PARLIAMENTARY DEBATE
Leaving the EU: Data Protection - 12 October 2017 (Commons/Commons Chamber)
Debate Detail
That this House has considered Exiting the European Union and Data Protection.
The digital revolution through which we are living is bringing about the fastest pace of change that any generation has ever seen. With advances in technology accelerating, it is likely that this current pace of change will be the slowest that any of us will experience probably for the rest of our lives. This vast change brings with it big opportunities. We have opportunities to communicate, innovate and organise in ways that were simply inconceivable just a few short decades ago. It also brings with it challenges: to harness the technology for good; to mitigate harm; and to make sure that everyone can benefit.
Underpinning this revolution is the fact that the cost of storing and transmitting data has collapsed faster than at any time since the invention of the printing press, and perhaps at any point in history. The new technology then cut the cost of storing information from the cost of a handwritten manuscript to the cost of print, and the revolution now has cut the cost from that of print to the almost infinitesimally small cost of data storage. Data is therefore the fuel of this new digital economy, and getting the rules on data right is mission-critical for strength in the future.
As well as being fuel for change, data is a massive stimulant for our economic growth, jobs creation and innovation. The UK has Europe’s largest and most dynamic digital economy, attracting approximately £28 billion in technology investment since 2011. The UK also has the largest internet economy of all G20 countries, emphasising the fact that data is rapidly transforming our lives, and creating exciting and innovative opportunities right across the world. The impact is, of course, much broader than just in the tech industry itself. Data underpins social interactions: a Skype call to a family member on the other side of the world; our cultural collaboration, as performances are broadcast across borders; and almost every other part of economic activity, and almost all trade. The importance of the digital economy as a catalyst for job creation and innovation continues to increase exponentially, so it is vital that data is kept secure. Our approach to data protection as we leave the EU is straightforward: we wish to ensure the unhindered free flow of data between countries, if that data is held securely and privacy is respected.
Having just set out my punchline, perhaps I can describe the build-up to it. The goal is for data to be unhindered when security and privacy are respected. It must be unhindered, so that trade and communication can be effective and so that we can innovate in the use of information, including through advanced techniques such as machine learning and artificial intelligence. But data can be unhindered only where it is appropriate for it to go—with data held securely and privacy respected—which means where there are high standards of cyber-security and data protection.
On cyber-security, the 2017 British Chambers of Commerce digital economy survey reveals that at least one in five UK firms were subject to a cyber-attack in 2016, with larger firms more likely to be hit. As more and more citizens, and the wider economy, rely so heavily on digital technology, it is vital to keep data safe from cyber-attack. On the other side of the coin from strong cyber-security is strong data protection. The UK has been a world leader in data protection for a long time, combining privacy with support for dynamic data-driven innovation. We are determined to ensure that, after our exit from the EU, the UK remains a global leader, promoting both the flow of data internationally and high standards of data protection.
For more than a generation, the Data Protection Act 1998 has been regarded as the gold standard in the world. That Act, which was based on European rules set out in 1995, was the result of a piece of work that started under the then Conservative Government, with the legislation enacted by the subsequent Labour Government. That demonstrates the cross-party approach that has been taken to data protection in the UK. Technology marches on, however. It is almost 20 years since the 1998 Act, but the legislation needs to be kept up to date in this changing world. The Data Protection Bill, which had its Second Reading in the other place earlier this week, will modernise data protection legislation, giving citizens more rights over their data while allowing businesses to use modern data management techniques. It offers greater transparency and accountability, thus giving people more reassurance about how their personal data is used by businesses and organisations. Increased accountability and public confidence in how data is used can enhance the digital economy for the benefit of all.
To return to the point made by the right hon. Member for East Ham (Stephen Timms), the Bill will prepare Britain for Brexit. It will extend the EU’s general data protection regulation—GDPR—and bring into UK law the law enforcement directive. It will extend the principles of GDPR into many areas of our domestic law, which will help to ensure that we prepare the UK for the future after we have left the EU. The implementation of the Bill will ensure that we preserve the concepts of the Data Protection Act that have served us so well. We will aim to ensure that the transition for businesses, individuals and charities is as smooth as possible, while complying with the GDPR and the law enforcement directive in full. That means we will be as well placed as possible to achieve the unhindered flow of data with the EU through something akin to the adequacy deal mentioned by the right hon. Gentleman. That is strongly in the interests of both sides in the negotiation.
During the summer, we published the future partnership paper, which sets out how we ensure the continued protection and uninterrupted exchange of personal data between the EU and the UK. The purpose of setting that out was to offer stability and confidence to businesses, public authorities, charities and individuals. My message to business in particular is very clear. We understand how important this matter is. We know that it is in the strong self-interest of the UK and the EU to get a good deal that involves the unhindered free flow of data. The new partnership should protect the privacy of individuals and respect the UK’s sovereignty, including the UK’s ability to protect the security of its citizens and to maintain and develop its position as a leader in data protection. Ensuring that we protect privacy while also allowing for the innovative use of big data so that the UK can be a world leader in artificial intelligence are the joint goals of the Data Protection Bill.
The new relationship should also not impose unnecessary additional costs on businesses and must be based on the objective consideration of evidence. Furthermore, because many of these issues are technical, we will continue to seek ongoing regulatory co-operation between the EU and the UK on current and future data protection issues. By doing that, we will build on the opportunity of a partnership between global leaders on data protection and continue to protect the privacy of individuals. As the paper that we published in the summer reiterates, it is important that we provide clarity and certainty for businesses and individuals as soon as possible, so that data flows are not disrupted when the UK leaves the EU. In addition, this is part of a wider global debate about the flow of data, because it is also incredibly important that we get right our data relationship with the United States, Japan and others.
A strong relationship on data is beneficial to citizens as it will reassure them that their personal data is subject to robust protection. Maintaining the flow is also important. Once we have left the EU, we will continue to play a leading global role in the development and promotion of appropriate data protection standards with trading partners right around the world.
I hope that I have managed to answer Members’ questions. Although I look forward to the debate, I think that we can see strong cross-party agreement on the importance of a high-quality data relationship with the EU once we have left, on ensuring that that works for citizens, businesses and individuals, and on ensuring that we can build on that relationship, which underpins so much in our modern economy.
If I may, I will just correct the Minister, who inadvertently misinformed the House. Of course, Gibraltar is not part of the United Kingdom. It is an overseas territory. It is technically part of the European Union, although it is obviously excluded from the customs union and the common agricultural policy.
There are few debates that are more important than those concerning trade, especially in the context of the decision of the UK to exit the European Union with all the impact that that could have on the UK economy. As the Minister quite rightly said, in the 21st century there is nothing much more important to trade than data. As we have heard, 43% of EU tech companies are based in the United Kingdom and three quarters of the UK’s cross-border data flows are with other European Union countries. These data flows are essential for UK trade. Approximately half of all trade in services is enabled by digital technologies and the associated data flows.
Effective modern data protection laws that set down strong rights and protections are vital if the public are to have any trust in the use of personal information within the digital economy, the delivery of public services and the fight against crime. Ensuring that the public can trust that their data is handled safely, whether in the public or private sector, is important for us all. We need to get the Data Protection Bill right—as the Minister pointed out, the Bill has been introduced in the other place and is there as we speak—to implement the new European Union rules on data protection contained in the general data protection regulation. If we do not get it right, people will not benefit to the fullest extent from the new digital services that are coming online all the time. I am sure that the Minister will be pleased that the Opposition welcome the Bill. We deeply regret that the Government opposed our previous attempts to strengthen data protection at the time of the passage of the Digital Economy Act 2017, just a few short months ago, but better late than never. In scrutinising the Data Protection Bill, we will ensure that it is not too little, too late.
So far, the Government have talked the talk about their commitment to unhindered, uninterrupted data flows post-Brexit, but the Data Protection Bill does not really set out fully how they plan to deliver on that promise. Even if the Bill succeeds in bringing UK law into line with the EU’s data protection framework by the deadline of 25 May 2018, it does not necessarily mean that the Bill provides for the future. On leaving the EU, the Government will need to satisfy the European Commission that the UK’s data protection framework provides an “adequate level of protection”. The Government and the Minister today seem to be saying that achieving a positive adequacy decision will be easy, but it might not be as easy as the Minister indicated.
Under article 45 of the general data protection regulation, the European Commission is required to consider a number of issues including, among other things, existing surveillance practices. As Lord Stevenson said in the other place on Tuesday, several commentators have indicated that the current activities of British intelligence services could
“jeopardise a positive adequacy decision”
since data protection rules
“do not offer an equivalent standard of protection to that available in the rest of the EU.”—[Official Report, House of Lords, 10 October 2017; Vol. 785, c. 129.]
Lord Stevenson asked the Government how they might square this circle, but unfortunately received no answer. I understand we will have the intense and unusual pleasure of a second contribution from the Minister in this debate—I foreshadow that by indicating to the House that I will also seek permission to respond on behalf of the Opposition in a similar fashion—so perhaps he could answer that question during his closing remarks.
The Government seem to have lost sight of the need to ensure continuity during the transition period and beyond. They must have measures in place to reassure all those businesses that have taken advantage of the UK as the gateway to Europe that they will pass the adequacy test and ensure that stability and certainty. Given that we need a new data protection regime for sharing data across the channel and the Irish sea, we may as well get this new regime right for consumers as well as businesses. At a time of increasing concern about the misuse of personal data by certain companies, is not there a need for a far more stringent regulatory structure than that contained in the Data Protection Bill?
Colleagues in the other place have already remarked that the tech giants that dominate the digital economy and the market for data have, for too long, got away with portraying themselves as purely neutral platforms. They are not, as each of their business models—not to mention their share value—is predicated on the data flows that they generate and monetise. It has become a cliché, but in a very real sense data is the new oil in the economy.
We should also speak about children in the context of data protection. The Minister did not mention this part of the Government’s plans in his remarks, but I hope he refers to it when he sums up. Children and young people are at the leading edge of the online world, with 75% of 10 to 12-year-olds and 96% of 13 to 18-year-olds using social media sites, with Facebook ranked at the top. Sadly, this has resulted in children and teens being treated as data assets by business, with their personal data stolen and sold without informed consent on a regular basis. That cannot be right. The Data Protection Bill represents an opportunity to right this wrong, but the current drafting of the Bill does not give us much cause for hope in that area.
The Government have chosen to derogate from the general data protection regulation, as the Minister mentioned, by setting the minimum age for a child consenting to the processing of personal data at 13 years of age, rather than 16. Why have they chosen to derogate in that fashion? As John Carr, a member of the executive board of the UK Council for Child Internet Safety, which was set up under the last Labour Government, has noted, perhaps the age of 13 was chosen because when Ireland—where the big social media companies are based—decided on 13 years of age, the UK’s decision was all but irrelevant. Does the Minister agree with that? If that is not the case, what is his explanation for why the Government chose to make this derogation? They claimed in their statement of intent published in August:
“Child online safety is one of the top priorities for this government”.
If so, 16 would have been a better age, as Sonia Livingstone, professor of social psychology in the department of media and communications at the London School of Economics, has argued.
Some people might argue that a lower minimum age is good for younger people’s participation in the digital world, but evidence from the regulator, Ofcom, shows quite clearly that fewer than half of 12 to 15-year-olds can identify an online-sponsored result, let alone understand how companies exploit their personal data. If the Government insist on staying the course with regard to this derogation, they must at the very least guarantee to the House today that they will ensure a significant increase in media education and digital literacy among young people. I hope that the Minister will refer to that in his response. This returns us to the responsibilities of social media and other online businesses.
While we may debate where the minimum age of consent should be fixed, the fact that the Bill does not place any requirements on these companies to prevent under-age access to their services is a glaring oversight, especially from a Government who claim that child online safety is one of their top priorities. The Leader of the House so memorably described Jane Austen in this Chamber not so long ago as
“one of our greatest living authors”—[Official Report, 20 July 2017; Vol. 627, c. 1004.]
To paraphrase Jane Austen, it is a truth universally acknowledged that the Government are making a complete Horlicks of the article 50 negotiations, as we saw again just this morning. At least, they have now taken up our policy.
I give the Minister and the Government credit for taking up our policy of having a transitional period with regard to Brexit to give themselves a little more time. The price of getting data protection wrong would obviously be enormous, because so many companies rely on transmitting data across the single market.
