International Trade Committee
Oral evidence: Digital trade and data, HC 1096
Wednesday 21 April 2021
Ordered by the House of Commons to be published on 21 April 2021.
Members present: Angus Brendan MacNeil (Chair); Mark Garnier; Paul Girvan; Sir Mark Hendrick; Anthony Mangnall; Mark Menzies; Taiwo Owatemi; Lloyd Russell-Moyle; Martin Vickers; Mick Whitley; Craig Williams.
Questions 110 - 143
I: Rt Hon Greg Hands MP, Minister of State for Trade Policy, Department for International Trade; Rt Hon John Whittingdale OBE MP, Minister of State for Media and Data, Department for Digital, Culture, Media, and Sport; Graham Floater, Director of Trade Policy, Department for International Trade; and Nick Russell, Deputy Director of the Digital Trade Team, Department for Digital, Culture, Media and Sport.
Witnesses: Greg Hands, Mr John Whittingdale, Graham Floater, and Nick Russell.
Q110 Chair: Welcome to this afternoon’s International Trade Committee meeting—our session nearest St George’s Day, one of the highlights of the year. This is the final session on digital trade and data and we are very privileged today to have four witnesses, including two from Government: the right hon. Greg Hands MP and the right hon. John Whittingdale OBE MP. We also have Graham Floater, the director of policy at the DIT, and Nick Russell from DCMS as well. Gentlemen, I will allow you to introduce yourselves briefly before we get going.
Greg Hands: Thank you for the invitation to appear today. International digital trade is now a key driver of productivity and business growth across the UK. Digital trade allows British businesses to reach a wider consumer base, trade more efficiently and cost-effectively and to connect and grow their workforce across different regions of the world.
Outside the EU we now have the freedom to work with partners to shape rules that keep pace with the increasing importance of digital trade and data in the global economy. We also have the flexibility to focus more on what really matters to Britain, such as helping to support our world-leading services sector. Our vision is for the UK to be a global leader in digital trade with a network of international agreements that drive productivity, jobs and growth across the UK.
Our strength in the digital sector is reflected in how we trade. In 2019 the UK’s remotely delivered trade with the world was worth £326 billion, a quarter of our total trade in that year. In the same year the UK ranked third in the world for tech investment, after the United States and China. The fact that we connect digitally alongside more traditional methods also makes the supply of services more resilient to disruption. During the Covid-19 pandemic, digital trade has been at the heart of how many of us have accessed services, kept in touch with loved ones or kept ourselves supplied.
There are, however, still significant barriers in the world to digital trade. While some countries embrace the opportunities that digital trade provides, others are more protectionist. Digital trade is therefore a key priority for our free trade agreements, where we are working with our bilateral partners to achieve ambitious provisions that support British businesses and help them trade. Digital trade is also an important area for the creation of new rules at the WTO, where the UK is actively participating in the plurilateral e-commerce Joint Statement Initiative, aiming to set new global rules on digital trade and reduce barriers for business.
Chair: Sorry, Mr Hands, if I can just—
Greg Hands: Do you want me to end there? I was halfway.
Chair: Yes, I want to end there. We just have an hour. It was a lovely inch that became a mile there, but we heard it and we will explore those interesting points further. Mr Whittingdale.
Mr John Whittingdale: Thank you very much for your invitation to appear this afternoon. I am the Minister for Media and Data in DCMS. DCMS is at the forefront of our ambition to establish the UK as one of the leading digital technology nations of the world. We have seen, particularly in the course of the last year, how important it is that we exploit all the opportunities from digital technology. It is hard to imagine how we would have got through the last year without the use of digital technology.
We have already seen that digital technology and tech business generally is booming in the UK. According to the most recent survey, a new tech business is being launched every half hour in the UK last year. We have recently published our National Data Strategy, which sets out how we intend to use data in order to boost technology and growth and innovation.
One of the key parts of that is through international data exchange and forging new relationships with our partners, so we are very proud that the trade agreements that have already been put in place contain provisions for boosting digital exchange. That is something that we are seeking to achieve with a wide range of countries across the world. The UK now has an opportunity to become a leader in establishing global standards and facilitating data exchange and digital technology around the world.
Chair: Thank you very much. Briefly, Graham Floater and Nick Russell, just introduce yourselves on your own terms.
Graham Floater: Thank you very much indeed. I am Graham Floater. I am the director for trade policy at the Department for International Trade. As part of that role I cover digital trade and services.
Nick Russell: I am the deputy director for digital trade in DCMS, looking after our digital trade interests.
Q111 Chair: Thank you. Before we get going, UK Music has approached me as Chair of the Committee with a couple of questions around this area. I am not sure which Minister would be best to respond—probably Mr Whittingdale. I can say there has been no offer of any recording contract for me to ask this question, unbelievably, or any other bungs whatsoever. What steps are the Government taking to ensure that the European Commission delivers on its draft positive data adequacy decision?
