European Affairs Committee
Corrected oral evidence: Data adequacy and its implications for UK-EU relations
Tuesday 7 May 2024
4 pm
Members present: Lord Stirrup (The Chair); Baroness Anelay of St Johns; Baroness Ashton of Upholland; Baroness Hayter of Kentish Town; Lord Jackson of Peterborough; Lord Jay of Ewelme; Baroness Lawlor; Baroness Ludford; Baroness Nicholson of Winterbourne.
Evidence Session No. 5
Heard in Public
Questions 50 - 61
Witnesses
I: Nicola Watkinson, Managing Director, International, TheCityUK; Ruth Boardman, Co-head, International Privacy and Data Protection Group, Bird & Bird; Neil Warwick, Policy Champion for International Affairs, Federation of Small Businesses (FSB).
Examination of witnesses
Nicola Watkinson, Ruth Boardman and Neil Warwick.
Q50 The Chair: Good afternoon, everybody. Welcome to this meeting of the House of Lords European Affairs Select Committee and the latest evidence session of our inquiry into data adequacy and its implications for UK-EU relations.
I am delighted to be able to welcome as our witnesses today Nicola Watkinson from TheCityUK, who is joining us online; Ruth Boardman, who is co-head of Bird & Bird’s international privacy and data protection group; and Neil Warwick, who is from the Federation of Small Businesses, where he is policy champion for international affairs. We are delighted to have you with us today for this evidence session, which will be focusing very much on data adequacy as it relates to business. We look forward to your insights on those particular issues.
This is a public session. It is being broadcast and the evidence will be published as part of our inquiry. After the session has concluded and once it has been drafted, we will send you a draft text of the evidence for any errors of recording. If there is anything that occurs to you afterwards that you wish you had said and you had not, or upon which you wish to expand, please do write to us with that afterwards. We will be very happy to take that.
The session will last for 60 minutes. We look forward to responses from all three of you but do not feel that you have to repeat what other people have already said. If you agree, your agreement will be quite sufficient. Could I just remind all members that, if they have any interests, they should declare them at the outset?
I will kick off proceedings with a general question about the impact that data protection has on businesses. How do you assess the adequacy of the existing arrangements underpinning data flows between the UK and the European Union? Where does it work well and where does it work not so well for business?
Nicola Watkinson: I am the managing director for international at TheCityUK. As many of you may know, TheCityUK is the industry-led body representing the UK financial and professional services industry.
Just to give you some context, our industry contributes about 12% of the UK’s total economic output and employs about 2.4 million people, with two-thirds of those jobs outside London. It is the UK’s largest net exporting industry. The total financial and related professional services trade surplus with the EU is around £29.7 billion per year. So this is an important topic for us.
Our members comprise a range of financial institutions, professional services providers and market infrastructure companies, such as stock exchanges, with operations in the UK. Many of these institutions are headquartered in the European Union, so it is very important for us to be able to talk to you today at the European Affairs Committee about the importance of UK-EU data adequacy.
The free flow of data with trust is crucial to the competitiveness of the UK-based financial and professional services industry. Financial services is one of the most digitalised, globalised and regulated sectors. In fact, 96% of the UK’s financial exports were delivered digitally, based on ONS data from 2023.
The European Commission’s decision in June 2021 to grant the UK data adequacy has allowed the continued safe and free flow of personal data across the channel and provided much-needed legal certainty for businesses. This decision was and remains hugely beneficial to EU-based firms in our industry as well as the UK-based ones that we represent. We all know that this adequacy decision lapses in 2025. This inquiry is therefore a good moment to reinforce the importance of continued data adequacy between the EU and the UK.
Our international regulatory strategy group, which is a joint venture between TheCityUK and the City of London Corporation, has submitted written evidence in response to this inquiry. Much of what I say today will be reflected in that submission and vice versa.
Our industry’s assessment is in line with that expressed by the majority of those who have already given evidence to the committee. We agree that the provisions of the UK’s Data Protection and Digital Information Bill, as amended, should not result in the loss of the UK’s data adequacy status with the EU. A disrupted or inadequacy scenario would clearly have considerable negative impact on the financial and professional services sector, whether based in the UK, in the EU, or, as is often the case among our members, in both. Our industry is resourceful, so operating without data adequacy would be possible, but this would carry both immediate and ongoing additional costs as well as legal uncertainty, which could have a chilling effect on investment in the UK.
Therefore, we recommend that the UK Government continue their active dialogue with EU counterparts to explain how the amendments to the DPDI Bill address the initial concerns raised and reassure them of the UK’s unwavering commitment to robust data protection standards. We will certainly continue to do the same with our industry counterparts and other relevant stakeholders in the EU, as this is really an important issue for us. Thank you.
Ruth Boardman: By way of background, I manage a team at Bird & Bird that advises both UK and non-UK companies on how to comply. I hope I can share some perspectives from the coalface, as it were.