For many years, we have talked of the four freedoms—the free movement of goods, services, capital and people—but there is a fifth freedom, because, in reality, we have created one of the world’s leading regimes for data transfer, which has allowed our tech companies to grow, flourish and prosper. It would be a disaster if any division, dithering or incompetence around the Brexit negotiations now imperilled that achievement.
The Government have set themselves a very tight schedule for passing the Bill into law before the end of April 2018. As I have indicated, the Opposition will support the main principles of the Bill, but there is a great deal of work still to be done, with several areas needing to be scrutinised, and the Government need to be prepared to amend the Bill to rectify some of the inadequacies I have indicated during my remarks.
All of us in this place owe it to the public, and especially to children, to get this legislation right. We cannot afford to fail just because of the dysfunctionality at the heart of the Government, and I hope the Minister will not be complacent on that score.
The first picks up from where the shadow Minister left off. As a London MP, one cannot but be aware of the significance of tech companies and the digital industry to our economy. That is part of what makes London the world’s financial capital, and getting our position right on these issues and maintaining it is absolutely critical to our arrangements going forward.
As hon. Members know, I come at this debate as someone who rather wishes we were not in this situation, but given that we are, getting the detail right is absolutely vital. I understand and support the thrust behind the Bill and what the Minister very fairly said in his opening speech, but the detail is terribly important.
Only this week, I was at a meeting of the all-party parliamentary group on wholesale financial markets and services, where a number of representatives of the financial services sector, including Citi UK and UK Finance, raised the real issue that while we talk a great deal about the need to preserve regulatory equivalence and other means of achieving access to the single market once we have left it, data sharing is, to some degree, the elephant in the room and is often not spoken about. The director of one of London’s leading accountancy and consultancy firms described it to me as a huge issue that needs to be tackled.
The Minister is right to recognise the issue, and the Bill, of itself, is right and proper, but getting the detail right will go well beyond that. When he replies, I hope he will be able to assure us that his Department and the other relevant Departments are keeping in close contact with our financial sector. There are people with massive expertise out there, and they are willing to help the Government on this, and it is critical that we get it right for the future health of the UK.
None of us wants to see London’s position as the world’s financial capital diminished, and that is not in the EU’s interests either, because, in many respects, London, as a financial and digital capital, has been a gateway into European markets for many third-country investors. We want that to remain the case, so getting these issues right is terribly important.
My second point was highlighted by the right hon. Member for Carshalton and Wallington (Tom Brake). I agree with him about Gibraltar, and I declare an interest as the chair of the all-party parliamentary group on Gibraltar. I recently returned from Gibraltar’s national day celebrations, and you are fondly remembered there as an active former member of the group and as a good friend to Gibraltar, Madam Deputy Speaker.
Cross party, members of the all-party group were struck by the importance of this issue to Gibraltar. Gibraltar has revived its economy in recent years, moving away from what was essentially a garrison-type economy to an economy that is strongly based on financial services and online digital operations of a number of kinds—they are now the most important part of the economy. As the Minister says, Gibraltar is a successful part of the British family—a self-governing British overseas territory that is entirely financially self-supporting. It is to Gibraltar’s credit that it has been at pains throughout this period closely to mirror United Kingdom and European Union regulatory arrangements, and it ticks all the boxes in regulatory terms.
My third point relates to legal matters. I take the liberty of referring to the Justice Committee’s ninth report from the 2016-17 Session of the last Parliament. As hon. Members will know, I have the honour to chair that Committee, and we issued a report on the implications of Brexit for the justice system. I hope we will soon have a response from the Government to that report; it is one of those that is in Ministers’ in-tray—or, I hope, out-tray—at the Ministry of Justice. Perhaps a gentle nudge might be delivered by those on the Treasury Bench to their right hon. Friends there.
The report is constructive and stresses the importance of information-sharing arrangements for the legal system and the justice system. Part of that relates to the UK’s legal services, and that links in to what I said earlier about the financial services sector in London. The legal service sector underpins a great deal of that financial services work, so getting this issue right is critical for UK firms contracting with parties in the EU or with third parties. At the moment, a great deal of work is written in English law, and that is a great advantage to us, so getting the data sharing right around all those matters is terribly important to the firms involved.
However, the other issue in our report, which is perhaps even more strikingly important, relates to information sharing on policing and critical justice co-operation. In many respects, we have led the field in this regard, and it will certainly not be the intention of the Government or of the Prime Minister, who both as Prime Minister and as Home Secretary has stressed the importance of this issue, to lose any of that information sharing. However, again, the devil is always in the detail in these matters, and perhaps I can highlight what the Committee found.
We took a considerable amount of evidence, and it is clear that the EU offers a number of information-sharing tools. I particularly want to highlight the importance of the European criminal records information system. We are in that at the moment, and it was clear from the professionals in the field who gave evidence to us that we must do all we can to maintain access to that system. It provides access to accurate records of EU citizens’ offending histories.
It is perhaps worth putting on the record a quote from the National Crime Agency. Its evidence was:
“Through ECRIS, the UK is able to exchange tens of thousands of pieces of information about criminal convictions each year that help police and other law enforcement agencies to investigate crime, protect the public and manage violent and sexual offenders.”
We want to stay in ECRIS, but we noted that there are no previous examples of a non-EU member having access to it. We will have to seek a bespoke arrangement to achieve that, and I hope that Ministers regard that as a high priority.
The evidence given to the Justice Committee was clear that these are interlocking parts of a criminal justice co-operation system and we cannot cherry-pick some bits and not others. It is important that we find ways of maintaining equivalent means of access across the board on these criminal justice co-operation measures. I have mentioned ECRIS and I hope that the Minister will reassure us that finding a way to stay in it is a high priority for the Government.
We should also wish to remain in the second-generation Schengen information system as it gives the UK real-time access to all European arrest warrants. The European arrest warrant is a valuable tool and it is a great help to British law enforcement agencies. I say that as someone who worked as a barrister in criminal law for 25 years before I came to the House. That was at a time when we did not have that means of getting back from abroad villains who had committed crimes in this country. It is a great advantage that we do now have that ability, and since certain amendments were made to the way in which it operates, there are many more safeguards for UK citizens when an EAW is issued than was previously the case. It is a tool that has been refined and improved, and it would be a great advantage for us to stay in it.
SIS II—I apologise for all the acronyms—is also important because it contains, for example, alerts on missing persons. In all, it gives us access to 66 million pieces of data, which helps our justice system, and it is important that we continue to have access to it. The National Crime Agency said:
“Loss of access to SIS II would seriously inhibit the UK’s ability to identify and arrest people who pose a threat to public safety and security and make sure that they are brought to justice.”
I hope that the Minister will confirm that that, too, is a high priority for the Government.
We concluded that data sharing is not an area in which we can take a risk. Indeed, we concluded that these matters are so important that one would ideally wish to see them decoupled from the rest of the Brexit negotiations. Divorce bills or otherwise, public safety and security work for our interests and for every one of the citizens of the EU27, too. The right hon. Gentleman makes an important point and I agree with him.
I have talked about two key systems and I want to highlight their interrelated and technical nature because it is important to put that on the record. As well as those two systems, we also have access to Prüm, a regime for exchanging biometric information and vehicle registration data. It reduces the time taken to find matches from tens of days to 15 minutes when fully in place. We have recently gone into Prüm, and the chairman of the Criminal Bar Association, Francis FitzGibbon QC made the point to us that—and I shall quote his stark words in full to highlight their significance—
“if someone lets off a bomb in Berlin and makes his way to London, the police will be able to get hold of the fingerprints of the chap they arrest for double parking, or whatever it is, instantaneously.”
That gives us the swift ability to track down serious threats to our safety across the continent. We have not yet implemented Prüm, but we have signed up to do so and I hope that we will make it clear that we will implement it while we remain in the EU and we will seek to continue in it once we leave.
Our concern was that both Norway and Iceland—which are not members of the EU, although they are Council of Europe countries and have association arrangements with Interpol and others—have waited some years to have access to Prüm. We have started from a closer position and it would be a tragedy if we went back to the same place in the queue as them, giving away something that we are already moving into. I hope that the Minister will reassure us that the Government will attend closely to those specific points during the negotiations.
Our conclusion was that all these matters, extradition arrangements, the EAW, the data sharing that underpins prisoner exchange arrangements, together with our arrangements on judicial co-operation—on which British judges work closely with their counterparts—and of course our membership of Europol are all part of a system that comes together to protect us in criminal justice and security matters. They were described by our witness Professor Wilson as part of a system that
“you cannot disaggregate because, in my view, if you take out elements of the system, you have a less effective system for protecting British citizens on the streets.”
That was also the clear evidence from the Northumbria Centre for Evidence and Criminal Justice Studies. The evidence was overwhelming. Sometimes, as lawyers, we get cases in which the evidence all points one way, and that was very much our conclusion from the evidence to the Committee’s inquiry. These are all important matters. Of course, they are but one part of the data protection and sharing regime, but they are critical.
We received the clear message from practitioners that whatever we do and however we get to these arrangements —I hope that the Bill, when it is brought to the House, will help us to achieve this—the end state has to include a means of making sure that our data sharing and data protection regime are sufficiently close to those of the EU27. We shall, therefore, have to have a means of tracking changes and replicating them when it is likely to be to our mutual advantage to do so. Otherwise, with the very best will in the world, a law enforcement agency or police officer in the EU27 might not be able to share potentially critical information with his or her UK counterparts because he or she might find themselves in breach of the data regulations in his or her own EU27 country. That cannot be in anyone’s interest. I hope that the Minister will reassure us that creating such a system will be the centrepiece of our objectives on data sharing in relation to criminal justice and co-operation matters.
Data protection has been described by The Economist and others as:
“The world’s most valuable resource”.
The hon. Member for Cardiff West (Kevin Brennan) described data as “the new oil”. Currently, the UK Government define data protection as the controls on how personal information is used by organisations, businesses or the Government. Everyone responsible for using data has to follow strict rules, and they must make sure that the information is used fairly and lawfully. Information that is held on individuals can include their name, address, credit history, employment history, salary details and even internet browsing history. I am sure that right hon. and hon. Members would wish some, if not all, that information to remain as secure as possible. Robust and strict data protection is therefore absolutely essential to avoid any improper use of that information, whether for online fraud or identity theft, and to keep it from falling into the hands of people or organisations with which we would rather not share it.
Data protection may not be something that we think about every day—indeed, it may not even cross our minds from one year to the next—[Interruption.] Perhaps that is not the case for my hon. Friend the Member for Glasgow North (Patrick Grady). Whether we think about data protection on a daily basis or not, its importance is not diminished. That is why it is absolutely vital that the level of data protection we currently enjoy as EU citizens is guaranteed on day one of Brexit, so that businesses and individuals can continue to rely on existing data flows. It is no exaggeration to say that millions of jobs across Europe rely on data protection and data processing to a greater or lesser extent.
As the Minister acknowledged, the security we receive from our data protection legislation already has a distinctly European flavour, originating as it does from the 1995 EU data protection directive, which was adopted into UK law in the Data Protection Act 1998. Since then, the way in which we create, collate, access and use data has changed enormously, as has the amount of data we create as individuals and as a society. In recognition of that, in 2016 the EU introduced a new legislative framework for data protection: the general data protection regulation, of which we have heard so much, and the police and criminal justice directive. Both those pieces of legislation form the basis of the Data Protection Bill that is in Committee in the other place. The regulations will apply in member states from 2018, and EU member states are required to transpose the directive into national law by the same date.
The Scottish National party agreed with the Minister when he said in February that the GDPR was a “good piece of legislation”. We were pleased that it was included in the Queen’s Speech and that the Government made it clear that our current data protection framework would be amended and made compatible, so that we can adopt the new regulations. We very much welcome the Government’s move to implement the GDPR, giving people more power and control over their own data.
In normal circumstances, I believe that that piece of legislation would be relatively uncontentious. However, as it has done and I believe it will continue to do, Brexit makes the subject of data protection hugely problematic. If we are to leave the EU in March 2019, what is the future for our newly agreed and freshly implemented cross-border, pan-European arrangement with our EU partners? What will be the consequences for businesses and individuals if the UK suddenly finds itself on the outside without a deal to continue the free flow of data not just with the European Union, but with the safe nations with which the EU has secured a reciprocal deal? At a stroke, could the United Kingdom lose its right to exchange data with the United States, a nation on which the Secretary of State for International Trade and President of the Board of Trade seems to be pinning so much hope for our future trade?
