Select Committee on the European Union
Home Affairs Sub-Committee
Corrected oral evidence: The EU Data Protection Package
Wednesday 15 March 2017
10.40 am
Members present: Lord Condon (The Chairman); Baroness Browning; Lord Cormack; Baroness Janke; Baroness Massey of Darwen; Baroness Pinnock; Lord Soley; Lord Watts.
Evidence Session No. 4. Heard in Public. Questions 42 - 53
Witnesses
I: Anthony Walker, Deputy CEO, techUK; Ruth Boardman, Co-Head, International Data Protection Practice, Bird and Bird.
Anthony Walker and Ruth Boardman.
Q42 The Chairman: Good morning and thank you very much for giving us your time today. I would remind you that this is a public session and there is a live webcast of it. Subsequently, you will be sent a transcript of what you have said to us. Feel free to comment on the transcript or to add any further detail that you think would be helpful to the Committee. We have an idea of the questions we would like you to address this morning. Before we go into the questions, is there anything that either of you would like to say by way of an introduction?
Anthony Walker: Yes, if I could begin, I would like to thank the Committee for this opportunity to give evidence on what we view as an extremely important and pertinent issue. The reason I say that is, on the broadest possible level, there are two fundamental trends that are happening across the global economy at the moment. The first is the process of digitisation where economies as a whole—the UK economy and global economies—are becoming more digitised and, therefore, more data-driven. The other is that globalisation continues to move forward at some pace and the ability for businesses and services to be able to operate cross-border becomes ever more important. Thus we have these two issues of a more data-driven economy and a more global economy. That means that personal data is fundamental to both of those issues, and the way in which personal data is handled is of primary concern to citizens and businesses as well. Therefore, having a harmonised approach, a global and international approach, to these issues is a really core element of what we need to achieve as we think about the future of the UK post-Brexit and the Government’s vision for a global Britain. It is an absolutely fundamental issue to the future of the UK economy.
The Chairman: Thank you. Ms Boardman, do you want to add anything to that?
Ruth Boardman: I agree with all that. I spend a lot of my time advising businesses on how they deal with those issues and, in particular, questions they have around data transfer because they are finding it difficult to do that either as somebody who is exporting data or as the provider who is trying to facilitate that, so it is very important to get it right to avoid unnecessary friction.
The Chairman: Thank you very much. If we could go into the questions—and we have given you some notice of them—starting with an overview, could I reverse the order of the first two and perhaps ask you both: can you give us a sense of the size and the scope of the UK digital sector, and how important data flows are between the UK and the EU to the UK economy? That is really building on your opening statement.
Anthony Walker: We published some work very recently with Frontier Economics on this issue, which I am very happy to share with the Committee. If you look at both the digitally intensive producing sectors of the UK economy and the digitally using sectors of the economy—parts of the economy that rely enormously on digital and data for their products and their outputs in services—we think that it, essentially, makes up about 16% of UK GVA, about 24% of all UK exports and accounts for about 3 million very high-value jobs in the UK economy, so the most digital parts of the UK economy. It is a big chunk of the UK economy and is the part which is the fastest growing. Data produced by the Tech Nation report last year suggested that this part of the economy probably grows about 30% more quickly than the rest of the economy. These are also the most productive sectors of the UK economy and they have the highest levels of productivity growth, so the digital part of the UK economy is extremely important, it is globally significant and, therefore, it will be vital for the success of the UK economy going forward.
The other thing is that there is this process of digitisation happening, so the rest of the economy is also in the process of becoming more digital, which needs to be borne in mind. Our digital economy is big, important and it is becoming a bigger part of the overall economy.
In terms of trade, about 80% of the sector’s exports are in services, which will very often involve the transfer of data because data is a key component of services. In particular, when we think about the impact of the GDPR where we have this new, much broader definition of what is personal data, it means that a huge amount of that data will be subject to the GDPR, and many companies and organisations have not yet fully grasped the broader definition that sits in the GDPR.
Q43 The Chairman: That is a very good lead in to what was scheduled as our first question to you. As you know, we are looking at the four elements of the EU data protection package: the GDPR, the law enforcement directive, the Privacy Shield and the umbrella agreement. Could you build on what you have just said in broad terms as to their implications collectively for the UK in terms of, first, the impact on the UK digital sector as data controllers, including the resource implications of complying with this new regime, and, secondly, on the people whose information is being shared, the data subjects?
