My Lords, I am grateful to noble Lords for their comments and the opportunity, I hope, to make things clearer. Amendment 5 seeks to make it clear that the applied GDPR does not apply to processing activities which fell outside the scope of EU law. Amendment 6 examines the differences between the GDPR and the applied GDPR. The applied GDPR exists to extend the GDPR standards to personal data processing to datasets outside the scope of EU law, which may be otherwise left unregulated. This is an essential extension because, first, we believe that all personal data should be protected, irrespective of EU legal competence; and secondly, we need a complete data protection regulatory system to secure the future free flow of data.
Chapter 3 of Part 2 and Schedule 6 create the applied GDPR, which is close to, but not identical to, the GDPR. This is primarily because we have anglicised it as it sits within our domestic law, not European law. References to member states become references to the UK. As domestic regulation it is also outside the scope of the functions of the European Data Protection Board, so appropriate amendments are needed to reflect that. Otherwise the same general standards and exemptions apply to the applied GDPR as for the GDPR.
6 pm
Clause 3 exists to help make the Bill easier to follow. It signposts readers to the provisions that cover either the GDPR or the applied GDPR. The language that it uses to do this has no legal effect. The applied GDPR is what it is. The extent of its similarity to the GDPR is a subjective matter. The Bill describes it as “broadly equivalent”. Amendment 6 prefers, “identical in all major respects”. We prefer the current drafting of the Bill because it better reflects the position.
The noble Lord, Lord Stevenson, asked about the relevance of “activity” in Clause 19. Activities should be taken to include processing of personal data. There is no special meaning. It has the meaning as in article 2 of the GDPR.
Amendment 115 seeks to reinstate the definition of “representative” into article 4 of the applied GDPR. Under the GDPR the territorial scope extends to controllers outside the EU where they are offering goods and services to persons inside the EU. Where a controller is outside the EU, subject to certain exemptions in article 27 of the GDPR, they must designate a representative inside the EU. The applied GDPR does not have the same extraterritorial application as the GDPR so does not have any requirements to designate representatives. As such, that definition is unnecessary.
The applied GDPR applies only to the processing outside the scope of the GDPR and which is not caught by any of the data being processed for law enforcement or national security purposes under Parts 3 and 4 of the Bill. The type of processing captured is primarily within the public sector, relating to areas such as defence and the UK consular services. Controllers in these situations are either in the UK or, if overseas, are not offering goods and services to those in the UK. As such, there is simply no need for the applied GDPR to have the same extraterritorial application as the GDPR.
Some people have suggested that the applied GDPR represents what the GDPR may come to look like once the UK leaves the EU. In some respects, this is a reasonable conclusion to draw. The applied GDPR anglicises the language and strips out irrelevant provision. This approaches some of the issues that the noble Baroness, Lady Hamwee, was talking about—the European language as opposed to what we are used to in UK legislation.
However, in some respects, it is not the same as what future legislation will look like, including on the question of extraterritoriality. When we leave the EU, the powers in the EU withdrawal Bill will bring the GDPR into our domestic law, anglicised—as has been done to the applied GDPR—but also with other modifications that are dependent on the future negotiations with the EU.
We have been clear, as I mentioned with the previous group of amendments, the future free flow of data is the number one priority in respect of our data protection policy and will ensure that we maintain the international high standards in this respect. I hope my clarification is sufficient and that the noble Lord will withdraw the amendment.