We are in an era in which geographical boundaries for data do not exist. Today, as probably every speaker in this debate has said, almost half the large EU digital companies are based in the UK, and a remarkable 75% of cross-border data flow out of the UK is with EU countries. We also have significant data flow with the United States, which occurs because we enjoy access to the EU’s privacy shield agreement. There is no such thing as sovereignty where data is concerned. Currently, we are a signed-up member of an international network committed to safeguarding data. In this global economy, the unfettered free flow of data across international boundaries safely and without delay, cost or detriment is absolutely essential, not just for individuals and businesses but for agencies that need to work across international boundaries. We have heard about many of those agencies today, and they deal with matters such as crime prevention, disease control and national and international security.
For the UK to be able to take full advantage of the continued free flow of data with the rest of the European Union post Brexit, the most straightforward route would be for the EU to issue an adequacy decision. An adequacy decision, as we have heard, is given to a third country—a country that is outside the EU and the EEA—to allow it to operate securely and freely within the framework of the GDPR. It can be given to countries that meet the required standard of data protection, a criterion that currently applies to the United Kingdom. The problem is, however, that an adequacy decision is designed for third countries, and the UK is not—yet—a third country. Indeed, it will not be one until the end of the Brexit process. There is no existing legal mechanism to enable the EU to award an adequacy decision to a country in advance of its leaving the EU. As the leading data protection lawyer, Rosemary Jay, said, the EU has to go through a legislative process, and it is simply not in the EU’s gift to do this in an informal way. I cannot comprehend what the Minister meant when he said that he sought “something akin to” an adequacy deal.
That being so, there is a very strong suggestion that the Investigatory Powers Act 2016 may jeopardise the ability of the UK to receive a positive adequacy decision. The Investigatory Powers Act has already been accused of violating EU fundamental rights. Eduardo Ustaran, the internationally recognised expert on data protection law, has said:
“What the U.K. needs to do is convince the Commission—and perhaps one day the European Court of Justice—that the Investigatory Powers Act is compatible with fundamental rights. That’s a tall order”.
While the Government are understandably desperate to secure an adequacy decision, the harsh reality is that a lengthy and challenging legal process may have to be undertaken before that happens.
I fear the Government are in denial about this. Indeed, when questioned by the Culture, Media and Sport Committee back in February about what would happen on the day after Brexit if we do not have an adequacy decision in place, the Minister said:
“we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.
He is absolutely right—I could not agree more—but that did not answer the question about what happens if we do not have such an adequacy decision in place on the day we leave.
Just yesterday, at the Digital, Culture, Media and Sport Committee, I asked the Secretary of State a very similar question about the need to have an adequacy decision in place when the UK leaves the EU. Her answer was that she was
“very hopeful of getting that deal”.
I am sure she is and I wish her well, but at the moment there is no deal in place. The longer negotiations are at a stalemate, while we continue without the legal mechanism to get a third country deal, and, given the issues in relation to the Investigatory Powers Act, securing the agreement the UK needs and absolutely desires is becoming less and less likely.
Another potentially huge problem arises if we do not secure an adequacy decision by the day on which we leave the European Union, because not only will we be outside the EU and isolated from the other 27 member states, but we will also be outside the EU-USA privacy shield agreement. The consequences of that happening may be unthinkable for UK businesses and individuals, but it is absolutely incumbent on the Government to think the unthinkable and to be adequately prepared for it. Putting all their eggs in the one basket of hoping to secure a negotiated adequacy decision is a very high stakes game, so I again ask Ministers: where is the plan B should there not be an adequacy decision? What assessment has been made of the UK not having such a decision in place on the morning on which we leave the European Union, and when will Members of the House be able to see that plan B and that assessment?
Nobody wants such a situation to arise—we want a deal to be struck—but even if the Government’s faith is rewarded and we do secure an adequacy decision, the UK faces another problem. As the GDPR evolves over time, as it surely will, the UK, to maintain its membership, will be required to amend its data protection law to keep in line with European law. The EU charter of fundamental rights and freedoms is now central to EU data protection law, and the charter is interpreted by the European Court of Justice, yet clause 6 of the European Union (Withdrawal) Bill quite clearly states that EU courts will cease to bind UK courts and tribunals following withdrawal. I suspect that if the UK does manage to secure an adequacy decision, to keep it, it will have to fall into line with the European Union Court of Justice.
As I said at the start, we welcome the Bill as a move to ensure that people have more control over their own data and to bring the legislation into line with the huge technological advances since the 1998 Act. We welcome the commitment to implementing the GDPR and to the UK remaining fully involved in protecting EU citizens’ data post-Brexit. We question, and we will continue to question, the Government on how they can take this forward when an adequacy decision is not guaranteed and while there are still unresolved issues about the Investigatory Powers Act, at the same time as they are seeking to remove the UK from the jurisdiction of the European Court of Justice.
Of course, it does not have to be this way. The best, easiest and most straightforward way to ensure that there are no disruptions to data flows between the UK and the EU after Brexit is for the United Kingdom to remain a full member of the single market. The agony and the fear for millions of businesses and individuals of being cut off from both Europe and America if we do not secure an adequacy decision could be avoided by our staying in the single market. Why put people and businesses through this?
After all, no one in any of the nations of the United Kingdom voted to leave the single market. In fact, two of the four nations of the United Kingdom voted to remain in the European Union. We are in this situation because of the Conservative party’s extreme interpretation of Brexit, and that is why we are now actually having to prepare ourselves for what, hitherto, was unimaginable—a no-deal Brexit, with the catastrophic consequences that it will inevitably have for our society and our economy.
I am grateful for the opportunity to make a short contribution to this debate, and I do so from the perspective of having spent the past 30 years of my life in the world of sales. I should declare at the outset that I am a fellow of the Association of Professional Sales, a UK institution with a fast-growing global reputation. Its primary purpose is to raise the standard of sales professionalism, ethical sales conduct, and the overall talent and capability of sales professionals.
I recognise that this debate is about data protection as we leave the European Union, but let me be absolutely crystal clear: I am optimistic about the future of our country outside the European Union. I am not blind to the challenges that lie ahead, but I encourage Opposition Members who have a decided propensity to take a dim view of our future to brighten up. We have a great deal going for us in this country, and rather than cowering at the prospect of a global Britain, we should now embrace the opportunity.
So much of our national sales capability, which will be key to our global success, will hinge on our commitment to embracing new technologies. We in this country are driving the fourth industrial revolution, and I want our country, by which I mean—before my SNP colleagues shout, “Which country?”—the United Kingdom and Scotland—
The fourth industrial revolution is powered by data. It has already been said a number of times in this debate—perhaps it is a cliché—that data is the new oil. Increasingly, data makes the world go around. I am grateful to Guy Lloyd, a fellow of the Association of Professional Sales, for his graphic description of the digital age we live in, which is creating new information exponentially. Incredibly, 90% of data in the world today has been created in the past two years alone. Our current daily output of data is about the equivalent of 10 million Blu-ray discs which, if stacked, would be as high as four Eiffel towers. It does not take a genius to predict that, as the world becomes more connected and individuals become more empowered through technology, the data deluge will only increase.
Digital tools, fuelled by big data, are making it increasingly easy for business organisations to profile the marketplace they operate in, to identify the best potential customers for their business and to improve the effectiveness and efficiency of their lead generation activities. Using artificial intelligence search engines, businesses trawl company reports, social presence and analyst commentaries to find companies that are likely to have a problem suited to their offering, and then identify who to talk to and how to connect with them based on their prospects’ employee social profiles. Artificial intelligence will also identify problems in the prospect journey through the opportunity pipeline, even predicting possible issues before an initial engagement and suggesting workable solutions. The algorithmic examination of large amounts of data collected across the complex interactions of customers, and employees of customers, supports the design of much-improved customer experience. This is the world we are already living in.
Data protection should be about providing assurance that the data each of us provides to public bodies and private organisations is safe. The foundation principle of data protection must be trust. Each individual citizen must feel that their rights are protected in law, and they should also know that their rights are protected in law. The true focus of any data protection regime must be to provide reassurance to the individual citizen that their personal data is theirs to own, control and share as they choose and that they can make decisions to share their data on an informed basis. Public and private corporations must be accountable for how they use that information, and they must collect it ethically and transparently.
There is no argument from me about the fact that the data protection regime within the European Union is a robust system that has been designed to provide significantly enhanced rights and protections for individual EU citizens. My concern, however, is that data protection can also be a carefully constructed protectionist measure that works to the commercial advantage and convenience of some of the largest multinational companies. So often the voices of lobbyists and corporations drown out the better nature of our policymakers and, more often than not, that is certainly true of the European Union. EU regulations can become so complex and byzantine that new entrants to the field—I am talking from a commercial perspective—from emerging markets are crowded out. I seek assurances from the Minister in that regard.
Some Members will undoubtedly be in favour of protectionist policies, but I believe in free trade. The EU has built a wall from such regulations—a wall that we must be ready occasionally to breach. From my own point of view, the idea of being able to interact with the 3.7 billion humans who are on the internet is not only desirable but vital for the growth of many companies beyond the relatively small numbers within the European Union. We can position Britain at the heart of this global data processing industry. We have a proud history of this—from the Babbage engine to Skyscanner, via the work at Bletchley Park and Manchester 1. In my constituency of Stirling, superb IT companies are already expert in the field of data processing, and CodeBase Stirling, an organisation for supporting emerging companies, many of which will be developing new applications in this field, has recently located there. Students at Stirling University are learning about big data in a master’s programme, and the work carried out there on big data analytics as well as machine learning will bear fruit long into the future.
We in this country have the skills and the knowledge. Members who think that we will sink without the EU have little faith in the spirit of the British entrepreneur. Brexit gives us the opportunity to think globally, and think globally we shall. Rather than the existing adequacy model of the EU, we need to consider partnerships based on shared understanding of privacy rights and a shared goal of ensuring that consumers give informed consent to their data being used. A shared international framework would give surety to companies operating globally that there are common standards to adhere to, at the same time as protecting consumers.
Many people of my generation will be disappointed that instead of personal rocket packs we have mobile phones and Twitter, but there is something about our modern life that fills me with hope. We can come closer together as a world community of individuals living together, with more respect for our fellow beings, as we see the barriers of culture, language and custom fall around us. But we need to be prepared for the times in which we live. We owe it to the people of our country and to our companies to keep our regulatory regime up to date as technology changes and emerges. Our laws should be responsive to change and adaptive to the social and economic changes that technology brings about. I believe we can achieve that far more readily in our own Parliament and that we can make the UK a world class data-safe partner.
Privacy and the protection of our data are vital, given the way we live today. We create footsteps and tracks in all aspects of our life, whether through the purchase of a product at an online shop, the presence of our mobile phone accessing a public wi-fi, or the use of a social media platforms. Every aspect of our lives can be and is recorded by companies that use complex algorithms to profit from this information. Let us be honest: this can often lead to greater convenience for us as consumers. The way we surrender our personal data can be considered transactional. We surrender some of our personal freedom to get access to a product or service that we want. This needs to be made clear to people who often access services without knowing the sacrifices that are being made to their privacy. People might think they are getting things for free when in fact they are paying with their valuable personal data. Sometimes this is a good deal but sometimes it is not, and it is for informed consumers to make that choice. Rights enshrined in law should be clear and easy to understand. The use of personal information should be subject to regulation, but not in such a restrictive way as to make it impossible to handle. Informed consent should be our watchword.
The internet is the best vehicle for economic growth that we have, and with data being produced at a rate of 2.5 billion gigabytes per day, it is not going away. It is also a tremendous opportunity. Our responsibility as lawmakers is to anticipate and follow technological change, and to understand how the technologies and habits that our people form require new protections in law. It is also our responsibility to ensure that the laws that we make are proportionate and do not generate a protectionist climate for our companies, but instead protect our citizens.
I believe that this is another area of public policy where the opportunities presented to us by Brexit are substantial. We can make our laws more responsive; we can break down barriers to trade with consumers around the world; and we can build a proper data protection regime that protects our citizens.
David Cameron has a great deal to answer for. To win support from his party’s right wing for his leadership bid in 2005, he promised during the leadership campaign to withdraw Conservative MEPs from the European People’s party, the main centre-right grouping in the European Parliament, and he delivered on that commitment after the European elections in 2009. By pushing his MEPs to the fringes in the European Parliament, he significantly reduced British influence there and more widely in the EU’s structures, which meant that Britain did not get its way in Europe on an increasing number of issues, by contrast with previous Governments, both Labour and Conservative. The referendum result—the decision to leave the EU—was the inevitable outcome of that spiral of loss of influence, kicked off by his commitment in 2005.