Anthony Walker: If we take the package as a whole, it is quite fundamental for the way in which governments, businesses and citizens handle data or the way in which their data is handled, and it provides the legal framework. If we focus, in particular, on the EU data protection regulation and the Privacy Shield, which are the most directly relevant areas for businesses and citizens, for businesses, you have so-called data controllers and data processors, and you have citizens, who are the data subjects. They need clarity, certainty and confidence about the way in which data can be lawfully processed and, in particular for citizens, about their own rights, how their rights are enforced and protected and the rights of redress that they have under that legislation. This is an extraordinarily important set of legislation that governs those issues. As a member of the European Union, obviously we benefit from the fact that it sets a legal framework, which means that it is across the whole of the European Union and, therefore, it governs, essentially, the legal basis for transferring data between member states, which, as I say, is a fundamental enabler of the UK’s trade and services with the rest of the European Union.
The Chairman: Do you see it as a fundamental step change rather than a finessing or refining of the existing regime?
Anthony Walker: The GDPR clearly builds on the data protection directive, which is now 20 years old, but it makes some very significant changes, and Ruth might be able to give more on the detail of that.
Ruth Boardman: You are absolutely right that the regulation builds on the existing law, so, when you look at it, about two-thirds of it or 70% feels very familiar; all the key principles about fairness, transparency, data accuracy and security are there. The key changes though are, first, that it imposes more obligations of accountability on organisations. In addition to saying, “You have to meet these key principles”, it imposes specific obligations on organisations to take certain steps to ensure that they comply by design rather than by accident, if you like, which is one area.
The second is that, in a number of areas, it tries to make things easier for individuals to tip the balance in their favour. To give you an example, at the moment, if you ask an organisation to give you a copy of your data, they have to do that, but quite often there are exemptions that will apply where it may not be appropriate for them to provide the data. At the moment, if you withhold some data on that basis, you do not have to tell the person that you have withheld any, so there is a sort of information asymmetry or imbalance where the organisation knows what it has and what it has withheld, but, as an individual, you do not, so you cannot challenge that. The regulation says that you have to provide more information. That is just one example of where it tends to tip things in favour of the individual to make it easier for them to enforce their rights.
On your question of whether it imposes more obligations, yes, it does, but the consensus generally is that, to build a digital economy, you need to get trust and confidence and that the way you do that is not to remove the obligations that organisations are subject to but to have appropriate obligations. When you look at non-EU countries, for example, you see an increasing tendency to try to put in place appropriate legislation to do just that; people are not looking to remove the rules but to have better appropriate rules.
The Chairman: Lord Cormack, did you want clarification on this?
Lord Cormack: Do you believe that the present system is working well and that it would be difficult to replicate it, not impossible of course, when we leave the European Union?
Anthony Walker: We are in a process of transition obviously as we move towards the full entry into force of the new data protection regulation, which will happen before the UK leaves the European Union. A lot of work is ongoing within firms and within the ICO and across government to ensure that the UK implements the GDPR fully, which we fully support. On the question about exactly how things work once the UK leaves the European Union and becomes a third country, there are some questions about how elements of the GDPR would work in terms of the issues around European Court of Justice jurisdiction, the European Data Protection Board and so on.
The Chairman: Forgive me if I suspend discussion on that at the moment, but we will get drawn into that sequentially as we go on. Before we move away from the overview, is there anything more you could say to us about the law enforcement directive? I know that you are not involved directly in that, but is there anything you would wish to add to our knowledge on that?
Anthony Walker: Given that it is an issue that relates more between the public sector and government rather than businesses, it is not an issue that we have looked into in as much detail, so I would prefer not to add anything.
The Chairman: Ms Boardman, is there anything you would want to add on that?
Ruth Boardman: No, thank you.
The Chairman: If we move then from the overview and start to look at the Brexit implications specifically, I would invite Baroness Massey to start that discussion.
Q44 Baroness Massey of Darwen: Assuming that the UK will be treated, as you have said, as a third country on data protection issues once we are no longer a member of the EU, what would be the impact on the digital sector if there were no adequacy decision in place at the point of leaving the EU?