Mr John Whittingdale: We are already well along the road to establishing an adequacy agreement. As you probably know, the Commission conducted an assessment of the UK’s data protection laws, which concluded that the UK did have adequacy, which is not something that we should be surprised at, since our data protection laws are based upon EU law. The GDPR is an EU creation and, therefore, our current data protection regime is very much one created in Europe.
Having established the Commission’s recommendation for adequacy, it then has some further stages to go. We have just received the report of the European Data Protection Board, which has essentially concurred with the Commission’s assessment. It now has to go before the particular Committee of the Council of Ministers.
We had hoped that we would get adequacy in place before the end of the transition period at the end of last year. Unfortunately, because of its linkage to wider negotiation, that did not prove possible, so we put in place a temporary arrangement, the bridge, which allows data to flow in both directions freely until the adequacy assessment is completed. The bridge expires at the end of June this year, but we are very confident we will get adequacy before that time.
Q112 Chair: UK Music is also asking what consideration you have given to maintain that positive decision. Presumably that is after June, but you say you are confident about that continuing.
Mr John Whittingdale: Yes, we see no reason why we should not be granted adequacy within the timescale. So far we are making good progress, and we do not have any reason to have concerns that we are not going to achieve that. Following that, we now have independent control over our own data laws and we are looking at reforms that we can make, but we are absolutely determined to maintain a very high level of data protection standards. It is the case that, in order to have adequacy, you do not need to adopt every dot and comma of the GDPR. As long as we maintain high standards, there is no reason why we should not continue to have adequacy.
Q113 Chair: Have the Europeans said that?
Mr John Whittingdale: Yes, that has always been clear. We will carry out our own assessments. We unilaterally said that we recognise the EU as being data adequate with their own data protection regime. We will review that sometime and they will undoubtedly wish to monitor ours but, as I say, we are not going to do anything that reduces the level of data protection that people are entitled to expect.
Q114 Chair: Excellent, thank you very much. If you hear me singing backing vocals for anybody, you know that something improper has happened.
Moving on to the main meat of this afternoon, Minister Hands, the UK Trade Policy Observatory has described the UK-Japan agreement as clearly showing “the UK’s emerging departure from the EU’s approach to digital governance.” How would you respond to that observation?
Greg Hands: Thank you, Chairman. We are delighted with the UK-Japan deal, let me start off by saying. As you know, it goes further than the EU-Japan deal in certain key areas, one of which—
Q115 Chair: Is it going further or is it a departure?
Greg Hands: It does go further. Things like removing unnecessary rules around data localisation are a massive assistance for a lot of digitally enhanced business, particularly fintech, to be able to operate across borders. In terms of where the agreement is on data protection, there are very strong provisions in CEPA on data protection, and nothing in those provisions undermines or alters the UK’s Data Protection Act of 2018. Privacy is ensured by that Act and that is not threatened by CEPA or indeed any other FTA.
If I might draw reference to one of the other bodies that gave evidence to this inquiry, in written evidence to you, the ICO confirmed no interference of CEPA with the UK data protection regime. In its evidence to you, it does not see significant risk to UK data transferred to Japan arising from the CEPA. Therefore, I see this as a fantastic opportunity for UK businesses looking to set up operations in Japan, while equally protecting our very strong and robust data protection regime here in the UK.
Q116 Anthony Mangnall: I will be very brief because I know we are short on time on this. Minister Hands, thank you for being with us. I am interested in exploring whether or not the Government have a digital trade strategy and whether or not they are going to publish one.
Greg Hands: I would say that we have five pillars for our digital trade strategy. One is to open digital markets, securing access so that businesses can invest and operate across borders—the sort of thing that I talked about earlier with the UK-Japan deal. Secondly, on data flows, we have an open flow of trusted data. That is the way that we describe that. We have a robust data protection regime in place but, equally, we allow the flow of trusted data because we think that will facilitate cross-border commerce and cross-border operation.
Thirdly, on consumer and business safeguards: high-quality rules for online consumer protection and making sure that they are effective and balanced. Fourthly, on digital trading systems: promote things to be done digitally by default, things like customs and border process, so digitally enabled borders. Fifthly, in terms of international co-operation and governance, working at bodies like the World Trade Organisation to make sure that digital trade is moved forward.
That is one of the reasons why we are very heavily involved in a plurilateral JSI proposal at the World Trade Organisation to help facilitate worldwide e-commerce and digital flow. I was about to say “in short”. I guess that was not in short, but those are the five pillars of our strategy going forward.
Q117 Anthony Mangnall: With the greatest respect, that sounds much more like trading objectives rather than a strategy. Is the Government going to produce a strategy document around digital trade itself specifically on this, not least because we are looking at a new arrangement with CPTPP and of course what came out of CEPA? I am interested in whether or not there is going to be a specific strategy document coming out from the Government.
