I thank both noble Lords for their points. There has been nothing in our own domestic law that requires a UK provider to comply with an overseas order. There will therefore be no conflict with domestic law if a CSP decides that complying with a foreign order would put it in breach of its obligations under the GDPR.
The existence of any conflict with UK data protection law does not have the effect of making the order from the other country invalid. Equally, the existence of the order does not compel the UK CSP to ignore its data protection obligations under UK law. It will be for the CSP on which an order is served to reconcile and comply with all legal obligations it is under. It could apply for the variation or revocation of the order, or use the dispute resolution mechanism that we expect all specific international agreements to include. That said, we do not think that this is likely to be necessary in practice. The GDPR contains several “gateways” which permit the cross-border transfer of personal data, including in response to a request or order from overseas law enforcement.
I know the noble Lord’s concerns about data protection, and I absolutely sympathise with him. We have discussed this before, and I think that ultimately we all want the same thing: adequate protection for the privacy rights
of individuals. I hope that my explanation will satisfy the noble Lord that the Bill does not in any way threaten data protection rights, which are robustly protected by existing legislation. UK CSPs will continue to be bound by the GDPR and the Data Protection Act. Therefore, I hope that the noble Lord will feel happy to withdraw Amendment 12.