Anthony Walker: The first thing I would say is that the impact goes well beyond this particular sector because the impact will be on all businesses which, essentially, trade in services where there is a flow of data associated with those services, so the impact is probably economy-wide rather than just on the digital sector. The impact is in four things. The first would be a significant increase in the amount of red tape that businesses have to deal with as they would have to put other mechanisms in place to lawfully transfer data. That means cost because there will be significant legal costs associated with putting those measures in place. There is also an element of uncertainty which is about the future legality of some of those mechanisms, including standard contract clauses where there are a number of outstanding cases that will be put before the European Court of Justice about their legality. Finally, there is an issue around competitive disadvantage for UK firms. If our firms in the UK have to jump through a whole set of additional legal hoops in order to transact and do business with firms or customers across the European Union, they will be at a disadvantage versus their competitors who are based in the European Union who do not have to go through all those steps. Red tape, costs, uncertainty and competitive disadvantage would all result if the UK did not have an adequacy arrangement in place with the European Union.
Baroness Massey of Darwen: Can you say a bit more about the legality issues, or will you be doing that later on?
The Chairman: If you feel you want to say something now, please do.
Anthony Walker: This is the issue around standard contract clauses, which is an alternative mechanism that companies can put in place on a contractual basis to create a legal basis for the lawful transfer of data. There is currently a case before the Irish data protection regulator, a civil Schrems II case, which is questioning whether standard contract clauses are sufficient for guaranteeing and protecting the rights of European citizens. Ruth may be able to talk a little bit more about the implications of that case.
Ruth Boardman: Yes, sure. Just standing back a little bit first, there are many countries out there which do not have adequacy decisions, so clearly there have to be alternative ways that allow organisations to share data, so standard contractual clauses, as have been mentioned, agreements between an exporter and an importer which, as a matter of contract law, provide adequacy, and then there are other mechanisms, such as binding corporate rules. If you look at standard contractual clauses, which is a contractual mechanism which provides adequacy, this is the most commonly used way of transferring data because it requires less effort, if you like, for organisations to do it; you sign a contract and then you have a mechanism for transferring data.
Max Schrems, who challenged Safe Harbor, is now challenging the adequacy of the standard contractual clauses, so, when Safe Harbor was invalidated, the alternative that most organisations used to replace that was to put in place these data transfer agreements. Max Schrems asked the Irish data protection commissioner to look at whether those were effective or whether the law that is in place in the States, in particular in relation to surveillance, meant that data transfer agreements do not, as a matter of fact and law, provide adequate protection for EU data. The Irish commissioner reached a preliminary decision that she thought that he had a good point and that standard contractual clauses would not be effective, so she has asked the Irish High Court to make a reference to the European Court of Justice to determine whether standard contractual clauses ought to be invalidated. There is a particularly significant impact for the UK because, if those data transfer agreements are held to be invalid, the main alternative way that businesses would use to allow data to be shared with the UK would suddenly cease to be valid. We are waiting for the decision from the Irish High Court later this month.
The Chairman: Linked to that, Baroness Browning.
Q45 Baroness Browning: The Committee has heard that it is possible that we will not be able to commence seeking an adequacy decision until we have left the EU. I wonder, if that is the case, what thoughts you have about transitional arrangements to avoid that cliff edge, which would inevitably come, and how long you think putting in place transitional arrangements would take because, clearly, the clock will start ticking any day now. How complex would it be to try to put in place those transitional arrangements?
Anthony Walker: This is a really important question. This is an issue that is not unique to the issue of data protection. There will be many aspects of European law and single market legislation where there will be a need for transitional arrangements between the UK leaving the European Union and the entry into force of some new overarching agreement or other forms of agreement, so there is likely to be a need for a bridge. Quite how that bridge is built remains uncertain and is a matter for the Government, in negotiation with partners across the European Union, to determine what that could be. From our perspective, we would really like to see an extension of current processes up until the point that a new relationship enters into force. Our view is that, if there is broad agreement about what the destination should be, we think that there would be a willingness certainly across the European Union to consider such an arrangement, so we think that is possible, but it is very much a matter for the Brexit negotiations.
However, I would stress that, even if the UK made a request today for an adequacy decision, that process is likely to take in the range of about two years to go through the various stages where the Commission has to commission an independent report, which then is put to an Article 29 working party, or what will be the new European Data Protection Board, and then there is another committee of member states that has to review that decision and so on, so it is quite a lengthy process. Even if that started today, it would take probably two years for it to complete.
Baroness Browning: We would not leap forward a few points in that process because of the status quo at the moment, would we? Would it really be like starting from scratch, or would there be some reason why we would both understand that we were starting higher up the ladder?