Greg Hands: I am not aware of a specific strategy document but what we are clear on is what our pillars are, our objectives, and we are also clear on our means. The means are three things: free trade agreements, like the one we did with Japan; digital economy agreements, like the one we are seeking to negotiate with Singapore; and thirdly, through the World Trade Organisation, particularly things like the joint initiative on e-commerce—and fourthly, I should add, through the G7 trade track. Those are our means of how we go forward on making sure that our digital trade policy takes effect as far as we can in all our global doings.
Q118 Anthony Mangnall: In reviewing where we are on free trade agreements that we have come to at the moment, what is the assessment of our success or our progress on the free trade agreements, including data protection, consumer protection, regulation of source code and algorithms? How does the Government think we are doing on this?
Greg Hands: In terms of the UK-Japan deal, it is a little bit early to tell on that. As you know, Mr Mangnall, we do publish a scoping assessment and impact assessment of coming deals, so it would be illogical for us not to look at and review the deals that we have already done. That will be an important part of the work of the Department going forward, but it would be a little bit early to do one on the Japan deal at this stage.
Q119 Anthony Mangnall: If I may, I will jump to question 11, because it relates to this specifically. This is probably one for Minister Whittingdale. We have just heard about the fact that there is a good arrangement under CEPA. Do you think there is any danger of creating a two-tiered system in our ambitions to join CPTPP, as well as what we are trying to have with the EU in terms of data adequacy?
Mr John Whittingdale: You need to distinguish between adequacy agreements and free trade agreements. We have an existing trade agreement and an adequacy agreement with the EU. Both of those contain provisions to facilitate data transfer. Certainly, we would seek to achieve adequacy agreements with a number of other countries.
We have inherited the Japan-EU data adequacy agreement and so we have an adequacy arrangement with Japan. We have also now managed to achieve a trade agreement with Japan that does have digital provisions going beyond that which the EU had. We will be looking to reach adequacy agreements with a number of other countries. They will not necessarily be at the same time or exactly the same countries as we are looking to achieve trade agreements with, but in large part those two agreements are complementary to each other.
Q120 Anthony Mangnall: Japan is a good example here because it has the adequacy decision with the EU but it has a two-tier data system itself. Do you think the UK might move in that direction? Do you think it might mimic what Japan has at the moment?
Mr John Whittingdale: We have made clear that we do not intend to diminish our standards of data protection in a way that could threaten EU adequacy. We are committed to maintaining data protection. Every country has different arrangements as to how they look after data in their own country. Therefore, our assessment in order to reach an adequacy agreement with them is to satisfy ourselves that data is properly protected. How each country goes about that is a matter for them, but we need to make sure that, if we reach an adequacy agreement, we are satisfied that their own laws will protect any data that is transferred from the UK to that country.
Q121 Martin Vickers: My question is for Minister Whittingdale. There are two main approaches to data protection. There is the one taken by the EU, which of course we adopted, but they treat data protection violations as rights violations, whereas the US treats such violations as private law matters. Does the Government intend to stick with the general approach of the EU, or is it reconsidering?
Mr John Whittingdale: What we are intending to stick with is a high standard of data protection, which is what is achieved under the existing regime. As I say, we will look at that. We are consulting at the moment as to what reforms we might make to our own data protection laws, particularly to try to reduce the burdens on small businesses and to facilitate data exchange. That is part of a consultation that we launched in the National Data Strategy, and we will be publishing the consultation response very soon.
I do not think we regard data protection as a fundamental right on its own. We see it as delivering wider rights—privacy of a citizen. To that extent, we do not take entirely the same view of data protection as the EU, but we are committed to maintaining a high quality and high standard of data protection.
Q122 Martin Vickers: Would it be fair to say that, generally speaking, we favour the EU approach over the US?
Mr John Whittingdale: We see an opportunity to demonstrate that it is possible to have high standards of data protection and to facilitate data exchange. To some extent, now that the UK has the ability to set its own laws, we are in a very strong position to promote digital technology and data transfer and we are going to use that through our influence in places like the WTO. We have made it one of the main themes of our G7 presidency.
It is not a question of choosing between the two. The UK is now in a very strong position to take a lead internationally in this way. The fact that we have already managed to achieve a ground-breaking agreement with Japan is a demonstration of that.
Q123 Mark Menzies: Minister Hands, the UK-Japan agreement allows for limits to the free flow of data where such limits are necessary to achieve policy objectives.
Greg Hands: Sorry, Mark, I cannot hear you. Maybe it is just me.
Chair: Maybe move the microphone closer to your mouth, if possible.
Mark Menzies: I might even put it in my mouth if it needs to be. Is that better, Greg?
Greg Hands: That is better.
Mark Menzies: I will start again. The UK-Japan agreement allows for limits to the free flow of data where such limits are necessary to achieve policy objectives. Professor David Collins has suggested that this exception may not be sufficiently broad to allow the UK to maintain its current data privacy regime. What is your response?
Greg Hands: I have not seen that specific bit of evidence. I might bring in Graham Floater from my Department in case he has seen that specific bit of evidence.