You asked what works well with the current adequacy arrangement then where there are things that work less well. I will look at both of those. In terms of what works well, I absolutely agree with Nicola that the adequacy arrangement allows a low-friction mechanism for data to be transferred. A business in the EU that wants to work with a subsidiary in the UK, a service provider in the UK or a data centre in the UK can transfer personal data to it without having to jump through as many hoops as would otherwise be the case.
If the adequacy decision were not there, it would be slower and there would be more friction for EU businesses, which would make those organisations less attractive. It would also add to their costs because they would have to put arrangements in place to help their customers understand why they could still work with them. There would also be an indirect cost if you had that friction. Increasingly, organisations would question, even if they could work with you, whether they wanted to. There would be a longer-term issue. The adequacy decision works well because it allows that friction-free and easy sharing of personal data.
In terms of what works less well, I would call out two things. The first is data subject access requests. These are frequently used by employees who are disgruntled and have a grievance as a way of deliberately putting pressure on their employers. You might think, “Why is that? Surely individuals have good reasons for accessing data that is processed about them”. Although that is true, the difficulty is that, in order to work out what data to share, businesses often have to rifle through tens of thousands of emails to pick out the odd phrase here or there that is personal data. The cost of that can be enormous. It is often used deliberately to put pressure on an employer to settle, if there is some other dispute. That bit does not work well.
Some of the obligations are also quite bureaucratic, possibly disproportionately so compared to the risks involved. To give you an example to make that more meaningful, GDPR states that organisations have to have privacy notices explaining why and how they process personal data. That is really important but the level of detail that you need can be quite extensive. To give you an example, the Information Commissioner’s own privacy notice, which is written to comply with those requirements, runs to 93 pages online. That probably ceases to convey any useful information. Those are two examples of where the balance is perhaps not quite right.
The Chair: I realise I am asking you to speculate a bit here, but do you see any ways of addressing the two key problem areas you have identified that would still keep us within the bounds of acceptability on data protection?
Ruth Boardman: Absolutely. The subject access one is more difficult but, overall, there are certainly amendments that can be made that would reduce the burden on business without risking adequacy being lost. There are multiple countries with adequacy decisions that approach things in a slightly different way. That difference is possible.
The Chair: This question is for all three of our witnesses. Do you have discussions with businesses and companies on the other side of the divide, as it were, about these issues? Are you able to reach common positions on them? In other words, the kinds of friction that you are describing presumably occur in companies and businesses throughout the EU as well, do they not?
Ruth Boardman: For the examples I have given, yes. They are recurring problems. Subject access requests are probably more of a problem in the UK than anywhere else. It seems to be something that employees in the UK have latched on to earlier than employees elsewhere. To be clear, being able to access your data is important, but something about the balance there is not quite right.
Neil Warwick: I am probably going to give slightly different evidence to Ruth and Nicola. I come at this from three different perspectives. In my day job, I am a partner at Knights plc, which is the UK’s largest regional legal services business. We have offices in 23 towns across the UK. I specialise in EU and competition law, so I think I am here for the divergence side of things. As you kindly said, I am also a policy champion for FSB, looking at international regulation and, previously, Brexit. I am a member of the FSB because I also co-own a not-for-profit with one of my friends, a business called The Experience Bank, which places non-executive directors with pre-revenue SMEs. We have quite a lot of contact at the coalface, as Ruth said.
From an FSB perspective, we have 160,000 members and we represent a sector that covers 5.5 million businesses and sole traders. The problem that we have seen prior to exiting the EU and post EU is that a lot of our members just do not know what they do not know.
It came as a surprise, when Ruth and I were chatting earlier, to hear that SMEs tend to gold plate regulation. Regulation consistency comes out as the biggest problem they face. If they do not understand something and do not have access to legal advisers and accountants, they will try to tackle it themselves. That brings a high direct cost in comparison to their profitability and is a direct drain on their resources because SMEs tend to do it themselves.
From a GDPR perspective, it was a huge mountain to climb. Most seem to have got there, are compliant and get it. It is the third-highest area that they still complain about in terms of compliance. It was at 59% in the last survey that we did, falling in behind health and safety and employment as the two bigger challenges that they face.
I totally agree with Ruth. Any divergence can be solved at a macro level but some of our businesses—we were describing one earlier—export to Dubai, Australia, America and South America. They have to comply with GDPR, as the gold standard. Any form of divergence causes them a lot more of a headache because they do not have the resource to deal with it.
Q51 Baroness Nicholson of Winterbourne: I have a quick question for Mr Warwick and the Federation of Small Businesses. I have always admired the federation’s work. Some 94% of our businesses in the UK are small businesses. The points that you have been putting forward strike us all very hard, I am sure. How much do you find a similarity of point with small businesses in EU member states? Can you join together to strengthen your case at all?
Neil Warwick: Yes, we have. FSB has joined an organisation called SMEunited, which is a global umbrella organisation that covers similar trade bodies to us across the EU. We do see similar problems in other countries. Unfortunately, eight years on, the first piece of feedback we get when we deal with any of our colleagues in SMEunited is, “I can’t believe you’ve done this”. The second part is the same story that we heard during the transition period. About 25% of our members exported and, of that 25%, about 25% stopped. They just paused. Unfortunately, the statistics we have in our surveys do not indicate that they have started again. It is a similar picture with European companies.