Anthony Walker: Certainly the UK will be very well-placed, given its long history of being fully compliant with EU data protection law, on the basis that there is clarity about the way in which the UK is implementing the GDPR, so certainly, on many issues, it would be straightforward. The challenge is that, when you become a third party, there are other aspects of domestic legislation that become relevant, so issues around data retention, rights of redress and so on would come into view, and some of those could be challenging through the course of discussion.
The Chairman: Lord Watts, did you have a supplementary on that?
Lord Watts: I am interested in the point you made, that, if you do not have an agreement and you are outside the EU, people use a standard document to get through that process. Yes, it has been raised that that may not be so. How much of a problem would that be to small and medium-sized companies which had to go through something more complex than the procedures that they are perhaps using now?
Anthony Walker: We think that it is really quite significant for small businesses that are not used to having to put those kinds of arrangements in place. There is a lack of internal knowledge and there will be significant legal costs associated with putting those contracts in place. You also have the complication that suddenly you are going to either your customer or your supplier and asking them to sign a new contract, and they have to understand why they are being invited to sign a new contract, so that can bring in delay and uncertainty. For small businesses, in particular, we think it would be a significant impediment to doing cross-border trade.
Lord Watts: In your experience, is that likely to lead them not to be interested in doing that, in practice? We know that, the more complex the business is, the less likely it is that the small and medium-sized companies will involve themselves because of the cost and the complexity. Is that a likely result if you do not have that agreement?
Anthony Walker: It is one of a number of factors that could make it less attractive for smaller and mid-sized firms to look to expand into international markets or, indeed, to partner with other firms in other markets and so on, so yes, we think it is a significant disincentive at the very time when the ambition is to further drive international trade.
Lord Watts: Thank you.
Lord Cormack: You are a trade association, and I have had a lot to do with trade associations in one way or another over many years. How far can you act collectively for your members, and how many other trade associations are there similar to yours and can you work as a group? The way you have just described things sounds extremely complicated and time-consuming, and I would have thought that this was where a trade association could play a vital role.
Anthony Walker: We do a lot of work in trying to help companies to understand the legal framework. At the moment we are doing a lot of work around the GDPR in helping companies understand the new rights and obligations that have come in through it, so we can help to that extent and we can help in terms of training and how to deal with these issues. We can smooth the path a little, but ultimately these are very commercial issues and they will be highly confidential issues, so it will be for law firms rather than trade associations to support businesses in this activity.
Ruth Boardman: To add a couple of extra points, these agreements are by contract, so, for them to be easily usable, you need two parties to the contract. That is relevant to businesses which are selling direct to consumers in the EU because there will not be two parties to enter into the contract. If you take that kind of organisation which is growing an online business selling direct, although there is a mechanism there under the regulation that can be used, it is not really possible for that kind of organisation. There are burdens for business in doing this. Larger organisations are well-placed and have internal teams that can do it, but it adds cost and complexity. Even for the larger organisations, it is seen as an unattractive feature to have to do that, so you will see a lot of the large cloud service providers offer solutions which are purely storing or processing their data within the EU, in order to meet customer pressure to avoid those complications.
The Chairman: Mr Walker, before we move on, can I make sure that I understood the point you made to Baroness Browning when she raised the issue of an adequacy decision and that, because we are harmonised, it should put us in a strong position? Did you say that there would be extra dimensions coming into play were we to seek an adequacy decision around data retention and so on?
Anthony Walker: Yes, as you become a third country and you leave the single market, the European institutions have competence to look at other aspects, including security legislation and so on, which are not relevant when you are a member of the European Union.
The Chairman: I see, thank you.
Baroness Browning: If I could just follow on from that, nobody has left the European Union in this way before. There must, surely, be a difference between a third country applying from scratch and the status quo that we have at the moment.
Anthony Walker: I think that is true. There is no precedent for what is about to happen and there will be much that is open to political negotiation. This is where the willingness of both the European institutions and other member states to be flexible and accommodating in addressing these issues will be extremely important. We must not lose sight of the fact that this is very relevant to European firms exporting or doing business in the UK. It is just as relevant because we are talking about cross-border flows here, so there are many businesses across the European Union which are just as concerned that there is a smooth transition as UK firms are. Certainly, when we have been talking to our counterparts across Europe in Berlin, Brussels and elsewhere, there is a real willingness on both sides to see this issue dealt with in a pragmatic way. As you said, there is no precedent and we are coming from a good starting point, so you would hope that this can be managed in a positive way.