It is strongly our view that the CEPA does not have an impact on our domestic data protection regime. It does not create a legal basis for the transfer of UK citizens’ data to Japan or stipulate the conditions for any onward transfer of UK citizens’ data from Japan to other jurisdictions. We think our data protection regime domestically is extremely robust.
Graham, have you seen that specific evidence? Do you want to add something to what I had to say?
Graham Floater: We have discussed this with the ICO and we have taken legal advice. That has all told us that this has no impact on the UK’s Data Protection Act or the way in which that operates. To confirm what the Minister said, the CEPA does not in any way impact on the legal vehicle of the Data Protection Act, which is the mechanism through which data of UK citizens is protected not only in the UK but also as it leaves the UK as well. We see no evidence for that, and the ICO has confirmed that.
Greg Hands: I might just add that that ICO evidence, as I mentioned earlier, is part of the written evidence that it sent you. That is freely available for members of the Committee.
Mark Menzies: That is great. Thank you.
Chair: We might pick up on that point a little later, but first I would like to go to Mr Whitley.
Q124 Mick Whitley: My first question is for Minister Hands. The data protection provision in the UK-Japan agreement lists “the enforcement of voluntary undertakings” as an acceptable protection measure. What was the intention behind including this?
Greg Hands: Thank you, Mr Whitley. I know that the inquiry has focused on the voluntary undertakings in the footnote, and I have gone out and investigated this. The footnote lists the three ways in which a party can comply with the obligation to adopt or maintain a legal framework. This is typical and, by the way, it is repeated in CPTPP, broadly, that all parties to CPTPP—which we may be coming on to—must have a strong data protection regime in place.
The footnote lists three ways. First is the comprehensive privacy of personal information and personal data protection laws, which clearly we do. Secondly, sector-specific laws concerning privacy, or thirdly, laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy. This is obviously the third part of this footnote.
This does not imply that these provisions mean that UK personal data can be transferred to a country that relies on self-regulation as its only means of data protection, which I think is what some commentators have drawn out, or attempted to assert, as a result of that footnote. That is simply not correct.
There are three things I would say. First, the CEPA data protection provisions are a way of promoting data protection laws internationally, to say, “The counterparty to this agreement must have good data protection laws domestically.” Obviously with Japan we know that but, with CPTPP, that is an important thing to assert. It is not obvious that all 11 members of CPTPP would necessarily have strong domestic data protection laws, so that is a very helpful thing for UK trade going forward.
Secondly, they do not provide the legal basis for the transfer of personal data from the UK. That is all provided for by our domestic legislation, which is not affected by the FTAs.
Thirdly, going back to Mr Whittingdale’s evidence about the importance of equivalence and adequacy, they do not recognise other countries’ data protection regimes as equivalent to our own. It just asserts that, according to the agreement, they must have a strong and robust system of domestic data protection. In short, some of the attention that has been drawn to that footnote is misplaced.
Q125 Mick Whitley: Thank you. Minister Whittingdale, does the Government consider that the enforcement of voluntary undertakings is an appropriate and sufficient measure to protect UK citizens’ data?
Mr John Whittingdale: As I said earlier, particularly in terms of CEPA, the protection of UK citizens’ data is achieved through the adequacy agreement. We are very clear that, if UK citizens’ data is going to be transferred to another jurisdiction, there have to be appropriate safeguards. The best way we can do that is through an adequacy agreement, where we have carried out an assessment and we have satisfied ourselves that the rules in that particular country provide the level of protection that we expect.
However, there are other ways in which we can safeguard data—even if an adequacy agreement has not been reached—through what they call alternative transfer mechanisms. That is essentially where you put conditions attached to the transfer of data to ensure that it is properly protected in the jurisdiction to which it is going. In terms of data protection, it is the adequacy agreement that is the recognition that UK citizens’ data will be properly protected if it is transferred to that alternative jurisdiction.
Q126 Lloyd Russell-Moyle: Why was it felt that it was needed to put in the words on a voluntary undertaking when those deviate from other agreements that the EU has with Japan? What was the intention behind including that and needing a separate set of wording on that?
Greg Hands: I am not sure I have anything to add to what I thought was a comprehensive explanation earlier but I might ask Graham Floater if he wants to add anything.
I think the voluntary undertaking has attracted some attention, as often trade agreements do. Most trade agreements are 700 or 800 or more pages. Inevitably there is something in there that attracts attention, but I think this one has been significantly misinterpreted. Graham, do you have anything to add to the answer I gave earlier on the voluntary undertaking?
Q127 Lloyd Russell-Moyle: I will go to Graham in a second. The difference is that international agreements are thick and most of them are based on pre-existing law that is tried and tested. Our pre-existing arrangement with Japan was the EU-Japan arrangement. When things deviate from that or are slightly different, everyone pores over those differences to understand why there was a difference, because those differences will be tried out differently in courts. That is why I am trying to explore why there was a slightly different approach taken in that from the existing arrangement.
