Lord Stevenson: We can't let Ministers play fast and loose with UK data protection laws after Brexit
We must take precautions against allowing Ministers excessive powers to bring forward regulations without guaranteeing due and proper parliamentary scrutiny, says Lord Stevenson.
Although we are in the midst of a detailed scrutiny of the EU Withdrawal Bill, one of the first ‘Brexit Bills’ to reach the Lords was the Data Protection Bill. A ‘Lords starter’, this completed its stages at our end of Parliament earlier in the year and has recently had a Second Reading in the Commons.
It is a ‘Brexit Bill’ in two senses. First, by giving effect to the EU’s General Data Protection Regulation (GDPR), which will operate once we leave the EU. And second, by aspiring to ensure UK rules governing personal data satisfy the European Commission that our legislative framework offers a level of protection of fundamental rights and freedoms equivalent to those within the EU. The importance of getting such an‘adequacy agreement’ cannot be understated. A failure to do so would make it illegal to exchange personal data with the remaining member states.
As an EU regulation, the GDPR will – as of 25th May this year – be directly applicable in the UK without the need for an Act of Parliament. Confusingly, the Data Protection Bill does not reproduce the wording of the regulation – noting instead that this will need to be legislated for via the Withdrawal Bill. But as things stand, this would be done by delegated legislation.
It is also hard to see how business will be reassured by this state of affairs. Following Brexit, both the UK and the EU will have a shared interest in the continued flow of personal data in an increasingly digitised world. Indeed, 43% of EU tech companies are currently based in the UK and 75% of our data transfers with EU member states. Even if the Data Protection Bill successfully aligns UK law with the EU framework, it is no panacea for the future.
A major concern with the Withdrawal Bill relates to how Clause 7 effectively gives so called ‘Henry VIII’ powers to Ministers to make regulations to amend ‘retained EU Law’, albeit under certain restrictions. Given that the Data Protection Act will contain substantial amounts of retained EU Law, it must surely follow that the regime it establishes needs to be preserved and not left subject to vicarious amendment.
That is why we are looking to make changes to the Withdrawal Bill that strengthen the chances of a positive adequacy ruling by making it clear the Data Protection Act is only amendable via primary legislation.
One theme woven like a golden thread throughout the Lords debates on the earlier Bill was the importance of ensuring that the UK’s legal position on data protection was of such a high standard that it would stand up to post-Brexit assessment by the EU. That is why it makes sense to take precautions against allowing Ministers excessive powers to bring forward regulations without guaranteeing due and proper parliamentary scrutiny.
Lord Stevenson of Balmacara is a member of Labour’s frontbench team in the House of Lords.