Q52 Lord Jackson of Peterborough: I was intrigued by Ms Boardman’s comments on subject access requests. Can you remind us of the evidential rationale for them being in the original legislation? Why was that brought forward? Secondly, on this question, are you recommending substantial reform around subject access requests because they are so onerous?
Ruth Boardman: First of all, why do we have subject access? It has been a core principle. It is not specific to GDPR. We have had a right of access since well before GDPR. The directive included a right of access. If you look at the Council of Europe convention, there is a requirement to have rights of access there. There is a right of access going right back to the Data Protection Act 1988. It is not specific to GDPR. GDPR has increased the focus on it because the sanctions are bigger; it has also raised attention on data protection, which is probably a good thing. Individuals are therefore perhaps more likely to exercise their rights.
You asked what works well and what does not work well. That is the bit that I feel does not quite work, but not because it is found only in GDPR. Even if we did not have GDPR, there would be an issue with that. How it should be addressed is a really difficult one to solve. The consultation exercise that DSIT ran explored some of those difficulties. On the one hand, you have the costs that businesses incur. To give you an example, if you deal with an employee who has been at an organisation for a long time, the cost of reviewing all that can typically run from £10,000 to £70,000. It is a real cost. Equally, if you simply impose a cost limit, it incentivises organisations not to have good systems. There is a real challenge there.
Something might be done specifically with emails. It is the cost of reviewing emails that takes the time. You can pull information from a core HR system relatively easily. Because emails cover information about the business and other individuals, people need to review them. That takes a lot of time. The value that they provide compared to the cost is perhaps disproportionate.
Lord Jackson of Peterborough: Thank you. I will get in trouble with the chair if I do not ask my allocated question, so I will do so now. Hot off the press this morning is the fact that the EY attractiveness survey shows that the UK is second in EY’s annual ranking of European countries by their ability to attract foreign direct investment. We are the only country in the top three to see project numbers increase year on year. That is good news, but could we do better in terms of data adequacy? Mr Warwick, perhaps you could answer first. What changes would you like to see that could lessen the burden, particularly on small businesses, of the current regime?
Neil Warwick: The changes that are being proposed in the Bill are probably beneficial to smaller businesses, with the softening of some of the provisions. Broadly speaking, we are not here to say that we disagree with the Bill; we are just here to make the usual plea that you get from the FSB. If there are going to be changes, however minor, it is the flow of information to the smaller businesses that is always the sticking point. I tend to agree with Ruth that everything is solvable if we decide to depart slightly from the current regime.
Lord Jackson of Peterborough: Ms Watkinson, what are your views on how things could be better in terms of data adequacy for SMEs?
Nicola Watkinson: I would just agree with the voices of others. At the moment, we are quite happy with the way in which the Bill is configured and would be happy to take that forward. For us, the bigger question concerns what might happen if there were no longer adequacy because that would significantly disrupt the free flow of data with trust, add considerable compliance burdens and costs for business, and create a lot of legal uncertainty, which could potentially undermine consumer trust.
As we know, any changes bring about a need for further change and further adjustments. All those costs could have a negative impact on the competitiveness of the UK and, potentially, a bit of a chilling effect on the nice FDI numbers we have just seen come through from EY.
Lord Jackson of Peterborough: Can I just interrogate that answer a little? There is this concept that there is a balance between not doing things and doing the stuff that we have now on GDPR and data adequacy because you retain or gain the trust of businesses and other stakeholders. Has that ever been monetised? Do we have an estimate of how much that so-called trust amounts to as against the cost and efficacy of the GDPR policy? That is the crucial question for us on the committee, as we are balancing those two competing issues.
Nicola Watkinson: It is a great question. Gathering these really specific figures on the impact of having GDPR or the impact of the absence of data adequacy is challenging. Nevertheless, I could confidently say that we know there would be a range of additional resultant costs were we to lose data adequacy. Those might range from things like procedural fees to legal fees as a result of no adequacy agreement. There may also be some increased legal uncertainty, which would affect the perception of the UK as an investment destination and its attractiveness as an international financial centre.
Your question is a good one. It is quite hard to capture specific figures but business is telling us that, if we were to lose data adequacy, there would be significant costs associated with that in terms of having to negotiate new legal agreements and having to navigate through a whole range of new procedures. That may make them less attractive to do business with.
It is probably more on the negative than being able to quantify the benefit of it, but we know that GDPR is widely accepted globally. Most companies that have cross-border activities are working around a GDPR-compliant system. Being able to have a coherent regulatory framework that works for multiple markets makes life a lot easier in terms of not just cost but efficiency and safety. That leads into a whole range of other benefits that come through for the industry.
Q53 The Chair: Can I follow up on one point with Neil Warwick to make sure I have got this straight? The impression I got from your evidence—correct me if I am wrong—is that the greatest source of friction for SMEs with regard to data adequacy is understanding what they have to do rather than doing it. Is that true? If it is, it is really an internal UK problem rather than a wider cross-border one.