One way to look at the referendum is as a choice between sovereignty and prosperity. In the referendum, the country chose sovereignty, and of course that was a wholly honourable choice to make, but we need to be honest now about the resulting loss of prosperity. Leaving the EU, if it is seen through in the way envisaged now, will make us poorer. Ministers need to stop pretending otherwise, for their own sakes, as well as for the sake of the country, because once the reality becomes clear, the punishment inflicted on the Conservative party will be all the greater if people have not been told what is ahead.
An official in Germany put it to me like this a few months ago: “If you want the benefits of the single market, you have to obey the rules of the single market.” Ministers continue to tell us that we can have the benefits but no longer obey the rules, but that will not be the outcome of these negotiations. It could not possibly be because, if it was by some fluke the outcome, Germany and lots of other Parliaments in the EU would surely vote it down when asked to decide on the deal.
This week, we have at least had some recognition of that reality from the Prime Minister. She has announced that in the transition period from April 2019 we will continue to obey the rules. The writ of the European Court of Justice and the free movement of people will continue into the transition period. As far as I could understand it, the announcement in her statement on Monday seemed to be that we would stay in the single market and the customs union, other than in name. I presume that this is a face-saving device to avoid the embarrassment of a clear U-turn. It would be much better to be honest and commit to staying in the single market and the customs union during the transition period at least, as argued by my right hon. and learned Friend the Member for Holborn and St Pancras (Keir Starmer), the shadow Secretary of State for Exiting the European Union, and my right hon. Friend the Leader of the Opposition. The Prime Minister’s announcement does at least hold out the prospect of delaying the damage to our prosperity for a couple of years, but we need to recognise that that will not avoid the damage to our prosperity altogether.
The challenge is perfectly illustrated by the subject that we are debating this afternoon, and I welcome the fact that the Government have given us the opportunity to have this debate. Mr Speaker characterised my interest in a different area of policy earlier this week with the phrase, “some would say anorakish”. How much more that applies to the area of policy that we are debating this afternoon. The Minister was absolutely right in his opening remarks to underline just how important this policy area is for our prosperity. It underpins the wellbeing of the economy. Indeed, there is growing evidence that one of the reasons why we have failed on productivity growth in the UK in the past few years by contrast with other countries is that the internal management of companies in the UK has been digitised to a lesser extent than elsewhere. If we are to make progress on that—it is vital for our prosperity that we do—then data communications will be even more important in the future than they have been in the past.
I very much enjoyed and appreciated the contribution of the hon. Member for Bromley and Chislehurst (Robert Neill), who chairs the Select Committee on Justice. He underlined, quite apart from the economic considerations, how vital it is for our security and safety that we can continue to communicate personal data with other European Union countries.
The Minister was right to make the point at the outset that our data protection laws in the UK originated with an EU directive in which the UK was very influential. The Conservative Government who negotiated that directive had a powerful voice at that time. Sadly, as I explained earlier, more recent Conservative-led Governments have had a much less powerful voice.
The key foundation stone for data protection regulation in Britain has been article 8 of the European charter of fundamental rights, which states:
“Everyone has the right to the protection of personal data concerning him or her.”
The European Union (Withdrawal) Bill—the Minister and I had an exchange about this earlier in the debate—removes the charter of fundamental rights from UK law, so article 8 will no longer apply. The Select Committee on Exiting the European Union took evidence on that point from lawyers yesterday. Sir Stephen Laws, former first parliamentary counsel, argued that the removal of article 8 was a good thing because nobody can quite know exactly what it really means, so that we end up with judges deciding in appeal cases, which makes the law uncertain. He made a very reasonable case. Far better, he said, for Parliament to decide the detailed law and regulations, so that everyone knows where they stand.
However, Dr Charlotte O’Brien of York Law School pointed out that in practice, judges deciding points of data protection law in Britain often refer explicitly to article 8. A reading of their judgments suggests that article 8 frequently sways the decisions that they reach, so it is likely that its removal will mean that their future judgments will be different from those that they have made up until now. We can have an interesting debate about which arrangement is better, and, as I have said, I think that Sir Stephen Laws made a perfectly good case. Our problem, however, is that we have to achieve a declaration from the European Commission that UK data protection law is adequate. That is crucial for the future of our economy.
There is a perfectly good case for arguing that it is better not to have these slightly vague declarations, because the law is clearer if it is all spelt out in legislation that has gone through Parliament, but our problem is that that is not how the matter is looked at in Brussels. Over the next year and a half or so, the Minister has to persuade people in Brussels that our data protection is adequate, and if we no longer have a clear statement in UK law that everyone’s personal data is protected, that task will be a good deal harder.
I am grateful to the Minister for committing himself to seeking that adequacy agreement. Like the hon. Member for Argyll and Bute (Brendan O’Hara), I was slightly concerned about what he meant when he referred to something “akin to” an adequacy agreement. What we need is an adequacy agreement that is formally defined. We need that declaration from the Commission, so that UK businesses can continue to exchange personal data with businesses in other EU member states.
We also need this to be clarified soon, because otherwise businesses will have no alternative but to make arrangements to shift the activities into the other EU countries to avoid the risk of them no longer being lawful—and if this is left to the last minute, with some late-night deal at some distant point, these companies will have gone.
I want to make a final point about the Data Protection Bill and postal direct marketing. I welcome the fact that the Government are implementing the GDPR, or general data protection regulation, but the Bill changes the basis for opting out of postal direct mail communications. At present, if somebody does not want to receive advertising addressed to them through the post, they can opt out by signing up to a register. As I understand it, the Bill will change that and companies will not be allowed to send people postal direct mail unless they opt into receiving it. I think that is the current arrangement for direct email, but there has been an opt-out arrangement for postal direct mail until now. There is a lot of concern that that change would be very damaging to the UK direct mail industry, which is a substantial industry, and that it is not required by the wording of the GDPR; indeed, legal advice has been taken on this point and the GDPR does not require that change to be made. If that is right, the Government are gold-plating the regulations that have come to us from the EU. They are absolutely right to be implementing the GDPR and to be doing so scrupulously, but they should not be gold-plating them, as I fear they might be in this case.
I am grateful to have had the chance to set out to the House a bit more fully the thinking behind my amendment to the European Union (Withdrawal) Bill, and hope I might have persuaded the Minister that, after all, it might be an amendment that he can support.
The past five months have been extraordinary, and it is a great honour for me to represent Warwick and Leamington, a constituency that also includes the town of Whitnash and a number of villages. I wish to place on record my thanks to them. I would also like to thank my predecessor, Chris White, for the work he did as a constituency MP, and specifically his support for the charitable sector and the local games industry. He served the community well, and I wish him well. It is work that I will most definitely build on.
It is a happy coincidence that my maiden speech should coincide with the news, published yesterday in The Independent and by the BBC, that Leamington has been declared the happiest town in the UK. Delightfully, the survey that led to this finding was conducted after 8 June, which doubtless explains everything.
My constituency is not only the happiest place in the UK. Apparently, it was one of the first provincial towns in England to possess the other key attribute of happiness —a good range of Indian restaurants. You do not need to take my word for it: whilst a predecessor, Sir Anthony Eden, liked to quote from Shakespeare, in this instance I am going to quote from the historian, Lizzie Collingham, author of a definitive history of curry:
“Leamington was one of the first provincial English towns to have a selection of Indian restaurants. The area’s very proximity to Coventry and Birmingham, where many of Britain’s Bangladeshi and Pakistani immigrants found work in the car industry, made it, where Indian food is concerned, one of Britain’s pioneering towns. It still is.”
As if to underline that, one of our very many local establishments was proclaimed winner of Midlands Curry House of the Year and shortlisted for the national awards. So none of you should need any inducement to visit the locality—and you will be most welcome.
But good eating is not all it has to offer. My constituency has been home to such luminaries as Joseph Arch, a 19th-century pioneer in unionising agricultural workers and in championing their welfare. Arch also agitated for the widening of the franchise—ambitions that were to some degree fulfilled in the Representation of the People Act 1884. In the ensuing 1885 general election, Arch was returned as the Liberal MP—we can all make mistakes—for North West Norfolk, making him the first agricultural labourer to enter the House of Commons.
My constituency was also home to Randolph Turpin, who was considered by some to be Europe’s best middleweight boxer of the 1940s and ’50s, and went on to become the undisputed middleweight champion of the world, in defeating no less than Sugar Ray Robinson. And it was home to Sir Frank Whittle, one of Britain’s greatest inventors, the creator of the jet engine, and indeed once to my hon. Friend the Member for Chesterfield (Toby Perkins), the as-yet-unknighted Toby Perkins.
Warwick is famous for its glorious castle, the seat of the legendary kingmaker Guy of Warwick. It is the medieval county town for a shire that once included both Birmingham and Coventry. Today that would be some county. Leamington, its noisy neighbour, is perhaps now the happiest town in the UK but was certainly not favoured by the late John Betjeman in his poem “Death in Leamington.” Fortunately, Betjeman saved his greater wrath for elsewhere, famously inviting “friendly bombs” to rain down upon a different town. In fact, despite being a major manufacturing centre, the constituency was not the victim of significant bombing in the second world war, unlike neighbouring Coventry, sadly, but during the war it was the seat of an important team of camoufleurs—artists and engineers who played a leading role in developing the art and science of camouflage. It is interesting that one of the constituency’s most significant contributions to the defence of our country back then was through design.
Design and innovation permeate the recent history of our towns. In the post-war period, the legendary Donald Healey set up his car business on the Emscote Road in Warwick, going on to produce some of the finest sports cars the world has ever seen. Not far away, Malcolm Sayer was designing the E-Type Jaguar. I am proud of my constituency’s impressive contributions to design and technology and its continuing role in developing innovative technologies of all sorts. That continues to this day with the world-leading Warwick Manufacturing Group, which is part of the University of Warwick and has collaborated with industry, Government and other universities in developing battery cell technology, new materials, and digital applications. It is therefore no surprise that what is still referred to as the gaming industry finds itself home here. Along with Dundee, it leads the industry with more than 50 local businesses, employing 2,500 people and generating £188 million in turnover, and it is about to grow exponentially. I am proud that it is leading the revolution in not just virtual reality, but augmented reality. I can honestly say that I have seen the future—through a headset.
The constituency’s relative economic buoyancy is exactly that: relative. It has depended on the single market and the customs union, together with our openness to attract the best in the world. Football clubs, such as my beloved Arsenal, have benefited similarly. Warwick and Leamington is an exceptionally diverse, international and multicultural community. Engineers, designers, academics and working people of all sorts from Europe and around the world have made the area their home. As Leamington’s proud restaurant history reminds us, it has also long been home to distinguished communities originating from the Indian subcontinent, who have played, and continue to play, an important role in the economic and cultural life of the west midlands. By way of example, our magnificent gurdwara is now celebrating its 50th year. That diversity explains in part my constituency’s openness to international business and migration. It voted remain in the EU referendum. Since the vote, residents and representatives of Warwick University, Jaguar Land Rover and other businesses have consistently voiced their concerns to me about the impact of Brexit. They tell me that they simply want clarity and certainty—urgently. Economic matters are critical in their planning, and they expect Government responsibility, not party infighting. I am confident that they would agree with me: no deal, no way. They are right to worry.
The prolonged lack of clarity over the post-Brexit landscape on the British economy is an issue for the majority of my constituents. Some have already voiced their concerns about potential exclusion from the EU’s data protection framework, which would impede the continued free flow of data among EU and EEA states, without which businesses and the economy will suffer. The Lords EU Select Committee states that we are facing a dangerous cliff edge in that regard. Data is critical in our society and for our businesses, but we need strong safeguards. I echo the words of my hon. Friend the Member for Cardiff West (Kevin Brennan) about what data means, particularly for the younger generation, who, interestingly, can be viewed as a data commodity, but we must not allow our young people to become a commodity.