Graham Floater: It is a very good question. The first thing to say is to reiterate that the legal vehicle that counts here is UK domestic legislation. Nothing in the CEPA affects that. That is the first thing to say. The second is that, as the Minister said, these additional provisions actually go further. They go further than the domestic legislation that protects citizens’ data in the UK and flowing out of the UK by saying that we want to go further and establish that in the regime of our trading partner, they will have legislation in place that ensures that there is a strong domestic legislative framework in their own country.
The voluntary undertakings are simply part of a number of different ways in which that country can meet that provision, but it is additional to the protections that already exist for UK citizens. In a way, the voluntary undertakings are there in order to go further and to cover a wider range of eventualities within the domestic regime of that country, but it has no impact on the protection of UK citizens’ data, which, as I say, comes under the Data Protection Act.
Q128 Lloyd Russell-Moyle: Are you saying that the European agreement is weak on data and we needed to add in extra clauses to strengthen it? When you add in a new clause you have to do an analysis of why you need to add that, and what is the risk of carrying over what you already had, to justify a new set of wording. I understand your theoretical justification but are you saying that the EU rules were too weak and we had to enhance them?
Graham Floater: I would not say that the EU rules were too weak. The fact is that in their FTAs with other countries traditionally they do not have the data provisions that we have set out here, so it is fair to say that these provisions that we are putting in place are stronger.
Q129 Lloyd Russell-Moyle: Thank you. I appreciate that. Mr Hands, you touched on this earlier. You are saying that UK data is protected by UK law so it cannot be transferred further on. In terms of enforcement, what protections do we have if a company does pass them on and it is based in Japan? I can understand if a company is based and regulated in Britain and then passes that data on to Japan, you could tackle that company. If a company is based in Japan, what protections are there to stop that company passing that British data on, in terms of enforcement?
Greg Hands: That is slightly outside of my area of expertise, so I might have to bring in Mr Floater or Minister Whittingdale. I would imagine in that case that that is an offence caused under the UK Data Protection Act and potentially an offence caused under Japanese law as well. I am going to defer to Graham or John, who know more about the domestic UK situation.
Mr John Whittingdale: I would only add that our assessment of the Japanese data protection laws is that they offer adequate protection, hence we have the adequacy agreement. That would mean that, in the circumstance that you have described, that would be a breach of Japanese data protection laws and would be a matter for the Japanese data protection authorities to enforce the rules there. We have reached an adequacy agreement because we are satisfied that Japanese law protects UK citizens’ data that is transferred to a company in Japan.
Q130 Lloyd Russell-Moyle: I do not quite understand how that works. I understand if there is a dual company that is registered in Britain and Japan it can freely flow data between the two and, therefore, it is subject to British law and the GDPR. But Japan has signed a free-flow data agreement with the US and with Britain. If it is a Japanese company, they will be complying with Japanese law to pass that data on to the United States but they would not be in compliance with British law in that case.
If it is British people’s data, because the company is operating as business to consumer—Japan direct into the consumer market in Britain, which is allowed under this agreement—what protections do we have in terms of remedy? There is always leakage of data, and the key is to contain and then remedy. What remedy methods are there if it is a Japanese company that is complying with Japanese law and passing that data on to America?
Mr John Whittingdale: The data from the UK would be still subject to the protections that exist in UK law. It would be for the Japanese, as part of the agreement, that they have to recognise that and offer that protection.
Lloyd Russell-Moyle: So there is a requirement for Japanese authorities to enforce British GDPR if it is British data.
Mr John Whittingdale: Let me see if Nick Russell can add any more detail to this, because he is in charge of our international data exchange and may have more knowledge of exactly how enforcement would work.
Lloyd Russell-Moyle: I am not trying to catch you out; I am just genuinely interested about how it will work.
Mr John Whittingdale: It is a perfectly legitimate question and I want you to get a properly detailed answer, hence I am going to ask Nick if he can add to that.
Nick Russell: I will try to add something to it. I do not look after the transfer regime mechanism from DCMS, so I do not want to go into too much of the specifics in case I go off track.
What is important to say here is that, if Japan has free trade agreements with the US or the UK or any other country, they do not override the commitments in the adequacy agreement that will be made between the UK and Japan. It would not be acting under Japanese law to then go on and transfer that data onwards without adequate safeguards. The safeguards are baked into the adequacy agreement, which is able to be taken on, using the exceptions, in the free trade agreements that the UK and Japan have signed that allow such transfer mechanisms to be put into place.
When we are looking at this from a strictly trade perspective, it is important to look at the two separate tracks that exist here. Yes, there is a track that deals with adequacy and personal data transfers, but that is quite different from the track that we are talking about in terms of the impact that CEPA or other free trade agreements that Japan might have.
Q131 Lloyd Russell-Moyle: I understand what you have said. I am not quite sure I understand how that practically relates to this scenario of a Japanese business to consumer who gets British data and how, if it is leaked deliberately or by mistake, enforcement happens. In the adequacy agreement, is it a requirement that the Japanese authorities take enforcement measures to continue that adequacy?
