UK Parliament / Open data

Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020

My Lords, this is the third SI on this topic that has come before Parliament since the beginning of 2019. My colleagues have been dealing with similar revisions to already revised statutory instruments on other aspects of leaving the EU, and on a wide range on subjects. At least here we have the excuse that the CJEU’s ruling on the privacy shield, Schrems II, has necessitated further provision. In a debate earlier this afternoon, the noble Lord, Lord True, told us that the two previous drafts on public procurement had set out adjustments necessary for a no-deal outcome, but that the one we were considering today set out the detailed implications of a deal in that area. I am not sure whether I understood or believed his explanation.

I have several concerns about the implications of this SI. I was told in a briefing a week ago that Dominic Cummings detested the EU’s general data protection regulation and was determined that UK legislation should diverge from that standard. Now he has left the Government, but I am not yet sure that his influence has disappeared. The terms of the UK-Japan trade agreement appear to offer individuals fewer protections for their personal data than under GDPR, as many commentators have pointed out. It states that

“each Party should take into account principles and guidelines of relevant international bodies”,

such as the OECD. The Minister will appreciate the level of concern among the engaged public about lowering the protection for personal data now that we have left the EU. I thank her and her colleagues for offering briefings on the evolution of the Government’s digital strategy to interested Peers and I look forward to reassurance on this important principle.

The free flow of data across borders is a vital element in the digital economy, under appropriate regulatory conditions. I was concerned to read in the Secondary Legislation Scrutiny Committee’s comments on this SI that

“DCMS told us that the Commission was currently assessing the UK for adequacy under both the General Data Protection Regulation and the LED.”

Can the Minister tell us when the Commission is expected to complete this assessment?

Then there is the question of data sovereignty, which of course was one of the issues in the Schrems II case. My colleague and noble friend Lord Clement-Jones has written powerfully about the need to hold on to our national data assets as the foundation of a strong domestic base for digital enterprise but also as a matter of national and personal security. I note that health data has become a sector particularly vulnerable to multinational companies and hacking.

The UK Government are peculiarly relaxed about UK public data being stored on servers in the United States, in spite of the provisions of US law that make all data stored in the USA subject to surveillance, as others have mentioned. Our current Government, from the Prime Minister downwards, have an obsession with protecting the UK’s absolute sovereignty from any incursion by EU regulation or law but seem entirely

relaxed about extraterritorial American jurisdiction and surveillance. Many of us anticipate that, outside the EU, the UK will not prove to be an independent sovereign state—let alone a sovereign equal of the United States and China—but will become more and more dependent on the United States and a follower of American rules and regulations. If the UK supervisory authority is to diverge from the GDPR, it is most likely that it will converge on US regulation and take the American side in likely disputes with the EU. Do the Government plan to ensure that UK public data is stored in the UK rather than in the United States?

The law enforcement directive struck a careful balance between personal rights and national security. UK officials and Ministers played an active part in negotiating its terms. Our Government were one of the most active in pressing for further data exchanges related to cross-border crime and terrorism, from aircraft passenger names to intelligence on suspects. Cross-border travel, and cross-border crime and terrorist attempts, will not stop now that we have left the EU, but we need to ensure that such exchanges of data are tightly regulated and scrutinised. Until we left, the CJEU provided that scrutiny. Can the Minister tell us what shared mechanism will now be established to scrutinise such exchanges, strong enough to satisfy defenders of civil rights and personal privacy both within the UK and the EU? How confident is she that the UK will be able to ensure its security by maintaining access to these vital but highly sensitive databases?

I recall hearing Conservative MPs assert that we had no need of Europol—for example—when we left the EU because we could rely on our membership of Interpol. That level of ignorance about the quality of different international bodies, that assumption that an organisation that has Russia and China as significant members is preferable to one in which we shared more information with our democratic neighbours, leaves some of us close to despair about where the Government may be drifting.

I have one final question. How do the Crown dependencies fit into this post-Brexit pattern of data exchange? Can we be confident that their regulation is as tight and as open to scrutiny as within the UK and on the European continent? We do not want an offshore world around our shores through which financial data, dark money and criminal assets may flow unseen. What discussions are the Government engaged in with the Crown dependencies to ensure that no loopholes in our post-Brexit regulation of data are left on our doorstep? The Minister may wish to write to me on this matter.

6.57 pm

About this proceeding contribution

Reference

807 cc616-7GC 

Session

2019-21

Chamber / Committee

House of Lords Grand Committee
Back to top