My constituents are already noting Brexit’s impact on the region’s ability to attract and retain the talented skilled workers on which it relies, and they are worried about the continuing weakness of the economy overall. The economy is extremely fragile and vulnerable to currency fluctuation and interest rate changes. Since 2015, we have witnessed a surge in unsecured household debt, which has reached levels not seen since 2007-08. Consumption growth—the sole driver of the UK economy for nearly a decade—is faltering, partly because much of that growth was driven by the £35 billion windfall that households received in PPI repayments. That is some economic stimulus by any measure. The effect of that short-term windfall is now tailing off. Since 2011, that extraordinary, one-off cash injection helped to fund, for example, higher retail car sales and new kitchens, but for little longer. Car sales have been falling since April 2017, which is as good an indicator as any that consumer confidence is declining significantly. Investment growth—the real driver of wealth—has failed to return to the UK after the financial crash of 2008, but only here. Growth in all other developed nations now exceeds the UK’s.
Like so many of the Government’s claims, assertions about Conservative economic competence have proven ill founded. UK debt has continued to rise. The Government have failed to meet their own economic targets. Real wages have fallen by 15% for many in the public sector and have been stagnant for most. CPI inflation is rising and will soon exceed 3%. Household budgets are being truly squeezed. Sterling has fallen by up to 20%; by contrast, personal unsecured debt has sky-rocketed.
Individually, those elements would be concerning enough; together, they augur serious concern. At the same time, the cost of housing is rocketing. In my constituency, average rents have increased by 26% in the past six years. In the past 10 years, only 50 council homes have been built in the area although 2,400 people are on the housing waiting list. Last year, 705 people applied as homeless to the local authority—130% up on 2010, compared with a 29% increase nationally over the same period. Some 3,600 people in my constituency regularly use our food banks. There are several night shelters in our towns and in recent months the numbers attending have doubled. The work there is increasingly important and I place on the record my thanks to Margaret, Chris, Susan, Vishal and all the other volunteers.
Quite simply, the housing market is broken. As has been confirmed by a Prime Minister not known for her Marxist principles, the energy market is also broken. As with so many Government announcements these days, it is too little, too late. Energy is ripe for revolution and it is vital that we should take this opportunity to democratise it. That will bring prosperity to all, as well as address the urgent crisis of climate change.
In his maiden speech in 2010, my predecessor stated that Warwick and Leamington had excellent frontline services. He was right: in 2010, we did. Seven years on, we do not. We have lost police—in Warwick, we have lost the police station. We have lost teachers, full-time firefighters, and health professionals from the NHS. Many are demoralised. I will not continue because all hon. Members face the same reality in their own constituencies.
What can we do? The International Monetary Fund has one suggestion: rebalance the tax system. A report just published by the IMF finds that higher income taxes for the rich would help reduce inequality without having an adverse impact on growth. Perhaps implementing some of the Labour party’s policies would be a good start to getting us on to a more secure economic footing as we face the enormous disruption of Brexit. Perhaps that is an announcement for next week. My constituents, whether residents or businesses, need, now more than ever, a strong Government ready to protect jobs, deliver a shared prosperity and enable all to flourish. Above all, I will speak for them. That is the vision that I will represent in Parliament. I thank hon. Members for their attention.
This debate is vital. Data is the lifeblood of the modern economy. Our ability to analyse vast quantities of it has totally transformed our understanding of the planet in which we live, of how we interact as a society and even of the very make-up of our bodies. Data is revolutionising our healthcare with amazing personalised medicines. The chief executive of our civil service explained earlier this year how data is fundamentally changing the delivery of the civil service, with huge benefits to improve the experience of the citizen, make Government more efficient and boost business in the wider economy. Consumers benefit, too: data flows mean we can access online goods, services and digital content never before thought possible; we get increased choice through cross-border platforms and cloud computing; and this underpins so many of those key financial services that consumers take for granted today.
The digital world is borderless, and the ability to transfer data seamlessly across borders is what underpins so much of our trade with Europe today. As I said in my earlier intervention, techUK suggests that the UK is home to more than 10% of all global data flows, with three quarters of those flows being between the UK and the rest of Europe. That data flows because of trust, and data protection is key to keeping that trust and fundamental to maintaining this trade. There are no World Trade Organisation backstops for data, and, as the Minister has said, securing an adequacy agreement is a priority, as it must be. Crashing out of Europe without a deal on data would not be a good deal, for our tech, medical and medical research sectors, for consumers or for our financial services. That is why it is so important that we make sure that there is an adequate deal on adequacy.
The GDPR set the global standard on data protection, and, as some in this House have mentioned, the UK was crucial in delivering that deal. The committee in the Parliament was chaired by a British Labour MEP, and a lead negotiator was a British Conservative MEP who now sits in the other place. On this side of the channel we should not underestimate how sensitive the issue of the treatment of personal data is. In Britain we have a long history of freedom, but in other countries in Europe people have sometimes found that their personal data has been abused by their state and their liberty has been constrained. The right to privacy of personal data is a treasured, fundamental right, which is why it is such good news that our Bill on data brings the principles of the GDPR—the European regulation—into British law. As we leave the EU, if we are to have that deep trading partnership in the future that the Prime Minister wants to deliver, we need to reassure our European neighbours that we will continue to act responsibly on personal data. We need to put the GDPR into British law, as the Bill does.
As the Minister correctly said, the digital world is continually evolving, so we need to be ready to evolve our digital legislation continually. That is why I was extremely pleased to hear the Prime Minister talk in her Florence speech not only about ensuring we have the same standards and regulations as we leave Europe, but about how she is committed to delivering an ongoing regulatory dialogue on such key issues and areas.
I do not wish to underestimate how challenging it will be to ensure that we deliver the data adequacy agreement. I remember spending time in Washington and Brussels during the EU-US privacy shield negotiations, and that was the No. 1 issue being discussed in the Oval office and at the top of the European Commission. It was the top priority, rising above everything else on the agenda. Nevertheless, on data there is good will on both sides to get a deal.
Some people seem to think that European politicians want no deal; I do not believe that to be true. From the conversations I have had, I believe that the vast majority of politicians throughout Europe want an ongoing, deep, bespoke partnership with the UK, and data is just one of the many areas in which they want that. Just this morning I welcomed to the House a colleague from the European Parliament: the Spanish lady MEP who helped me to deliver, through the EU, the end of mobile phone roaming charges. She is a leading light in digital policy and an excellent ally on digital issues. She explained to me how right now, throughout Europe, they are looking at the free flow of non-personal data. The UK called for legislation in this area, and Europe is now delivering. The leadership on the issue in the European Parliament has just been allocated to a member of the European Conservatives and Reformists—the Government’s European sister party.
We continue to want to lead and work on these issues, not only up to the time of Brexit but in co-operation thereafter. I say again: crashing out of Europe with no deal will not be good for the UK or for Europe, and it is not what the vast majority on this or the other side of the channel wants.
Let me make a few points about the Bill, as I do believe that it is great. As Opposition Members have suggested, techUK has raised concerns about whether the withdrawal Bill will give all the necessary powers to bring the GDPR into British law and whether the right to personal data is clear enough in British law. I was very pleased to hear the Minister say that he wants to ensure that there is an absolutely seamless transfer of what is currently held in European law on to the British statute book. We need to ensure that the tech sector is absolutely happy with the way that that is worded. That does not necessarily need to happen through the amendment to the withdrawal Bill, but we need to ensure that the Minister’s stated intention of a seamless transfer is delivered.
I wish to ask the Minister one question. One of the fine details of the GDPR is to make sure that it is implementable without putting an unnecessary handbrake on businesses or other organisations that need to be able to analyse data to use it for the benefits of society. There is some concern that the Intellectual Property Office in the UK may be gold-plating a little through some of its draft guidance. In particular, the data controller is asking organisations to name third parties who would rely on an ongoing transfer of data, whereas the GDPR says that they need to give only the type of category—not the name of the individual organisation. We need to be especially careful that we do not gold-plate, or cause companies to have to put in extra constraints.
Fundamentally, the ability to collect, communicate and understand data is pivotal to a modern economy’s success. It needs to work not just in the UK, but across borders. This is a massive step in ensuring that we will continue to act as good neighbours both to Europe and others in the way that we treat personal data. I am delighted to see that we are moving on with that process.
Some have described the movement of data across Europe as the fifth freedom. In fact, my hon. Friend the Member for Cardiff West (Kevin Brennan) made exactly that point. I suspect that most of us, and most of our fellow citizens, are only dimly aware of what actually happens to our data, but it does really matter. The design, extent and provisions of the British data protection framework will have profound implications for the nature of UK-EU trade relations. Today’s debate is particularly timely given the proceedings on the Data Protection Bill that are already under way in the other place. It is vital that we get this framework right.
I chair the all-party group on data analytics, and I have seen at first hand the way in which data has moved to the centre of every sector. Wherever we go, people are talking about data. I hope that the Minister will accept an invitation to meet the all-party group fairly soon to talk about how we can build awareness not just of how transformational this is likely to be, but of how complicated it will be to ensure that we get it right.
As we have heard, data is an increasingly valuable commodity, with the UK conducting three quarters of its cross-border data exchange with the European Union. The EU data economy was worth €272 billion in 2015 and has continued to grow rapidly since.
We have played a key role within the European Union in developing the GDPR, which will come into effect in the UK from May 2018. The European Commission proposed this new legislative framework back in January 2012 as an update and a levelling mechanism to protect citizens across Europe. It has taken five years of discussion and hard work for the regulation to be agreed. This significant measure for the UK does a number of things. It significantly widens the definition of personal data, transforms the notion of consent, carries severe fines for companies in case of non-compliance and fundamentally alters the way in which companies can store and process personal data.
Back in February, the Minister told the House of Lords EU Home Affairs Sub-Committee that the GDPR was a “good piece of legislation”, and I welcome the Government’s sensible decision to adopt the GDPR into UK law. But, as many have pointed out, there are problems ahead, not least with some elements of the relationship with the Investigatory Powers Act 2016. Both techUK and Ukie—the Association for UK Interactive Entertainment—which covers things such as video games, highlighted that concern when the Government published their paper in August, and both noted that the paper did not address an issue that the Government knew to be problematic.
Why would it matter if data flows were interrupted? Well, we are good at data in the UK. Our digitally intensive industries account for 16% of gross value added, 24% of total UK exports and 3 million jobs. The digital sector is growing 32% faster than the national average. We are at a significant competitive advantage in the digital economy. At 10% of GDP, the digital economy makes a larger contribution to our economy than that in any other G20 country, so it really matters to us. Beyond that, it is a vital enabler in the overall UK economy and society. We are increasingly digitised, with all sectors increasingly reliant on data flows. They underpin retail, health, finance, manufacturing and the automotive industries, to name just a few. The Government have confirmed that:
“Over 70% of all trade in services are enabled by data flows, meaning that data protection is critical to international trade.”
That confirms that they do understand and appreciate the importance of data protection.
Additionally, data flows benefit consumers, allowing innovation in products and services, streamlining performance in industry and improving global communication. They reduce business costs, leading to more investment in research and development, and improve productivity. In some ways, the problem is that our membership of the European Union gives us special advantages. In a profound irony, we actually have more control over our own privacy regime when we are within the European Union than we will have when we are outside it. Let me explain how that comes about.
Outside the EU, we become a third country in terms of our relationship with the European Union. The Government say that the best way forward is an adequacy agreement, or something akin to one, which would need to be secured with the European Commission. There are alternatives, but they are difficult, unstable and particularly ill-suited to UK businesses, especially small and medium-sized enterprises. The large corporations may be able to manage, but the small businesses will not. UK firms, particularly the start-ups in my part of the country, would have to jump through hoops and hurdles that their European counterparts would not have to. While our companies would be spending time and money agreeing standard contractual clauses with customers, their EU counterparts and competitors would simply be getting on with business.
I fully recognise the points made by Government Members. They understand a lot of this and say that an adequacy decision would be the best possible solution to ensure the
“unhindered exchange of data within an appropriate data protection environment”.
The partnership paper clearly states that future data protection co-operation
“could build on the existing adequacy model”.
If we are to achieve that objective, ensuring the continued alignment of the UK’s data protection framework with the EU’s will be key. That should, therefore, be the primary consideration in any discussion of the provisions of the Data Protection Bill. Any deviation from the provisions of the GDPR could put at risk achieving a successful outcome as we seek an adequacy decision.
We also need to look to the future, because if we do get that adequacy agreement, given the close alignment of UK and EU data protection frameworks, the Government must prioritise ICO involvement in the formulation of future EU data protection provisions. As we have heard, the EU will inevitably update the GDPR as time and technology progress. However, we risk these changes being dictated to us, and a duty needs to be placed on the ICO and the commissioner to maintain regulations that keep the UK adequate with the latest version of EU law. Even if we can achieve that, there is a great irony here, in that we will, effectively, be dictated to—it is not quite the taking back control that some were seeking.