Mr John Whittingdale: We have accepted and transferred an EU existing adequacy agreement with Japan on the basis that we are satisfied that the Japanese data protection regime is sufficiently robust to offer the protections that we expect. Therefore, if data is either leaked or lost in the way you have described, that is a breach of the data protection laws in Japan and we would expect action to be taken on that basis.
Q132 Lloyd Russell-Moyle: Yes, but the issue is that it might not be a breach in Japanese law if it was passing over to an American firm but it would be a breach in British law if it was passed over to an American firm. What I am trying to work out is whether there is an undertaking that the Japanese would enforce that, because the data would have originated from Britain and they say, “We understand that we are going to enforce some of the British rules here for those parcels of data.” It might well be something that we can come back to in correspondence.
Mr John Whittingdale: I am happy to get you details. As I said earlier, it is the Japanese regime that we have assessed—or the EU assessed—and decided offered a sufficient level of protection. Therefore, your theoretical scenario in which data passes from Japan to a third country in a way that is against the data protection offered by the UK but not against the data protection offered in Japan—it is quite difficult to see how that can come about. We believe that the Japanese regime offers as high a level of data protection as we have in the UK, which is the basis on which the adequacy agreement was achieved.
Lloyd Russell-Moyle: There is a slight difference between adequacy and equivalence but I take your point. It would be good if we could have some correspondence in writing about how that enforcement in Japan works, but I appreciate your response to that.
Mr John Whittingdale: I am very happy to supply you with some further detail on that and we will do so.
Chair: Having made these assessments that the Ministers have referred to, are the UK Government now guaranteeing that there will be no onward transfer to third countries of any data that has been shared between the UK and Japan? That is the nub of what we are looking for, and hopefully in correspondence we will see that. Ministers understand what we are pushing here to understand. If data is being moved to Japan, how secure is that data after it arrives in Japan? It is all right to talk about the movement and during this and during that, but once it is handed over—these are the answers we are looking for.
Q133 Martin Vickers: Minister Hands, Which? magazine have described the consumer protection provisions in the UK-Japanese agreement as a “positive first step”. Would you agree with them that there are further provisions that need detailing in future agreements?
Greg Hands: I read the Which? report on digital trade. In fact, I have it just here. It was an interesting report. I did not agree with all of their findings. We take consumer protection extremely seriously as a Government overall. That includes in our trade agreements. We are open to having specific consumer protection chapters in trade agreements. I do not agree with Which? on CEPA. There are a lot of good things in their report in terms of things like consumer e-signatures, banning customs duties from digital trade, making sure we can regulate on online harms—all of those aspects of their report I would agree with.
I do not agree with their assessment of CEPA—the UK-Japan deal—that it sets a worrying precedent for consumer interests, for many of the reasons we have just been discussing. There is a bit of a misunderstanding in relation to the impact of a free trade agreement on our domestic data protection regime. I am always happy to engage with Which?. I know them quite well. They sit on one of our trade advisory groups and I am happy to engage with them further on this. Overall, I would say that their report was helpful in many ways.
Q134 Martin Vickers: You do not see the existing provisions or further additional provisions as proving a particular hurdle to future FTAs, particularly, for example, with the US?
Greg Hands: Every negotiation is separate, but we do not think that data protection provides a hurdle for doing a free trade agreement with the United States. Clearly, that is a negotiation that is ongoing at the moment, but we do not see that data protection presents some kind of previously unknown obstacle for doing a free trade agreement with the United States. The important thing is that free trade agreements do not impinge in that way on our domestic data protection legislation, which remains extremely strong with the 2018 Act.
Q135 Mick Whitley: Minister Hands, the US negotiating objectives for an FTA with the UK include limiting platforms’ intermediary liability for non-intellectual property infringements. How does this align with the UK Government’s approach to online harms?
Greg Hands: I have been asked this question in the Commons by the Member for Folkestone and Hythe. To the best of my knowledge, the US has not asked for this provision in our free trade agreement negotiation and it is not something that we would agree with. It is there within the US MCA—the US-Mexico-Canada agreement—but it is not something that the United Kingdom would agree to.
Mr John Whittingdale: Can I add a word to that? As far as we are concerned, as the Department responsible for the online harms legislation, it is an absolute priority and we would not accept anything that weakens our ability to put in place a very strong protection regime. It is quite interesting that more and more countries are coming to recognise the need to take measures of a similar kind to this. You will find quite an active debate going on in the US now as well. Obviously it is matter for them how they treat their platform liability but, as my colleague Greg Hands has just said, it is not something that has been raised to date. It may well be that the position of America is shifting somewhat, so we are monitoring that with some interest.
Q136 Paul Girvan: Minister Whittingdale, what plans are in place to modify or reform the UK GDPR?