Neil Warwick: I would agree that it is an internal UK problem, in the sense that we tend to be one of the nations that is most compliant with regulation anyway.
Picking up your point in the previous question, we now have statistics—albeit slightly older ones—on the various cost implications and some anecdotal survey evidence about the benefits of GDPR from our members. I am happy to share this now or my colleagues can send it in in writing. We quantified the costs of no adequacy prior to the decision being made; the costs of bringing in the standard clauses; what that would mean to each business; and the impact on it. It did come out very clearly in one of our older surveys that SMEs favour GDPR, as we have all said, as the gold standard. Although they could not quantify it, they sense that it builds trust with their customers, which basically leads to a better sales pipeline.
The core thing for any SME is the regulatory burden, whether it be data, employment or some of the new legislation that is coming down the line. It is about asking, “How do we understand it? How can we possibly comply to the best possible standard that we have? How can we do that without losing out when we do our day job?”
Q54 Baroness Hayter of Kentish Town: I think I know the answer to this question from what a couple of you have said. Actually, I have two questions. From what you have said, it sounds to me that, if we asked European business about this, they would all say that they want the UK to retain its adequacy. Is that an easy answer? For the sake of the transcript, I ought to say that people are nodding, so the answer to that is yes.
Neil Warwick: Yes.
Baroness Hayter of Kentish Town: The second thing arises, in a sense, from what Ruth Boardman said earlier on. She mentioned consumers, clients or customers. I realise that cost is quite a big one because, if it is going to cost providers more money, it will be customers who pay. That apart, what would be the impact on the users of financial services or small business if there were no data adequacy? How would your consumers or customers feel? Would they have to do more in the production of information?
Neil Warwick: In a sense, that is pure guesswork because it would depend on what replaced adequacy. My gut instinct is probably not. The costs of compliance would flow through. You are entirely correct that the cost of goods or services could go up. In terms of compliance, I do not see that there would be much impact on individuals.
Ruth Boardman: I would agree. Primarily, it would be added burden for businesses both in the UK and the EU, especially those in the UK. In addition to cost in external advice, it is about the time that would be taken to meet the relevant requirements. It is harder to see an impact on consumers. I suppose there might be less choice.
Neil Warwick: Yes, I was going to say a lack of choice.
Q55 Baroness Ashton of Upholland: I have a quick follow-up on your 25% of the 25% issue. When I was the EU’s trade commissioner, we were very keen to encourage more small businesses to trade internationally and promote the importance of that. It was running at something like 8% overall, though that is me dredging my memory for the figure.
One of the things that is really important is the chilling effect that anything can have on what we are trying to promote. As a nation, we talk about this a lot. I am not quite sure where the action is, but we talk about wanting to see greater emphasis on entrepreneurial activity and on having businesses move from small business to medium-sized business in order to grow and get the benefits from international trade.
In the context of GDPR, I have a two-part question. First, can you tell us anything about where you feel that chilling effect is in the context of GDPR itself? In other words, are there things that make it less likely that businesses will move into or go back into trading across to Europe? Linked to that—you may not want to answer this now—you have talked about specific things that could change. As a committee, it is really interesting to get the practical things that we could do, which may or may not require legislation. What sorts of things could be added to the weight of evidence to persuade businesses and help them think about the advantages of being part of an international group of companies that trades across to the EU?
Neil Warwick: I should make it clear that the first point, the 25% of the 25%, does not have anything to do with GDPR—it is about the customs arrangements—but the divergence point is analogous. During the transition period, there were several delays to all of the different border control measures. There was relaxation and a sense that things kept getting moved down the road. There still is, to a certain extent. We have been promised the border target operating model but we still do not know what that means.
Initially, for a micro-business, if they do not understand what they are doing, they will pause and try to figure it out. Micro-businesses are then finding that they may have to pay additional taxes equivalent to the value of the goods. They are not going to trade on that basis. For carnet trading, when you are trying to send multiple goods, you have to fill in different parts of forms. That is another big objection.
Let us stop, pause and understand what is happening. The fact that we have not landed on what is happening with the trade barriers has meant that that pause has now become a cessation. The fear factor that the FSB is trying to highlight is that, if you take the certainty we have in GDPR, which has probably replaced some of the lost business from physical trade with platform trading, and inject another form of uncertainty, you may have the same effect.
Q56 Baroness Ludford: Can we look at the risk of losing adequacy and what concerns you might have about the DPDI Bill’s direction of travel? At the beginning, Nicola said that she did not think the Bill should lead to the loss of data adequacy. I wonder what either of you thought about that.
In that context, can I highlight one example? The European Parliament has expressed concern about the change in the definition of personal data so that pseudonymised data would not count as personal data. I am not an expert on the Bill. There seems to be some question about whether that is an accurate perception. I do remember, because I was an MEP at the time, a long debate about anonymised and pseudonymised data and the definition of personal data in GDPR. The European Parliament does not decide on data adequacy but it has the possibility to put pressure on the incoming commissioner after the European elections. Ruth, let me start with you. How high is the risk of a loss of adequacy?
