My Lords, I am very grateful to the noble Lords, Lord Clement-Jones, Lord Bethell and Lord Kirkhope, for tabling these amendments and for enabling us to have a good debate on the robustness of the proposed international data rules, which are set out in Schedules 5 and 7. Incidentally, I do not share the enthusiasm expressed by the noble Lord, Lord Bethell, for the rest of the Bill, but on this issue we are in agreement—and perhaps the other issues are for debate some other time.
4.15 pm
It is important that we maintain an outward-looking perspective on the movement of data. The noble Lord talked about the commercial imperatives and so on, and we agree—we accept that more data will need to travel across borders in the new global marketplace; that is the reality of the world that we are facing. But, as noble Lords have said, that makes it even more important that UK citizens do not lose their data protection rights and can be guaranteed the same safeguards in the countries to which their data is sent. As the noble Lord, Lord Kirkhope, said, this is a right that UK citizens already think they have, so it is important that we reassure them and maintain those rights.
This is a fundamental feature of Article 44 of the UK GDPR and the relevant parts of the Data Protection Act. Our challenge is to ensure that the new data protection test, which the Secretary of State will need to apply before approving transfers, has the same safeguards as the original legislation. As noble Lords have said, as the proposals stand it will still be necessary to consider the respect for human rights, the existence of a regulator and the compliance with international obligations of the receiving country.
Building on this, there is only a limited set of circumstances under which personal data can be transferred outside the UK. One circumstance is where there is an adequacy agreement such as we have with the EU—and here I feel that we are back to subjects that we have discussed on a number of occasions. We have to be assured that these new regulations, based on the outcome-based framework, still comply with the EU adequacy rules. We have touched on that on a number of occasions, and it would be helpful if the Minister could update us on how the new rules have been tested with the EU and what its response has been.
In the Commons Committee, the Minister, John Whittingdale, said that
“there is no reason to believe that this in any way jeopardises the EU’s assessment of the UK’s data adequacy”.—[Official Report, Commons, Data Protection and Digital Information (No. 2) Bill Committee, 16/5/23; col. 165.]
I would like a more concrete assurance than that. Presumably we have told the EU what changes the Government propose to make, so what has its response been? It is quite a simple question and has come up in other debates. At some point, it would be helpful if the Minister could write to us and say what discussions have been had with the EU on all the different aspects of the Bill that we are looking at, in terms of adequacy, and what its reaction has been. I would like to know what the debate has been. I hope we are not assuming that the EU is watching us and keeping an eye on us without us actually asking its opinion. It is a fundamental question.
Secondly, for countries without adequacy agreements, we need to take particular care that weaker standards for the protection of data are not allowed to creep in. We need to ensure that the promises made by third countries are enacted in practice and that their conduct in safeguarding data is properly monitored. Again, other noble Lords have highlighted that issue. This is why I particularly like the amendment of the noble Lord, Lord Clement-Jones, which would empower the Information Commissioner to make a proper assessment of a country’s suitability and a reassessment on an annual basis.
Finally, Amendment 115 from the noble Lord, Lord Bethell, raises a critical issue about the enforcement in a third country. It is vital that the data of UK citizens is not transferred to a third country where there is no credible appeals process and no access to effective legal redress. There needs to be evidence that these systems are in place and that they can be regularly tested and monitored before they can be trusted to receive potentially large quantities of private data from UK citizens.
As the noble Lord, Lord Kirkhope, rightly pointed out, the current arrangements for the protection of data transfers simply do not work. We already know that the guarantees given are simply not adequate or sustainable. There are a number of examples of where those rights are being routinely violated. We have to accept that the current arrangements are not robust enough; we need to find a more robust arrangement. Again, the amendment in the name of the noble Lord, Lord Bethell, sees a role for the Information Commissioner in making an assessment. We agree that this is a sensible proposition.
I hope the Minister can give us a more positive response on this and confirm that the Government take these issues seriously. I go back to the letter: we are pleased that he acknowledged the issues but, in terms of protections, I do not know whether the guarantees that we are looking at are there. Whether or not this is a sledgehammer, or whatever other expression the noble Lord may use about his amendment, it provides a simple solution. If the Minister is not going to support it, I would like to know what he proposes to do instead. I look forward to his response.