Mr John Whittingdale: As I said in my introduction, we have published a National Data Strategy, which was an opportunity for all stakeholders to respond and set out where they think improvements can be made. GDPR is certainly not perfect, and in some areas it has proved to be quite burdensome. We are not seeking to dismantle our entire data protection regime but certainly we are interested in making what changes can be achieved that will make it easier for data to be shared, while not diminishing the standards of protection. As I said, we will be publishing a response to the consultation.
To some extent it is in part because people do not always fully understand GDPR. There are a lot of assumptions that you cannot do things, which are not correct. One of the lessons we have seen from the last year of the pandemic is that the ICO has been very good in setting out exactly what is possible, and the sharing of data during the pandemic has been absolutely critical in terms of establishing effective treatment and establishing spread of the virus. Having achieved that during the course of the pandemic, we are quite keen that those lessons should continue to be learnt and applied in future. There may well be further changes we can make to facilitate data exchange. That is all part of the consultation and we will be coming forward with proposals in due course.
Q137 Paul Girvan: I think that GDPR is used by some as an excuse to tell you nothing. That is maybe not just dealing with trade, but in many other areas it is an excuse.
Mr John Whittingdale: I share that concern. GDPR or a regime to have a high level of protection is essential, but at the same time data sharing and exchange is an absolutely essential part if we are to achieve the ambition we have to grow digital technology in the UK. It offers tremendous benefits. Therefore, data exchange should not be seen as a threat. It obviously needs to have proper protection, but it offers huge opportunities for consumers and citizens to benefit.
Q138 Paul Girvan: The Secretary of State for DCMS originally stated that the UK should take a “slightly less European approach” to data protection. What is the Government’s strategy for departing from the European approach while maintaining data adequacy from the EU?
Mr John Whittingdale: Until we became an independent country outside the EU, our data laws were entirely written in Brussels and we were required to adopt whatever measures were agreed there. I remember that when I was last in Government and GDPR was first going through, we did not always agree with some of the measures, particularly in terms of the impact on small businesses and suchlike. Now that we are no longer bound by European law and have the ability to set our own rules, that is an opportunity that we will certainly take advantage of.
In order to maintain adequacy, as I say, we simply have to continue to have a regime that delivers the high standard of data protection that UK citizens are entitled to expect. What it does not require is that we adopt every dot and comma of the GDPR regulations. The Secretary of State was absolutely right to say that now we have this opportunity to make some small tweaks, some amendments to our data protection laws, to help us achieve the ambitions we have while at the same time not reducing the overall level of protection.
Chair: Thank you. I think Anthony Mangnall has covered all he wanted to cover as regards CPTPP. If not, he will come back on. That allows me to move on to Mark Garnier.
Q139 Mark Garnier: Greg, can we turn to the WTO? We obviously have these ongoing negotiations with the new e-commerce rules, but I gather that our negotiating positions are currently subject to restricted access. Could you possibly give us a bit more flavour in terms of what our ambitions are with regard to all of these e-commerce negotiations?
Greg Hands: As we know, the WTO has not really kept up to date. I have to be careful of my criticism of the WTO, but the rules have not kept up to date with the reality of the world that we live in in 2021. There have been various attempts over many years now to do something on e-commerce, digital trade and so on. There is now the plurilateral JSI. Most things in trade carry with them a slightly bizarre title. It is called the Joint Statement Initiative, which is one of the least attractive titles I can think of.
The other thing to know about trade—as you will know, Mr Garnier, as a former Trade Minister—is that normally the more obscure sounding the thing, the more important the measures. The Joint Statement Initiative, which is what is called a plurilateral initiative, or a coalition of the willing, is exploring new rules on e-commerce. You can see the proposals that we submitted. We submitted them on 16 November last year across a whole range of areas—customs duties on e-transactions, which we have always been opposed to, and Which? are very supportive of us on that; personal information protection; cross-border transfer of information by electronic means; data localisation; source code and so on—a whole series of really helpful and useful initiatives for the JSI. We will be looking to promote this as part of our G7 trade track and moving forward to the MC12 conference towards the end of this year in Geneva.
That does not necessarily guarantee its success, and you will know that things in the WTO rarely move quickly, even plurilateral initiatives. There is still work to be done. Overall in the UK we are going to benefit. We are going to be one of the world’s great beneficiaries in digital trade. We are always one of the great beneficiaries from the rules-based international system. We need the rules to work well, as a country. Making sure that WTO rules on e-commerce and electronic trade work well is absolutely in our interests.
Q140 Mark Garnier: Now that we are the new global Britain, liberated from the clutches of the European Union, do you see us taking a lead role in the WTO in terms of being a country that demonstrates the right way forward? You are the Trade Policy Minister, but do you see it as part of your job for the UK to be a lead in the WTO?
Greg Hands: Absolutely. Liz Truss, Secretary of State, had a very good introductory call with Dr Ngozi, who is off to a great start as director-general of the World Trade Organisation. She did that introductory call last month and we are looking to move forward. We are in a good position with the G7. COP26 also increases our ability.