Ruth Boardman: Taking those points in turn, a lot of the changes being proposed are the kinds of things that Neil has welcomed, such as reducing compliance burdens—especially for smaller businesses. As an example, at the moment, organisations must have a record of the processing that they carry out. That can be jolly useful but, equally, if the processing you carry out is low-risk, there is a cost to compiling that. The DPDI Bill alters the balance there slightly. To my mind, those kinds of changes are helpful. They are absolutely within the bounds of how different countries with adequacy decisions do things differently. Therefore, they will be helpful and should not pose a risk to adequacy.
If you look at the definition of personal data, personally, I do not think it poses a risk. I also did not find the change particularly helpful. There are some provisions in the Bill that take provisions that everyone knows and understands and rewrite them, perhaps for no benefit or for a limited benefit. Whenever you rewrite something that you know and understand, you risk introducing something that is less certain. Unless there is a real objective to doing it, it risks becoming counterproductive.
On the specific point about pseudonymous data, the Bill tries to make it clear that, if you share data with somebody else and it is not reasonably likely that the other party will be able to know who the individual is, you ought to be able to go ahead and share. You might still know but the recipient would not. As an example, that can be really important in medical research. The organisation that started out with the data will know who somebody is. If you mask the data carefully, somebody else may be able to use it for really important research with no chance of knowing who the individual is. At the moment, there is a lot of uncertainty as to where that boundary is, which then causes a reluctance to share data. The Bill tries to make that clearer. That is somewhat helpful and should not pose a risk to adequacy.
The other area that MEPs have flagged as posing a risk is the independence of the Information Commissioner. I know the Information Commissioner himself has said that he does not think that would really affect how his office operates but, in principle, perhaps with a different commissioner or a different commission, it might have an impact.
We should look at other regimes that have adequacy. I did a bit of research on this. I spoke to law firms that I work with in other countries that have adequacy. Certainly in Switzerland, Canada, the States and Israel, the reaction was, “No, our authority is firmly independent”. Apparently, Israel specifically discussed this when the EU was considering its own adequacy arrangement and decided to strengthen the independence of its authority.
Neil Warwick: If we talk about risk first, you have to measure likelihood and impact. If you looked at having a loss of adequacy overnight and not knowing what the system would be, that would have an awful impact on all three witnesses’ client bases today. At the minute, the likelihood of that seems low. As a lawyer, I do not like guessing, but it looks as though—Ruth will be able to keep me right since she is the expert on this—we are not diverging too much.
From being out in Brussels occasionally, our sense is that the EU is watching our body language. The “recognised legitimate interest” change from “legitimate interest”, coupled with the proposed fettering of some of the ICO’s independence, was one of the biggest worries. They looked at that from a human rights perspective as opposed to a data perspective. Some of the arrangements that we have with America are perfectly sensible and work, but moving towards some of the other bodies that the US is involved with is making the EU slightly nervous.
I am not going to tell a bunch of politicians how to read things but it is an election year in Europe as well. They have to be shown to be on top of things. My personal feeling is that, if things stay the way they are, we will retain adequacy and there will be some changes that will probably benefit our members. That is a good thing. We are really concerned about the whole cliff edge thing again. If it just dropped off, what would happen?
Baroness Ludford: “Do not take unnecessary risks” would be your message. Nicola, do you want to add anything?
Nicola Watkinson: The other speakers have covered a lot of the issues. From our industry perspective, the UK is one of only two full-service international financial centres in the world. It really relies on its ability to act as a global place where people can come and do business and have as much regulatory interoperability as possible.
Many of our companies, for example, have bases in Europe. We have a number of EU-headquartered companies here in the UK. Being able to preserve adequacy is absolutely important for the ease of doing business. We produced a report back in 2019 that looked at how data flows within the financial services industry. You might have a centre in somewhere like Poland doing KYC—know your customer—work. Data may move from one place to another in order for a particular function to be carried out because there are global centres of expertise. That data may then need to move back. The ability to have data adequacy is therefore really important for this industry in a way that is aligned with the most common standard, which is GDPR. For us, it is really important. The point about the cliff edge is very important, too. We would really like to see some certainty on this issue as soon as possible.
Perhaps one extra point is that the UK is perhaps the only place that has a sunset clause in its data adequacy arrangements with the EU, rather than a periodic review process. Again, something that we might be able to do as we move forward would be to look at this and see whether we might be able to provide long-term certainty in this area. If there were to be a loss of data adequacy, as the other speakers have said, we would need a really long lead time to try to adjust for this and to manage all the different new compliance and legal procedures that would need to be implemented.
Baroness Ludford: I know you expressed the view that you did not think the Bill would risk data adequacy. Is there a level of unnecessary risk being taken when you take things like the definition of personal data, the definition of legitimate interest for processing, which is another fraught subject, or the independence of the ICO? If you put that all together in, as Neil pointed out, an election year in Brussels, when there will be hearings for the commissioners in September, is that going to produce some unnecessary jitters in Brussels that could have been avoided?