Perhaps more important is that just saying that we would like an adequacy agreement is not the same as actually getting one. We might wish for one, but will we be able to have it? Will others agree? There are various problems, which I hope the Minister will address. The first is time. Obtaining an adequacy decision is feasible only for third countries. It follows that, to get one, the UK will need to have left the EU at the time of the ruling, which leads to the very real danger of a data protection cliff edge. In evidence to one of our Committees, Stewart Room, head of data protection at PricewaterhouseCoopers, said that obtaining such a decision could take “many, many years”. So this week’s talk of no deal is highly risky when it comes to data. The risk of a cliff edge is very real and very dangerous.
Then there is the Investigatory Powers Act. There is a danger that some of our neighbours may no longer be inclined to share data with a country that takes a different view on privacy issues from them. As members of the EU, our different traditions are respected; as a third country, things could be very different. The provisions in the Investigatory Powers Act, and the current investigatory practices in our intelligence services, which allow the police to access personal data such as communications or internet data without a requirement for independent judicial approval or for the issue being investigated to be of a certain seriousness, will be a legitimate concern for some countries in the EU when negotiating an adequacy agreement. Perhaps the Minister can tell us what work has been done on this and what assurances have already been received.
The ruling of the Court of Justice of the European Union in the Watson case with regard to the UK’s surveillance and bulk data retention regime is also important. The Court’s decision stated that the UK’s surveillance and data retention laws—then the Data Retention and Investigatory Powers Act 2014—exceeded the EU’s view of what is strictly necessary and appropriate. That model of retaining communications data is broadly mirrored in the new Investigatory Powers Act—the replacement for DRIPA. It is hardly inconceivable, therefore, that the EU could decide that the UK does not reach its standards for adequacy. On this rather complicated set of issues, I should say that I am grateful to Renate Sampson of Big Brother Watch for explaining some of these points to me.
My next concern was about the European charter of fundamental rights, but it has already been touched on in the excellent discussion triggered by the contribution from my right hon. Friend the Member for East Ham (Stephen Timms), whom I will be supporting in his efforts to secure amendment 151 when we discuss the European Union (Withdrawal) Bill.
There is a further point about that Bill. We know that it is controversial and that there are concerns that ministerial alterations can be made without parliamentary votes. If the GDPR were to be altered during the repeal process, and citizens’ personal data rights were in any way diminished, we could be prevented from being anywhere near the level of protection deemed adequate by the EU. The Information Commissioner has made it clear that for the UK to achieve the gold standard of data protection regulation and enforcement, the right way forward is to fully adopt the GDPR, and that position must be maintained.
UK businesses and organisations have already started preparing for the GDPR, which is good. That should stand us in good stead when it comes to an adequacy discussion. It is vital that we enshrine the GDPR in our law permanently in a clean Data Protection Bill, so that data can still flow, businesses can still run and communications do not just stop. However, it is of the utmost importance that we commit to these rules for the long term and provide certainty for individuals and businesses. The economic consequences of not being able to move personal data would be very serious, with companies having to double-store data. That would take a long time to implement, and it would have serious economic and environmental costs, and run the risk of our not being able to operate properly across borders. It would, at a stroke, put at risk the UK’s place as a global hub for tech and other data-intensive industries. There is a huge amount at stake.
There is, of course, a simple alternative that looks more and more obvious with every passing day to some of us, as Brexit morphs into wrecks-it. But until we reach the point at which sense prevails, I hope that the Minister will share with us information on the work being done, especially on fine-tuning the relationship between the GDPR and the IPA, to ensure that the data keeps flowing and we can remain part of the modern world.
The transfer of data is critical for the functioning of our economy. The proper management and control of data is increasingly a matter of civil liberties. Roughly 70% of the UK’s trade in services is reliant on the free flow of personal data. The EU’s data economy is expected to be worth £643 billion by 2020 and millions of UK citizens share their lives online. To be able to operate, UK businesses require clarity on the legal basis for data transfer post Brexit.
As the Minister asserted, the Government’s future partnership paper presents the adequacy model as the basis for a future UK-EU agreement on exchanging and protecting personal data. As my hon. Friend the Member for Cambridge (Daniel Zeichner) said, the alternatives—making use of binding corporate rules or standard contractual clauses—would be burdensome, costly and create considerable uncertainty for individuals and businesses. Given that a post-Brexit UK will find itself in a position of unprecedented alignment with existing EU laws and norms, it does appear that an adequacy agreement is the most sensible way forward. The UK—it is hoped—will be designated by the European Commission as providing adequate protection for personal data, and it will be business as usual.
As the House of Lords European Union Committee has made clear, however, even if the UK positioned itself in perfect alignment with EU rules as it exits, it is very likely that the EU will amend or reform its data law in the near future, thus threatening the UK’s adequacy status. Divergence between the EU and a post-Brexit UK may come sooner rather than later.
In 2009, the EU’s charter of fundamental rights became legally binding. The charter codified existing EU rights and principles and is now the source document for EU fundamental rights. Article 8 of the CFR covers the protections of personal data—the right to privacy and the right to data protection that serve as the foundation for the EU’s data protection law. The European Union’s general data protection regulation, which will apply in the UK from May 2018, creates and enhances data protections and rights for EU citizens in continuity with the principles of article 8 and the CFR more generally.
Much is made of the EU’s novel right to be forgotten, but the GDPR also speaks to the issue of algorithmic decision making and processes that significantly affect users every moment of the day for most of our citizens—the Minister is probably being affected right now, as he is on his phone. It also creates a right to explanation whereby individuals can ask for details on how decisions about them were made—for example, on access to credit. As such, the GDPR creates a requirement on those designing algorithms and evaluation frameworks to avoid prejudicial decision making and to enable easy explanations for users.
Those rights and norms are at the cutting edge of global data protections law and are essential for our tech industry in the UK. They are possible because the EU is developing its data protection laws in accordance with the principles expressed in the charter of fundamental rights. However, the Government have made it clear that the charter will not form part of domestic law on or after exit day. As such, significant divergence from EU data protection norms may begin sooner than expected, putting our tech industry in incredible jeopardy.
Once the UK has surrendered its place at the EU’s decision-making table, as is the Government’s intention, our ability to exert influence on the future of EU data law will be greatly diminished. Not only are we presented with yet another possibility of the UK being demoted from rule maker to rule taker, but the constant anxiety that the UK may fall out of compliance with EU data laws is deeply unhelpful to individuals and UK businesses of whatever magnitude. If compliance with the charter of fundamental rights is required in practice to secure regulatory harmony and thus business confidence, the Government’s commitment to jettisoning the charter appears increasingly odd.
Securing the free flow of data, especially for an economy such as ours that is largely service-based, should be a pressing imperative for the Government. Ensuring that individuals are protected by rigorous data protection laws should be a top priority for the Government. I think it prudent therefore that the Government look again at their intention to bin the charter of fundamental rights as part of their EU withdrawal plans.
I was somewhat confused when I saw this debate on the Order Paper, not least because the Data Protection Bill is in the other place and scheduled to arrive here in due course, as the title was, “Exiting the European Union and Data Protection”. I therefore came with great hope—indeed, hope is the watchword of today—that the debate might be about some updates on how we will seek an agreement on adequacy with the European Union. Given that we are relying on hope and on some form of adequacy agreement—to proceed without an adequacy agreement would be, much like the rest of the Brexit policy, completely incoherent—I hope that the Minister will keep us posted on the progress that is being made towards an agreement, the timelines for doing so and the headway made in conversations about it.
We have a very short period in which to implement complicated and wide-ranging new laws. The Data Protection Bill, as we have heard today, incorporates not just GDPR issues for non-EU areas of competency, but matters of law enforcement and other things that have wide-ranging implications for our country and our laws. Those things must fit around the GDPR, which, as I said in my earlier intervention, will probably become law through a statutory instrument under the European Union (Withdrawal) Bill. I restate my ask of the Government that we should have the opportunity to debate that statutory instrument in substance in this House, not least because some of its important provisions require debate to guide businesses in my constituency and across the country on their application. An example concerns the right to human intervention when a decision has been made using profiling and automated processes—things such as algorithms. Many of my hon. Friends and other members of the Select Committee on Science and Technology will be looking at that issue, but some have grave concern about whether, when we bring in machine learning and changing algorithms, it is even possible to deliver the right to human intervention.
The Bill, which already covers many areas of law, is the start of a wider conversation that includes the network and information security directive and—to go to the important question of marketing, which my right hon. Friend the Member for East Ham (Stephen Timms) spoke about—the e-privacy regulation. How will those fit together? How will businesses, charities and other organisations, many of which do not have rooms full of lawyers and compliance specialists to help them to implement the law, know how everything fits together?
The Prime Minister and—dare I say?—her most ill-informed Brexiteer MPs seem happy with the idea of a no-deal hard Brexit. Many people can visualise lorries on the border, unable to export British goods to the continent. The same would be true for data. With a hard Brexit, there would be a standstill, and there would be blockages on the border for data. Much as with the goods in those trucks in Dover and in the port of Avonmouth in Bristol North West, that would be a disaster for business, consumers and importantly, as we have heard, for policing and the prevention of criminal activity.
I am looking forward to the Data Protection Bill and I am excited about the Committee stage, but I will take this opportunity to address some of the strategic issues that many Members have mentioned: first, the basis of data protection law in the European charter of fundamental rights, on which I will not revisit the arguments already made but will, I hope, add something interesting and new to the debate; secondly, the incoherence between the necessity to mirror EU law and the Government’s illogical policy approach on Brexit; and lastly, the rights and protections of children.
First, as we have heard in this debate, the Government have made it clear that the European charter of fundamental rights will be revoked under the European Union (Withdrawal) Bill. The Minister said that the GDPR in effect says the same thing, but article 8 of the charter, which underpins the GDPR, is referenced in article 45 of the GDPR. If the GDPR is referencing out to statutory, fundamental rights and we take that anchor away, we must replace it elsewhere. I will therefore support the amendment to the Bill proposed by my right hon. Friend the Member for East Ham, to ensure that that happens.
I want to mention the right of collective address. Under the GDPR, bodies can campaign and bring actions against data controllers in the interests of consumers and data subjects as a whole. This works very well in other areas of the law in this country, such as the Consumer Rights Act 2015. Under that Act, Which?, as a private enforcer against unfair terms, can act on behalf of consumers. For some reason, the Government have decided not to adopt such an approach in the Data Protection Bill. I look to the Minister in his closing remarks to explain why he does not think organisations should be able to bring actions for collective redress on behalf of data subjects. Many data subjects may not be able to enforce their own rights as individuals but rely on such organisations to act in their interests.
On fundamental rights more broadly, I am still confused. I hope that the Minister will provide clarification in this final debate of the week by showing how, although we must maintain fundamental rights, we are also removing them. It is much like being in the single market and leaving it, much like being in Europe but not being in Europe, and much like protecting fundamental rights and not protecting them. What is the answer? The Data Protection Bill seeks to ensure transparency and accountability, and in the light of that theme, I hope the Minister will respond on fundamental rights.
Secondly, if we are successful in seeking an adequacy agreement, it is then for us to maintain equivalence as part of that developing area of EU law, as other Members have said. That will require the UK to adopt the decisions of the newly created European Data Protection Board, which is subject to the jurisprudence of the European Court of Justice. Yet the Government insist that we can be both in and out, which is ludicrous, as I have said. They also say that we can be in it without being subject to the rules, but we know that that is a fallacy. Will the Minister confirm whether the Government’s policy is to get an adequacy agreement either this year or next year, only for it to be revoked in a few years’ time because we do not want to be subject to the jurisdiction of the ECJ? We must be subject to its jurisdiction if we are to maintain adequacy, but we will be forever on the cliff edge of being concerned that adequacy will be removed—as it was from the United States of America by the European Commission—and that is the risk our businesses, our consumers, our charities and others fear.
Lastly, I wish to address the rights and protections of children. I will return to this topic in detail on Second Reading. It is a great disappointment that the European Union has backtracked and pulled back slightly on this issue, so that instead of having a harmonised rule saying that children deserve extra protections—especially in the context of understanding how their use of online products and services means giving over personal data, how that personal data is profiled and how advertising is targeted on children—the European Union decided to provide member states with a range of ages to choose from, from 13 to 16.