The UK as a newly independent trading nation in that sense, and having retrieved our independent seat at the World Trade Organisation, has a fantastic opportunity. A lot of our traditional friends and allies and free traders are looking for the UK to play a significant role at the WTO. We have had a brilliant ambassador until now, Julian Braithwaite. We have another excellent ambassador coming in, Simon Manley, and we are looking forward to playing an active role at the WTO.
We also have to recognise that the WTO is not the easiest organisation. Things never move quickly or have not moved quickly in recent years there, so we must not get too far ahead of ourselves, but definitely the UK role is a great opportunity for us.
Q141 Mark Garnier: I am sure you agree it speaks volumes that our candidate for director-general of the WTO got through to the last three, having been a rank outsider at the very beginning. That can only be a good sign.
Greg Hands: Dr Fox did very well indeed. You are quite right that he defied expectations. There were a lot of naysayers last summer, but he put the hours in and I pay tribute to him. I was involved in helping his campaign, and I absolutely pay tribute to his campaign. Notwithstanding that, I think Dr Ngozi is off to a good start and we are working well with him.
Chair: We would all agree that we would like to have seen Dr Fox make it, but he did very well. We would also concur as a Committee with the kind words meant for Julian Braithwaite, the excellent ambassador to the WTO. He has been fantastic to this Committee.
We are moving on to the closing stages, coming up to the final lap and passing the baton over to maybe the fastest of us all, in the beautiful scenery of Wales—Craig Williams.
Q142 Craig Williams: I echo all that about Dr Fox and the WTO. I look forward to the Committee getting over to Geneva soon.
I want to focus more domestically, in terms of consultation with the creative industries, with privacy advocacy groups and with civil society groups around digital trade and data policy. Minister Whittingdale, do you think the consultation is good enough or will you be doing more around those three stakeholders and more?
Mr John Whittingdale: I have had a series of roundtables and one-to-one consultations when we were formulating the National Data Strategy. We did seek to talk to all those with an interest, ranging from the big tech firms through to those campaign groups who are concerned with privacy. The National Data Strategy has achieved a very good response and we will be publishing that very shortly.
The consultation response will be published, and you will see, when that comes out, the extent of the input we have had. We are also setting up a national data forum, so it was not a one-off and then we will go off and do our own thing. We want to continue to maintain a dialogue as we look at what reforms can be made.
You mentioned not just the privacy groups but also the creative industries. I am very conscious, for instance, in terms of the audio-visual sector—one of the areas that I have taken a long-standing interest in—that there are certain interventions that the Government make in support of the audio-visual sector in the UK that are absolutely critical. I have been able to reassure them that that will not be in any way affected by our position in FTAs.
Q143 Craig Williams: Minister Hands, before you jump into answering that more broadly, Which? and TechUK have said that they would very much welcome much more information. As a Committee, we have talked about the timetable around FTAs and the information being forthcoming at a timely pace, so that all the industries and groups we just discussed can engage in a much more proactive way. Could you react to that in your broad answer?
Greg Hands: We have our strategic trade advisory group and we have our trade advisory group. Here particularly the relevant one is the technology and telecommunications trade advisory group. This is where, as the Committee knows, we bring in technically competent third parties to be involved, broadly speaking, on trade policy but also on specific trade agreements to bounce particular items off them confidentially as well. That has worked very well so far. We also have a trade union TAG, and we have different TAGs for other parts of civil society as well.
I meet with Which? quite often, and we have a very good exchange with Sue Davies and others on Which?. I am a subscriber myself, so I follow what Which? does very closely. They make the point that the consumer voice is so important in all of this; the business voice is vital but the consumer voice is vital as well. There would not be any point doing these trade agreements—in my weird and wonkish world of trade policy, you could easily spend your life writing and designing 700 or 800-page trade agreements, but if they do not benefit consumers and businesses at the end of the day, then they are just pieces of paper. So interacting with groups like Which? and other consumer groups and business groups is a vital part of it. That is why we are right behind the TAGs and other different consultative panels and roundtables that we do.
Craig Williams: Just remember that we have to read those weird and wonkish papers, so anything you can do on that consumer protection front—I had better declare an interest as a subscriber to Which? Chair, I will pass from mid Wales back to you.
Chair: Thank you very much. It is a good publication to subscribe to, so we applaud that declaration of interest.
We have done an hour, as we promised and agreed beforehand. I thank both Minister Whittingdale and Minister Hands for attending the meeting and of course their advisers, Graham and Nick, for being here. I hope that we will have the correspondence that we discussed; I can see nods from the Minister.
It is a beautiful, sunny afternoon here in the Outer Hebrides. The broadband is maybe too good, but that is what happens when the Scottish Government can roll out broadband into crofts in the Hebrides. Without further ado, I will bring the proceedings to an end and, hopefully, we shall see you in the not-too-distant future, Ministers. Thank you all.