My Lords, I rise with some temerity. This is my first visit to this Committee to speak. I have popped in before and have been following it very carefully. The work going on here is enormously important.
I am speaking to Amendment 115, thanks to the indulgence of my noble friend Lord Bethell, who is the lead name on that amendment but has kindly suggested that I start the discussions. I also thank the noble Lord, Lord Clement-Jones, for his support. Amendment 115 has one clear objective and that is to prevent transfer of UK user data to jurisdictions where data rights cannot be enforced and there is no credible right of redress. The word “credible” is important in this amendment.
I thank my noble friend the Minister for his letter of 11 April, which he sent to us to try to mop up a number of issues. In particular, in one paragraph he referred to the question of adequacy, which may also touch on what the noble Lord, Lord Clement-Jones, has just said. The Secretary of State’s powers are also referred to, but I must ask: how, in a fast-moving or unique situation, can all the factors referred to in this long and comprehensive paragraph be considered?
The mechanisms of government and government departments must be thorough and in place to satisfactorily discharge what are, I think, somewhat grand intentions. I say that from a personal point of view, because I was one of those who drafted the European GDPR—another reason I am interested in discussing these matters today—and I was responsible for the adequacy decisions with third countries. The word “adequacy” matters very much in this group, in the same way that we were unable to use “adequacy” when we dealt with the United States and had to look at “equivalence”. Adequacy can work only if one is working to similar parameters. If one is constitutionally looking at different parameters, as is the case in the United States, then the word “equivalence” becomes much more relevant, because, although things cannot be quite the same in the way in which administration or regulation is carried out, if you have an equivalence situation, that can be acceptable and lead to an understanding of the adequacy which we are looking for in terms of others being involved.
I have a marvellous note here, which I am sure noble Lords have already talked about. It says that every day we generate 181 zettabytes of personal data. I am sure noble Lords are all aware of zettabytes, but I will clarify. One zettabyte is 1,000 exabytes—which perhaps makes it simpler to understand—or, if you like, 1 billion trillion bytes. One’s mind just has to get around this, but this is data on our movements, finances, health and families, from our cameras, phones, doorbells and, I am afraid, even from our refrigerators—though Lady Kirkhope refuses point blank to have any kind of detector on her fridge door that will tell anybody anything about us or what we eat. Increasingly, it is also data from our cars. Our every moment is recorded—information relating to everything from shopping preferences to personal fitness to our anxieties, even, as they are displayed or discussed. It is stored by companies that we entrust with that data and we have a right to expect that such sensitive and private data will be protected. Indeed, one of the core principles of data protection, as we all know, is accountability.
Article 79 of the UK GDPR and Section 167 of our Data Protection Act 2018 provide that UK users must have the right to effective judicial remedy in the event of a data protection breach. Article 79 says that
“each data subject shall have the right to an effective judicial remedy where he or she considers that his or her rights under this Regulation have been infringed as a result of the processing of his or her personal data in non-compliance with this Regulation”.
4 pm
As those following the Bill will be aware, we are supposed to have a system in place to prevent private data falling into the wrong hands. Where countries are trusted to handle data, as I said, they are rendered “adequate” and user data can be transferred without restrictions. Where countries do not meet the threshold, data can be transferred, but only where contracts are in place with certain standard data protection clauses between UK companies and companies in the destination country. These standard contractual clauses, or SCCs, set out the rights and obligations of parties involved in a cross-border data transfer. They have to ensure that personal data transferred is protected in line with UK law. Companies may transfer data only if the entities involved have provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available, inter alia, by the standard data protection clauses adopted by the UK.
The reality is that this system does not work. Sadly, UK data is and has been routinely transferred to jurisdictions in which there is no hope of even a basic level of data protection. Huge amounts of UK user data are legally transferred to countries where there is no credible appeal process and no predictable rule of law, all enabled because contracts were signed making promises that they knew they could not keep. In view of the time, I will not give many examples, but my noble friend may want to take this further. Yandex, a Russian-owned internet search company operating in the UK, transfers personal data between the EEA and Russia. It employs standard contractual clauses for data transfers, but in 2019 it was instructed by the Russian Federal Security Service to surrender encryption keys. While Yandex’s contracts imply data security, Russia lacks a reliable legal pathway for remedies, rendering these assurances essentially meaningless. The only other examples that come immediately to mind are Iran and, I am afraid, India. These contracts create the illusion of data protection where, in reality, the data transfer is manifestly unsafe, either because the prospect of state interference is real or because the conditions for protected data transfer simply are not present.
Our amendment seeks to achieve two things: first, prohibiting personal data transfer to countries where data subject rights cannot be adequately upheld and maintained; secondly, prohibiting private entities from using contracts to give the impression of data security where little to none exists. This is a modest amendment. All it does is establish rights that UK citizens believe they already enjoy. It is a scandal that we are allowing such mass data transfer of private data to insecure locations while allowing companies to pretend otherwise, merely because they have a signed contract. Enforceable data rights should already be a condition of data transfer but, as I have tried to explain, this right is routinely violated. Our hope is that this amendment, if successful, will lead to a global shift towards stronger data protection practices, especially in countries such as Russia.
We may well hear from my noble friend the Minister that this is too blunt an instrument. I would answer that this amendment merely establishes in law a right that UK citizens already think they have, and does so in a manner consistent with the Government’s stated objectives. For a blunt instrument, I refer noble Lords to the United States, where Congress has passed a Bill that would require TikTok to divest from its parent company, ByteDance, within six months or face the consequences.
Secondly, we may hear that the anticipated financial impact would be too great. We always hear this; impacts are always very expensive. I would answer simply that, if companies are making huge amounts of money from transferring UK user data to places where data protection is not possible, then we have a problem. The UK is at risk of becoming an outlier, not a source. On the basis of the Bill as drafted, we may find ourselves deemed “inadequate” for the purposes of data transfer, which would have a greater financial impact than ensuring that private data cannot be leaked to foreign Governments.
This amendment is a modest, proportionate and much-needed measure, addressing national security and data protection vulnerabilities in our current frameworks which may cost us dearly in the longer term if we fail to address them.