As my hon. Friend the Member for Cardiff West (Kevin Brennan) said, the UK opted for the age of 13 as the minimum GDPR requirement. I think that is the wrong decision and, according to polls by YouGov, 80% of parents agree with me. However, I encourage us to be intelligent about the way we regulate to support children. It is obvious that if we put in these frameworks children may find ways to use the systems anyway. No doubt there are a number of children under the age of 12 and 13 using social media sites today. We must make sure that the regulation is—dare I say?—with the kids. It needs to make sense and it needs to work properly. I look forward to having that debate and no doubt a shared aim.
As we prepare for the arrival of the Data Protection Bill, this is the first glimpse of a major piece of proposed legislation that highlights the enormous challenges with implementing Brexit. It is not just an issue of primary law for many of the issues we have talked about today; it is about clear rules and about compliance by those subjected to it. On clear rules, I refer to comments made by the Baroness Lane-Fox on Second Reading in the other place, when she pulled out a particularly entertaining section the Data Protection Bill, which reads:
“Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies for the purposes of the GDPR… In this Chapter, ‘the applied Chapter 2’ means Chapter 2 of this Part as applied by this Chapter”.
Other than that sounding like something out of the “Yes Minister” comedy series, it says to me, as a former lawyer, expense. People will be concerned—quite frankly, charities and other groups will be terrified—about getting this wrong. They will have to endure huge compliance costs in trying to implement what should be clear rules into their business.
Following on from what the hon. Member for Chelmsford (Vicky Ford) said—she is not in her place—on compliance and guidance from the ICO, I stress this point with the Minister: many businesses want to do the right thing. They wait on guidance from the ICO and others to tell them what the law means and how they will seek to enforce that law. However, much guidance has either been delayed or is not yet with us. The guidance that has been provided is not, in many cases, sufficiently clear either. We must support the ICO properly to ensure it can provide that service, and we must make sure that people know how to comply with the law.
The UK is, as we have heard, one of the world’s leading digital economies. Bristol is one of the largest digital economies outside of London, and we lead the way on these issues in the world. We have the opportunity to set the tone in becoming a global hub for the world’s digital economy based not only on trust, accountability and security, but on business innovation and leadership. I look forward to helping the Government in this House to get that right.
The cross-border general data protection regulation will be brought in by the EU and be applicable here in the UK in May 2018, but there is no clarity on how data protection will be regulated in post-Brexit Britain. That is entirely a matter for the phase 2 negotiations and we have not even started them. Business needs clarity. Data protection regulation is a vital issue for the technology sector. This will affect the sector in every way, whether it is for individuals buying something online or logging on to Facebook, or for large companies operating internationally. As we have also heard today, the tech sector is one of the UK’s success stories. It provides 10% of our GDP, 24% of our exports and over 3 million jobs.
Data protection is central not just to the tech sector but to our whole economy. Any business of any size needs to be able to transfer data across borders safely. If we leave without a deal on data protection, British businesses will not be able to operate internationally. So much for the Government’s vision of a global Britain! We have already seen how Brexit is beginning to damage the economy. The uncertainty facing the tech sector is just another example of how serious a no-deal scenario would be for the whole economy. Conservative Members cannot claim to be the party of business if they can seriously say that no deal is better than a bad deal—no deal is the very worst deal possible.
The Government say they will negotiate an adequacy agreement or even an enhanced agreement, but as we see time and again, what they say they will get and what they actually achieve are often very different things. While the EU general data protection regulations will come into effect in 2018—before we leave—the European Commission will still have to agree that the UK is providing adequate data protection after we leave. A few years ago, however, the European Court of Justice deemed aspects of the UK’s Data Retention and Investigatory Powers Act 2014 as illegal. Ironically, the case was brought to the ECJ by the right hon. Member who is now the Secretary of State for Exiting the European Union.
That demonstrates that the UK has a history of failing to comply with EU data protection laws. Once outside the EU, the Commission will regularly review whether it thinks UK data protection regulations are acceptable. We will have to agree with its regulations, which are under ECJ oversight, but without having a say over them. That will be the reality post Brexit, and it is important that we all come to terms with it. Frankly, I doubt whether the Government in the Brexit negotiations will even get to the issue being discussed today. This week has been full of talk of no deal. The clock is ticking, and as we heard today, the negotiations in Brussels are deadlocked. It is for the Government to unlock that deadlock. The Prime Minister has the cheek to say the ball is in the EU’s court. I say that the Government have failed even to pick up the racket, let alone hit the ball over the net.
It is hard to pick up a newspaper, listen to the radio or follow the news today without hearing about Brexit and its impact on the UK. Normally when there is good news, it is presented as being in spite of Brexit. That kind of rhetoric is not helpful. The fact is that a majority of 17.4 million people, of whom I was one, voted to leave the EU. A majority of my constituents voted to leave as well. We are now upholding that decision, as is only right in a democratic society. Of course, it is right and proper, as we are doing today, to discuss the implications and solutions surrounding the decision and to recognise the opportunities that Brexit can bring for the people of the United Kingdom of Great Britain and Northern Ireland.
In July, the House of Lords European Union Committee examined the impact that Brexit would have on data protection in the UK. At the time, the conclusion was that there was a lack of detail about how the Government would maintain the flow of data post Brexit, as others have said. Under the EU’s data protection framework, a country outside the EU and EEA is classed as a third country, and personal data can be transferred to a third country only where adequate protection is guaranteed. Since the Lords Select Committee published its findings, the Prime Minister has announced a transitional period after the UK leaves the EU in March 2019, meaning that we can safely secure an adequacy decision from the European Commission. Since the Government have continually stressed their desire to secure the unhindered flow of data between the UK and the EU post Brexit, that seems a very desirable solution. I believe it is one that everyone in this House—everyone who has participated in this debate and those who have not—would want to see.
Regardless of Brexit, it is important to remember that we are already experiencing a change in our data protection laws. The Queen’s Speech included plans to secure a data protection framework that is suitable for a new digital age. Unsurprisingly, the way in which data is used and processed has changed significantly since 1995. The purpose of the new Bill will be to implement the general data protection regulation. Research shows that some 80% of people feel that they do not have complete control over their data online. The Information Commissioner’s Office, the data protection regulator, will also be given more power to defend consumer interests and issue higher fines. Implementing the GDPR, which the UK is due to do on 25 May 2018, will ensure that the UK meets its obligations while remaining an EU member state, but it will also help to put us in the best position to maintain our ability to share data with the EU and internationally when we leave. Given that more than 70% of all trade in services is enabled by data flows, it is not surprising that data protection is so critical to international trade.
There is a lot of doom and gloom among some sections in this House and also outside, but it is important to remember how successful the UK is, particularly in data protection—something that I am confident will improve even further with the new Data Protection Bill, as I am sure the Minister will confirm in his summing up. The UK is one of the leading drivers of high data protection standards across the globe. Data flows are important for both the UK and EU economies and for wider co-operation, including in law enforcement. I think we can all agree that it is vital for keeping our countries safe, which is a critical factor.
In 2015, the EU data economy was estimated to be worth €272 billion, which is around 2% of EU GDP. Estimates suggest that its value could rise to €643 billion by 2020, or more than 3% of GDP, although this is subject to legal and policy frameworks being put in place. Estimates suggest that around 43% of all EU digital companies are started in the UK and that 75% of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries and has an economy dominated by service sectors, in which data and data flows are increasingly vital. The UK accounted for 11.5% of global cross-border data flows in 2015, compared with 3.9% of global GDP, but the value of data flows to the wider economy is even greater. Surely these statistics are evidence of the need to continue and secure the flow of data between both the EU and the UK.
The GDPR has a number of provisions, including the transfer of personal data to third countries and international organisations. To that end, it puts the Commission in charge of assessing the level of protection given by a territory or processing sector in a third country. Achieving an adequacy decision from the European Commission, while completely possible, is not guaranteed —other Members have also put questions about that. For example, Canada has been approved for only certain types of personal data. If for whatever reason the UK’s laws are not considered to meet the adequacy standard, businesses in the UK would be subject to the same restrictions that currently apply to data transfers from the EU to the US. Surely early certainty about how we can extend the current provisions, alongside an agreed negotiating timeline for longer-term arrangements, will give businesses on both sides certainty for the future. I understand that everyone wants to secure an agreement on data sharing with the European Union as quickly as possible, but will the Minister clarify the Government’s position on what will happen if we do not achieve approval from the Commission?
I want to conclude with some remarks about Northern Ireland, because it is important to get this on the record. We are all aware in this House of the special case that those of us in Northern Ireland find ourselves in. We are the only part of the United Kingdom that will share a land border with an EU member state. As with many other things, specific thought will need to be given to the impact of data protection matters not only in Northern Ireland, but across the whole United Kingdom. For example, if for whatever reason we are unable to secure an agreement or an adequacy decision, any Irish company with a UK base will find itself in a difficult position, which could have implications for us in Northern Ireland.
Earlier this year, KPMG considered this issue and found that where an Irish company has a UK-based operation and holds, for example, payroll data about Irish or other EU nationals in that UK base, it may need to start considering whether it relocates that base to another EU state. Alternatively, the company may instead have to adopt standards compatible with the new EU rules, such as binding corporate rules. Otherwise, unless and until the UK receives Commission approval, or some form of bilateral agreement is reached, any transfers of payroll data from Ireland to the UK post Brexit will fall foul of the GDPR. It is also worth noting that any company that is found to have transferred payroll data in breach of the GDPR may be subject to a fine amounting to 4% of its global turnover, or €20 million. If a company had offices in Dublin and Belfast or Dublin and London, for example, that could—or would—present a significant problem.
When it comes to our joint security, sharing personal data is essential for our wider co-operation in the fight against serious crime and terrorism. Between October 2014 and September 2015, the UK Financial Intelligence Unit received 1,566 requests from international partners for financial intelligence, at least 800 of which came from EU member states. The UK is instrumental in contributing high-quality information, analysis and expertise in areas such as passenger data and financial intelligence. It also gains considerable benefit from the information provided by other member states in bringing criminals to justice within its own borders.
Data-sharing is a vital part of our counter-terrorism strategies. The Europol website recognises the importance of working not only with the EU but with its international partners. It points out that
“organised crime does not stop at international borders…it is also essential to have cooperation initiatives with… non-EU States and international organisations”.
That makes clear the shared understanding that keeping our countries safe is widely accepted as being non-negotiable, both within Europe and internationally.
Often, when we consider threats of terrorism, we look at the physical attacks, but while that cannot and must never be overlooked, we must also consider the way in which the use of data is changing. It is changing continually; it is changing as we sit here. As it becomes more sophisticated, the number of cyber-threats from state and non-state actors increase, and those threats do not respect borders. Earlier this year, the WannaCry ransomware infections caused thousands of simultaneous cyber-attacks to be recorded across the globe, affecting more than 100 countries in a co-ordinated breach of IT systems in both private and public sector bodies. As technologies evolve and cyber-threats grow, it is vital that law enforcement keeps pace and develops capabilities to stay ahead of attackers whom we must work together with our European and international partners to defeat.
As has already been mentioned, the increasingly international, borderless nature of criminal activity makes the swift and efficient availability of data essential to modern law enforcement. The ability of law enforcement agencies to conduct point-to-point data exchange is critical to developing lines of inquiry, identifying suspects, and taking appropriate action.
I will end my speech now, because I have been told by the Whips to conform to a certain time. I appreciate that I have covered a number of topics—as have all the other speakers—but I think we can all agree on the importance of securing an agreement with the European Union, so that we can continue to share data in the same way as we do now. That will ensure that businesses in the UK, and those from EU states with UK bases, can operate as they have done previously. It will also enable our countries to continue to co-operate in vitally important areas, sharing data and information in the fight against terrorism and criminality.
I look forward to hearing the Minister’s comments. As a Brexiteer, I am sure that we are moving forward in a constructive and positive way.
This has been a very interesting debate. It has, in a sense, been the First Reading of a Bill, which is an innovation on the Government’s part. Although the Bill is currently in the House of Lords, I suspect that there may be a degree of repetition when it eventually comes here for its Second Reading. However, I am sure that the Minister’s Second Reading speech will be completely original, and will not contain any of the information that he has given us this afternoon.