Nicola Watkinson: In many cases, this is really about perception. The goal has to be to address any of those perception issues that may be arising in Brussels. We have seen that along the way in other areas as well. There is sometimes a bit of a movement that starts to challenge something, which may not be based purely on the evidence but does create a strong perception.
That is why we feel it is really important that we address those issues in Brussels in a really active communication campaign in order to reassure our colleagues in the EU that the UK remains committed to robust protection standards and will remain adequate in terms of its data provisions. It is not necessarily that we have increased the risk, but perhaps we have increased the perception that there may be a risk. It is going to be important to address those perceptions at a time when there is heightened sensitivity around an election period.
Baroness Ludford: We would not want a Schrems III concerning the UK.
Nicola Watkinson: Indeed.
Q57 Lord Jay of Ewelme: We have talked a lot about losing adequacy. It has rather given the impression that you either have or do not have adequacy. Is that really the case or is there a gradation of losing it? Could you lose part of your adequacy, lose it for certain sectors or lose it over time? Is it that we either have or do not have it, or is it more complicated than that?
Neil Warwick: It is more nuanced than that. At a very simple level, yes, you either have adequacy or you do not. If we were to lose adequacy, we could overcome a number of the problems by declaring that the EU GDPR system is adequate for data transfers into this country.
I cannot stress enough that it is about the uncertainty. Although we come at it from different angles, Ruth and I agree that this Bill is broadly okay. Baroness Ludford hit the nail on the head: it is the combination. We might not have an independent commissioner; we might have excessive national security provisions; and there may be different definitions that teeter towards it looking like it might not be adequate. Certainly, the changes that have been proposed bring it much closer to being just slightly different, which will get adequacy.
The changes fall into two camps: ones that we can live with and ones that seem plain strange. For the life of me, I do not understand why we have taken away the need to have a UK representative in this country for data transfers in. That directly harms a number of our members who are micro-businesses providing that service. It makes it easier for the EU and harder for us. Some of the things do not seem to have been thought through very well.
Lord Jay of Ewelme: Ruth Boardman, do you want to add anything to that? I am trying to get at this question of all or nothing.
Ruth Boardman: Adequacy is a bit like varieties of Heinz soup. There are definitely different flavours of adequacy. Let me give you some examples. If you look at the data bridge between the UK and the US, that covers organisations subject to Federal Trade Commission supervision, which means that there are organisations in the US that do not benefit from that scheme. If you are a not-for-profit, a government body, a communications company or a financial services organisation, you are not subject to FTC jurisdiction so the scheme does not cover you. If you look at Canada and Japan, there are also limits to the adequacy decisions there.
The direct answer to your question is that adequacy does not have to be all or nothing. However, an adequacy decision is linked to the law that you have and who that law applies to. If you look at the data bridge, the bridge only covers those organisations because that is the jurisdiction of the Federal Trade Commission. The points that are being raised in relation to the UK reform, such as the definition of personal data or the independence of the commissioner, are not sector-specific. They are fairly fundamental and all-encompassing. If there were a finding in relation to adequacy, it would be all or nothing for the UK.
Lord Jay of Ewelme: It would be all or nothing.
Ruth Boardman: To my mind, yes. If the EU thought it was more limited, it would be open to it to have a decision that was specific to certain sectors or, indeed, specific to certain supplemental protections.
Lord Jay of Ewelme: Thank you for that. Nicola Watkinson, do you want to comment on that point? What about the question of which sectors it might apply to?
Nicola Watkinson: I do not have anything further to add. It has been explained very well.
Lord Jay of Ewelme: There was a mention of Schrems. Baroness Ludford said that we do not want a Schrems III. What about Schrems II? What effect did that have on businesses here? Who wants to say something about that?
Neil Warwick: We looked into the research and could not find any impact that it had had on our members.
Lord Jay of Ewelme: Is that your view, too?
Ruth Boardman: No. We definitely had people toiling away and helping organisations when Schrems II happened and every organisation had to look again at how it transferred personal data. That meant two things. First, for transfers to the US, it meant putting new agreements in place. If you apply that to the UK, UK businesses that receive data from the EU would have to be working with their EU customers to say, “These are agreements you can use”, which would add friction.
In addition, everybody had to carry out transfer risk assessments or transfer impact assessments, which means doing an analysis of the law in the country to which you want to transfer data. This is analysis to the same level that the Commission—or, in the case of the UK, the Secretary of State—is supposed to carry out when it reaches an adequacy decision. It is a pretty burdensome and difficult analysis because it is comparative law.
In that situation, businesses in the UK would have to be helping their EU customers to understand the nature of UK law. It would not be just data protection law; it would be the powers that law enforcement authorities and our national security bodies have to access data. There would be an extensive exercise that had to be undertaken there. That was the kind of work that went on after Schrems II.
Lord Jay of Ewelme: Thank you, that is helpful.
Nicola Watkinson: What we learned from Schrems II was that, as described, there was a lot of analysis work that had to go on. It had to be undertaken by each individual business. That means there is room for different interpretations, which can create this legal uncertainty that we have talked about before. If you are relying on an individual assessment that has to be made about whether the UK company you are dealing with is compliant with data adequacy requirements, that is quite an arduous process and can be open to different levels of interpretation.
