My Lords, Amendment 39 is in my name and that of my noble friend Lady Hamwee. I am grateful for the briefing from techUK, which raises concerns about how this legislation might affect a deal between the EU and the UK on adequacy should the UK leave the European Union. We are unsure how to address those concerns and this amendment is very unlikely to be the means by which to do so, but at this stage it is a means of raising them. It is a bit of a Second Reading amendment, if noble Lords get my drift.
Throughout our debates it has been emphasised that the sole purpose of this legislation is to enable UK law enforcement agencies to find a faster legal means to secure data held overseas that may contain vital evidence in serious criminal cases being prosecuted in the UK than the current mutual legal assistance treaty process. Data handled in the UK is subject to the protections of the Data Protection Act 2018 and the EU general data protection regulations. Indeed, the Data Protection Act ensures that the GDPR continues to have effect, even if the UK does leave the EU.
Throughout our debates on this legislation we have expressed our concerns that the designated international co-operation arrangements that enable overseas production orders to have effect in the target state will give as much right to overseas law enforcement agencies to demand data from UK service providers as the right this legislation will give UK law enforcement agencies to demand data from a service provider in a
foreign state. Those foreign states, such as the United States of America, are not bound by the Data Protection Act or the GDPR.
For a third country to exchange data with the EU it must persuade the EU that it has adequate protections for personal data equivalent to or exceeding the standards that EU countries have to comply with under the GDPR. Indeed, EU states are not bound by EU regulation relating to data used for national security purposes, but third-party states are. For the first time, if we leave the EU, the EU will scrutinise the way we handle data in relation to national security because we will become a third-party country, involving more scrutiny than currently takes place. I think that is called “taking back control”. Whether in relation to national security or not—we have already debated the weaker safeguards proposed in relation to terrorism offences—such arrangements could result in personal data from an EU country and shared with a UK service provider being passed to a law enforcement agency in a state that falls short of the protections provided by the GDPR.
In summary, our concern is that, by entering into international co-operation agreements enabling overseas law enforcement agencies directly to access personal data held in the UK by UK service providers, sensitive personal data will be accessed by overseas law enforcement agencies whose standards fall below those set out in the Data Protection Act and the GDPR, thereby jeopardising the EU granting the UK an adequacy certificate. Could the Minister explain what discussions have taken place with the EU on this issue and how the UK’s adequacy status will be protected? I beg to move.