The debate has also been very well informed, and we have heard from Members on both sides of the House. The hon. Member for Bromley and Chislehurst (Robert Neill) drew attention to the importance of tech companies in London and to the importance of bespoke arrangements for when Britain leaves the European Union. The Scottish National party’s Front Bench spokesman, the hon. Member for Argyll and Bute (Brendan O’Hara), expressed many of the views that I think we share, and I am sure that they will be developed on Second Reading and in Committee. The hon. Member for Stirling (Stephen Kerr), who is no longer in the Chamber, spoke about the accountability and ethics involved in data use and said that he was a champion of free trade. I was not entirely sure that I grasped how his point about adequacy fitted in with what the Minister had said about something “akin to” adequacy, but he gave his own explanation nevertheless. My right hon. Friend the Member for East Ham (Stephen Timms) was, as usual, erudite and informed, but never anorakish, in his contribution and made some extremely important points [Interruption.] The Minister is shouting “Rubbish”; I know he is not doing so about the content of my right hon. Friend’s speech, because my right hon. Friend made some extremely important points about the EU charter of fundamental rights and clarity on the adequacy agreement. I know the Minister was listening carefully, because he intervened on my right hon. Friend, but I hope he reflects on what my right hon. Friend said before the Bill comes to us on Second Reading.
We then had the immense pleasure of a maiden speech from my hon. Friend the Member for Warwick and Leamington (Matt Western), which is indeed a very beautiful and happy place. My daughter recently spent three years in Leamington Spa while a student at Warwick University—and was a member of the Leamingtones singing group—and I can confirm that it is a very happy place. My hon. Friend rightly paid tribute to his predecessor. I hope his predecessor does not mind my saying—this is not meant in a mean-spirited way—that I was quite pleased when he lost his seat, because for some reason people thought he and I looked alike. That was perhaps something to do with our stature or our glasses, and from time to time we were mistaken for each other. I wish him well outside the House and look forward to people no longer saying to me “You must have a double,” every time I was mistaken for him around this place. My hon. Friend rightly paid gracious tribute to his predecessor, and his maiden speech was very witty and erudite, as well as serious. We wish him a long and successful career in this House, and I am sure he will make a great contribution.
The hon. Member for Chelmsford (Vicky Ford) made her contribution, and then my hon. Friend the Member for Cambridge (Daniel Zeichner) made a very thorough speech. He told us of his chairmanship of the all-party group on data analytics. We should thank it for the briefing it supplied ahead of this debate, which was very useful, and should also mention other briefings that were supplied but not referred to during the debate, such as that from the Association of British Insurers, many of whose points have come out in general debate in any case.
Showing the talent on the Labour Benches, we also had excellent contributions from my hon. Friends the Members for Leeds North West (Alex Sobel) and for Bristol North West (Darren Jones), and I hope they will serve on the Bill Committee, as they could both bring great forensic analysis to the scrutiny of the Minister, who I know, having debated with him before, welcomes that immensely from the Opposition in Committee. I am sorry that my hon. Friend the Member for Bristol North West outed himself as a lawyer in this area, as I was hoping that we might spring him as a surprise on the Minister, but now I know he will be going away and doing research on my hon. Friend. We also had a contribution from the hon. Member for Bath (Wera Hobhouse), who pointed out the importance of a good Brexit deal and the damage that uncertainty is causing to business.
Finally, we heard from the hon. Member for Strangford (Jim Shannon), a very popular Member of this House, who was still able to make a very good speech in spite of Brexit. As ever, he was fluent and assiduous in his contribution, and he pointed out the special position of Northern Ireland, having a land border with the EU post Brexit, which we must never forget is a key issue.
I will not repeat the points I made in my speech, but I remind the Minister that I asked him to explain, and hope he is able to, the thinking behind the Government’s derogation on the minimum age for a child consenting in respect of the processing of their personal data at 13 years rather than 16 years. If he can rehearse that for the House at this point, it will perhaps be helpful when we consider it further down the line when the Bill comes before us, as it will if he also responds to the key points made in the debate by me and other Members in relation to adequacy, security and so on. We look forward to hearing the Minister’s response to the debate.
The subject of the debate could not be more important. The digital revolution is one of the biggest things happening to this country and the world. Indeed, I think the digital revolution as a whole is bigger than Brexit. The right hon. Member for East Ham (Stephen Timms) thought this would be an anorak-like debate, but hoped it would not. Well, I think we could liken the debate to an anorak because in some circumstances anoraks are incredibly important. The debate may have been detailed and technical in parts, but it is vital to get these things right for our country’s future.
As others have said, what a pleasure it was to hear the fine maiden speech by the hon. Member for Warwick and Leamington (Matt Western). He even introduced a word that I had never heard—camoufleurs. What a description! He spoke well of his new constituency, especially the design industry, and the gaming industry that is so important there. He spoke of history and the future. As the Minister for the gaming industry and for VR and AR, I am thrilled to hear that he will continue to champion them; I look forward to engaging with him often.
I was delighted to hear that Leamington is the happiest place to live. Funnily enough, I thought that was Suffolk. I give the hon. Gentleman a gentle warning about hostages to fortune: he very gently and elegantly took the credit for Leamington’s being the happiest place in the country, so now we all know where to look if it all goes wrong.
I almost called the Labour Front-Bench spokesman, the hon. Member for Cardiff West (Kevin Brennan), my hon. Friend because we have spent so much time together in Committee in the past. I look forward to doing so again in future. I was surprised to learn two new things about him. I am astonished that he has university-age children; he looks as though he has barely left university himself. And he says he is delighted that the former Member for Warwick and Leamington, Chris White, is no longer in the House because he is a double. He can imagine how I felt when Mike Hancock was defeated!
The hon. Member for Cardiff West asked some serious and important questions. First, he raised the question of parental consent at the age of 13. There is flexibility in the GDPR legislation to set the age of parental consent at any age between 13 and 16. In the UK that age is effectively 12 at the moment—although it is not set in the same way—which means that we are raising the age. We of course recognise the fundamental role that the internet plays in the lives of teenagers, and we agree that it is vital to educate children, not only on the positives of the internet—coding has been in the curriculum for three or four years—but on the risks. The internet safety strategy published yesterday stated that we will do more to educate children about safety, but online platforms also give children educational and social resource, and the rules need to be realistic if they are to work. We do not want to introduce an unworkable rule.
This is a balanced judgment, but I believe we were right when we chose the age of 13. It was suggested that we did so because the Irish Government decided on 13, but the point about GDPR is that what matters is whose data it is, so it is not a question of the dataset in which the data is stored; it is a question of how old the child is.
The hon. Member for Cardiff West, and several other hon. Members, asked about the adequacy of our national security legislation. We are already compliant with EU law on data protection, with the Intellectual Property (Unjustified Threats) Act 2017, and we will be after exit. We are confident that that legislation should not present a significant obstacle to negotiations, not least because we have one of the most robust oversight frameworks in the world, and we brought in judicial oversight as part of the move from the Data Retention and Investigatory Powers Act 2014 to the Investigatory Powers Act 2016.
We heard an excellent speech from my hon. Friend the Member for Bromley and Chislehurst (Robert Neill), who argued that how data rules relate to finance is a huge issue to be tackled. He is absolutely right, and we do have regular discussions with the financial sector. None of us should forget his point that it is in the interests of both the UK and the EU to get things right. We will help to ensure that Gibraltar has market access to the UK, which my hon. Friend cares about. That may require a degree of regulatory equivalence, and he knows that those discussions are ongoing. Our intention to maintain the data relationship for law enforcement purposes is clear, which is why we are putting the law enforcement directive into UK law as part of the Data Protection Bill. We want to continue to have a strong partnership with the EU. There is no legal barrier to the EU establishing an international agreement giving third countries access to SIS II and the European Criminal Records Information System. We are exploring a full range of options, but much of the detail will obviously be down to the negotiations.
I am delighted that the Scottish National Party supports our approach, and I am grateful for the support of both the Scottish Government and the SNP Members here. When the hon. Member for Argyll and Bute (Brendan O’Hara) said that what I had said previously was absolutely right, I started to worry a little—we do not usually hear that, from the SNP Benches—but he then asked specifically about a no-deal scenario. In the annex to the paper we published in the summer, we outlined other ways to ensure the flow of data, and we do consider all options. There are alternative means of legal transfer of data, but we fully expect a good deal. The hon. Member for Strangford (Jim Shannon) made the same point, but he stressed that this is about not just the future EU-UK relationship, but the UK’s relationships all around the world and our ability to get strong trading relationships underpinned by data that is protected with good cyber-security.
My hon. Friend the Member for Stirling (Stephen Kerr) argued powerfully that data protection must be based on trust—my hon. Friend the Member for Chelmsford (Vicky Ford) made a similar point—and mentioned the advantage of future flexibility in a position in which Britain can lead across the world. He mentioned our history on that topic and the computer Manchester 1, which my mother worked on, and Stirling’s growing digital economy. He asked us to raise our eyes to the horizon and ensure that we get this right across the world.
Like the hon. Member for Cambridge (Daniel Zeichner), my hon. Friend the Member for Stirling asked about the EU-US privacy shield and post-Brexit data flows. We of course want to maintain the current protections for UK citizens under the privacy shield after exit. We want to ensure that data flows between the UK and third countries with EU adequacy decisions, like the US, can continue on the same basis. That is part and parcel of what we are trying to achieve.
The hon. Member for Cambridge also asked about dialogue with the EU on the future partnerships paper, and that is ongoing. For example, the Secretary of State for Justice is at the Justice and Home Affairs Council this week and will be speaking about that paper, setting out in particular the argument that we are approaching Brexit from a point of harmonisation. Keeping the Data Protection Bill harmonised with the GDPR will be critical as we take the Bill through both Houses, and I am glad for the Opposition’s support in maintaining that position.
The right hon. Member for East Ham made a characteristically excellent speech. I hope he is not on the Bill Committee, and I mean that as a compliment. However, he was wrong about the loss of influence, and my hon. Friend the Member for Chelmsford, who was in the European Parliament at the time, pointed out just how influential both Labour and Conservative British MEPs were in ensuring that we got a good piece of GDPR legislation.
I want to make it absolutely clear that our goal is an agreement that builds on the existing model of adequacy. We are seeking an arrangement at least as strong as adequacy—stronger, in fact. There was a bit of debate about whether how I put things in my opening speech implied that we were moving off adequacy. We are not. I say again that we are seeking an arrangement at least as strong as adequacy—stronger, in fact—as part of the negotiation.
On mail and direct marketing by post, I should like to correct the right hon. Gentleman slightly. Data controllers will need a legal basis for this under GDPR, but article 6 sets out a number of potential legal bases, not only consent. That does not change the reality on the ground from the current data protection arrangements. I hope that I have provided adequate reassurance.
The right hon. Gentleman and the hon. Member for Leeds North West (Alex Sobel) raised article 8, as did others. I am clear about the strength of the assurance that I have given and I hope that Opposition Members accept it. When private businesses consider their future arrangements, I hope that Members on both sides will make clear our determination to get a deal that is as good as adequacy, if not better. We want people to continue to do business and thrive here in the UK.
My hon. Friend the Member for Chelmsford, whom I have mentioned a couple of times, made a powerful and informed speech. Of course we think that the passenger data transfer is important; the referendum does not change how important it is. The EU already has third country arrangements in place with others, so we see no reason why the issue cannot be fixed. I am also sure that Chelmsford is a happy place to live; I wonder whether that is down to my hon. Friend or her ebullient predecessor.
I also agree with my hon. Friend that we must be vigilant and not gold-plate the Data Protection Bill through Information Commissioner’s Office guidance. No doubt we will discuss that during the passage of the Bill. I have regular conversations with the ICO about exactly that issue. We want guidance to come out early. In some cases, the ICO is having to wait for guidance from the Commission and that causes the delay—it is not the fault of the Information Commissioner. But we do want guidance to be in clear, simple language, not gold-plated, and to come out as early as is reasonably practicable. I thank the Information Commissioner and all her team for her excellent work.
This has been a very productive debate and I am grateful for the largely very well-informed and detailed discussion, all of which has been good natured. I look forward to continuing this over the months ahead. There is a shared mission in this House to have a high-quality data agreement with the European Union to make sure we have high-quality data protection and the free flow of data. I hope I have given assurances about the actions we are taking to deliver that and to support the digital economy, through Brexit and beyond.
Question put and agreed to.
Resolved,
That this House has considered Exiting the European Union and Data Protection.
Contains Parliamentary information licensed under the Open Parliament Licence v3.0.