It not only raises the cost but increases the complexity and affects the ease of doing business. That is what we have learned and what we would like to avoid because, of course, businesses always have a choice of where to do business and who to trade with. If we make it too difficult, we may reduce the opportunities to UK businesses and the amount of investment that we are able to bring in from the EU.
Lord Jay of Ewelme: Thank you. Can I just take you back to something you said in your initial intervention? You talked about the chilling effect on investment of not getting adequacy. Were you talking about financial services investment or more generally? Do you all agree that not getting an adequacy ruling would have an impact on investment across all sectors or in some sectors? Is that just surmise? What is your view on that?
Nicola Watkinson: It definitely could have a chilling effect. When we look at international investors, we look at the criteria they use for assessing where they invest around the world. There is a whole range of factors that come into play in terms of the talent pool, the infrastructure, the size of the market and so on, but they also look at ease of doing business and the cost of regulatory compliance. That is where we think a chilling factor could come into play.
Certainly in our industry, the EU represents just under a quarter of all the foreign direct investment into our industry here in the UK. Back the other way, it is about the same. We would see that as a potential risk. I would not like to say whether it applies to other industries; I will leave other colleagues to talk about that. It is not definite but there is certainly a risk that it would dampen the attractiveness of the UK as an international financial centre.
Lord Jay of Ewelme: Ruth Boardman and Neil Warwick, do you have views on that? Neil, you go first, on SMEs.
Neil Warwick: The answer to this is similar to the answers we gave about Schrems II. It had an immediate impact on Nicola’s sector and it made Ruth very busy. As SMEs, we did not really notice it to start with other than in the news. The problem was fixed before we had to address it.
It feels to me like that is the way things tend to go. It is back to the cliff edge point again. If it were not addressed, it would be disastrous, but I do not think it would have an immediate impact on SME investment per se because, like a lot of things, it would probably go unnoticed for a while.
Ruth Boardman: I find it harder to comment on the impact on investment, but there would be a risk of an indirect impact over time on the willingness of organisations to trade with UK counterparts. You can do those transfer impact assessments and put clauses in place but I agree with Nicola that people can reach different conclusions. If you think the laws are not adequate and you do not think you can mitigate that, you are not supposed to transfer data to that country.
At the moment, when we work with clients in that space, every time they look at a new initiative or they want to onboard a new service provider, we have to look at where the data is being processed and check that assessment. If the data is being processed only in the EU or in a country that has an adequacy decision, everyone breathes a sigh of relief because you know it is going to be straightforward. When that is not the case, you know it is going to be more difficult. If you are a provider offering that service where you do not have that adequacy decision, the risk is that, over time, your customers will perceive you as a more difficult choice.
Q58 Lord Jackson of Peterborough: I declare at the outset that I was a special adviser in DExEU. Even when we were working towards a potential no deal, we still had lines of communication; we still had Article 50 working groups in the EU and regular dialogue. I am slightly concerned to hear that we are talking about mood music, body language, et cetera. Indeed, there is room for mistakes. Even the Information Commissioner alluded to the fact that the relevant committee in the EU Parliament had misconstrued the rights, responsibilities and obligations of the commissioner vis-à-vis the new legislation.
This is my question to you, as professionals. As we come up to the decision next year, are the governance structures adequate to avoid these mistakes and misunderstandings between the two sides? Are the formal structures enough to make sure that they know what we think and we know what they are thinking in order to have a seamless transfer and continuation of the agreement on data adequacy?
Ruth Boardman: In the course of reassessing adequacy, there will be extensive and detailed discussions. The short answer to your question is yes. The mechanisms will be in place. I cannot remember who made the point but somebody said that there will be a need to explain why. That is absolutely right. Legislation dealing with data protection is important because it is an important human right. It is a fundamental right from an EU perspective. Whenever you change that, you invite questions as to whether you are lowering standards. Therefore, it will be important to have a good narrative to explain how the important points are preserved while still securing benefits for business.
Neil Warwick: The communications between the UK and the EU are good. Business relations are good. Not everybody fully understands the routes of communication yet. That is just common sense. We had set structures for 40 years and now we are working together to find different ways to communicate and come to a concession.
It is right to say that some of the questions we get include, “Why does the UK want to do this?” It is impossible for a representative of a business organisation to second-guess the drafts that people are doing. Things could be better—any form of communication could be better—but I sense that there is a willingness to find compromise.
Nicola Watkinson: Since the Windsor Framework, we have seen a marked uptick in engagement and communication, which has been very welcome. Industry certainly talks a lot, as you would hope it would. We are now looking forward to seeing more of those government channels, as well as some of the committees and forums that have been created, becoming used more. On the whole, it is much better. We hope that the communication will continue to be productive and active. As we all know, consistent and active communication is the best way to address perception issues in any relationship.
Q59 Baroness Anelay of St Johns: We have heard some encouraging information from our three witnesses today about why the Bill should not be seen as something that could lead us to lose data adequacy. There has been a lot of reasonable explanation from the real world about tweaks to be made and diplomacy behind the scenes. I would like to go into that “what if” world a bit more, if I may. For SMEs, what if we do lose our data adequacy? Specifically, what support would SMEs need at that stage? I am reflecting back. I am sorry, Neil—I know you said that, as a lawyer, you do not like to guess—but what specific support would SMEs wish to have? Is that going to be different if they are medium, small or micro-businesses? Should that assistance come from the federation and professional groups, or is there a role for the Government in that?
Neil Warwick: There is always a role for the Government in that. If you look at every response the FSB has ever made and every survey we have done, we have made it clear that, the more information you can get out there quickly in a simplified manner, the better it is for businesses.
To your point, is it different for micro, small and medium-sized businesses? Yes. It is a resource thing. Quite often, micros are sole traders. They are the people about whom we probably worry most at the federation. The only resource that they tend to have is to add another hour on to the day. There are enough hours being added on to the day anyway.
In terms of not wanting to speculate—thank you—this is going to turn into a typical weaselly lawyer’s answer. It depends. If it were a cliff edge immediately and we put nothing in place, it would be pretty bad, but it would probably be worse for Nicola’s and Ruth’s clients. The big businesses, particularly financial institutions, would be hit immediately on day one. From an FSB perspective, we would like a transition period to try to help our members adjust and understand. I am speculating here but, if you are wanting a quick fix, getting an education piece out and getting the standard contractual clauses in place, as an Elastoplast fix for anybody doing trade with the EU, would probably be the way you would go if there were a cliff edge. I just hope that we would have a more balanced transition, to be honest.
The Chair: We have reached the end of our time but, with your forbearance, Baroness Nicholson, Baroness Hayter and Baroness Lawlor have a few quick questions to ask, if that is all right.
Q60 Baroness Nicholson of Winterbourne: I have a quick last question for Mr Warwick. It rolls back to my beginning one on whether you had difficulties in communicating with Brussels. In my experience in Brussels, we saw much too little of you in that sense; maybe we did not reach out to you in the way we could have done.
The big companies have enormous resources to do this, although there are not that many really big companies. You are 94% of all our businesses so you are the front-runner and the most important one. I wonder whether, irrespective of government, Parliament could do anything to help. For example, because we have left the EU, we have a cross-parliamentary committee between the EU in Brussels and here. Would you like to give us any thoughts on that, though not necessarily now? We parliamentarians are very energetic, and there might be ways in which we can help. Small to medium-sized businesses are the ones we know best from our constituencies, the ones we mind most about and the ones that tell us most. Most of us, in some way or another, are probably connected with small businesses in any case.
Neil Warwick: I would like to reflect on that, talk to colleagues and come back with a more reasoned and formal answer. Through our role in SMEunited, we have very strong connections with Brussels. That may have come as a surprise to the committee today, but it also typifies the world post leaving the EU. We all have strong connections but we are perhaps not telling each other what those strong connections are.
The Chair: It would be very helpful if you could come back after consulting with some thoughts on that.
Q61 Baroness Lawlor: I would like to pick up on something that Ruth Boardman mentioned when discussing pseudonymised data and how helpful it could be in medical research, for instance. In making that point, you also mentioned that there was a desire to recognise that different countries do things differently. You made some interesting comments about certain countries—as I recall, Switzerland and Israel were included—for whom it was quite important to be independent and to be able to do things differently.
My question is this. They were granted adequacy before GDPR; four countries had adequacy even before GDPR came into being. Is this recognition of difference something that will guide the EU, or is it something that will be driven by other countries that want to do things differently and maintain their independence in a legal sense?
Ruth Boardman: If you look at the countries that have adequacy decisions from the EU, there are some whose regimes are EU-inspired, if you like, either from GDPR or the directive. Those will tend to be closer to the EU approach. However, there are countries whose law does not start from that same set of building blocks and where there can be more variation. If you look at Canada or Japan, their law has not been taken from GDPR. You can get variations. If you look at personal data, for example, you get different boundaries to that in Japan than you would in the EU. It is not that adequacy has to be identical; that is why I said that a lot of the changes ought to be within that margin. The EU will take account of that.
Having said that, if we want to maintain our adequacy status, it is important to engage on the things that are really important and, potentially, to make changes or limit the changes that we want to make in order to ensure that those points that are really important are maintained.
Baroness Hayter of Kentish Town: Apologies to you, Chair; I am really sorry. I should have declared at the beginning, particularly because Nicola Watkinson is here from TheCityUK, that I am on the board of the ABI, which is obviously one of the main parts of the financial world.
The Chair: Thank you very much indeed to our three witnesses. A special thank you for extending the time slightly so that we could get a couple of extra questions in. In this inquiry, it is crucial that we get a decent perspective from companies and industry. You have certainly given us that today.
As I said at the outset, we will send you a draft transcript to check for errors of recording but, equally, we have already talked about some issues that you are going to come back to us on. If there is anything else on which you would like to expand or which you would like to include that we do not already have, please do so in writing. Meanwhile, we are enormously grateful to you for your very helpful evidence. With that, I bring this formal session to an end.