The Chairman: Thank you.
Q46 Baroness Janke: My question was about alternatives to adequacy decisions, and you have already mentioned contractual clauses and agreements between exporters. If Max Schrems’s challenge is successful, are you looking at other ways as alternatives to adequacy decisions?
Ruth Boardman: There are a range of things that people wanting to transfer data can use. One option is the standard contractual clauses. There is another option of binding corporate rules, which are for groups of companies, and you put in place practical measures to demonstrate that, as a matter of practice and policy in the organisation, you protect data appropriately. They are designed for groups. You have to have fairly sophisticated approaches to data protection and you then have to go to a data protection authority, in fact a group of authorities, and get these rules authorised. To the question about the impact on SMEs, for example, it would require a level of advice and effort which would be difficult to do. You also need presence in an EU member state to seek authorisation for that, so, if you are just a UK company, you could not use that mechanism. It also takes about two years to get them through the approval process, so, even if companies started now, they would not have it in place by the time we leave the EU.
The other mechanisms are to do with getting consent or being able to demonstrate that the transfer is strictly necessary to deliver a contract with somebody, but those are both quite limited; they are not the kinds of arrangements that you can proactively and easily put in place. It follows from that that, if standard contractual clauses are invalidated, not only do we have a problem here, but everybody in the EU has a problem because data flows everywhere will be massively disrupted, so it would be a wider and shared problem.
Baroness Janke: I thought you were saying that contractual arrangements were an alternative to the adequacy arrangements which, within the EU, we do not need.
Anthony Walker: In a way, this is our concern, that quite quickly you could potentially have a scenario where you run out of options. If you are no longer a member of the single market you would not have an adequacy agreement in place. If there were a scenario where standard contract clauses were no longer available, very suddenly you would run out of options.
To give one point on BCRs, we know one very large, very well-known company which has been seeking to get BCRs in place for more than five years, working with data protection authorities, and is yet to achieve that. The BCR process will have very limited applicability and the GDPR makes consent a very unreliable mechanism as well. The real risk here is that the challenges being brought before the European Court of Justice, combined with the impact of Brexit, where the timescales are also not helpful in terms of a decision of the court on the Schrems II case, could come just towards the end of the Brexit process, all of which means real uncertainty.
The Chairman: If it stacks up in that worst-case scenario, what then will happen? Will that be a catastrophic situation?
Baroness Janke: On the back of that, for companies, some of which in the digital world are quite small and are affected by freedom of movement issues, does it help for them to relocate within Europe? That is something that I have had put to me by people.
Anthony Walker: Yes, if you are small enough and nimble enough, relocating could be one option. Another option could be to try to move some of your data operations into different markets. However, having said that, if we lose standard contractual clauses as a reliable mechanism, that has wider implications for trade between the EU and other jurisdictions, so there will be considerable political pressure to try to resolve that and put something else in place, but you then have to think about the various third parties you are negotiating with.
Ruth Boardman: Could I add to that? It is certainly something which, if you are a UK-based service provider which is offering digital services to people across the EU—maybe you have a data centre or you are providing HR-type services—you can see that customers would be concerned about that scenario; that the UK will cease to be adequate and that these agreements may be invalidated. It immediately makes your offering less attractive than that of a competitor which is based in the EU or can move data in the EU.
The Chairman: Perhaps we could move on to the UK’s ability to influence data protection standards and start with Lord Soley.
Q47 Lord Soley: How influential is the UK in setting global data protection standards?
Anthony Walker: Data protection is still a European Union competence. Having said that, the UK has been extremely influential in the EU in establishing the principles and the framework that underpin data protection legislation in the European Union. Certainly that was the case with the data protection directive that was put in place in the 1990s, and both the UK Government and our regulator, the ICO, were very influential in the discussions that led up to the agreement on the general data protection regulation. From my perspective, our data protection regulator, the ICO, is very highly regarded. When I talk to my counterparts across Europe and the people who work within the European institutions, they view the UK’s input on these issues as being extremely important. Up until now, I would argue that the UK has been influential in shaping legislation.
Going forward, if we are no longer a member of the European Union, I still think the UK has opportunities to influence. There is an open question about whether the IC could have observer status or some other status on the European Data Protection Board, but we can have direct influence in talking to data protection authorities across Europe and we can have influence in talking through these issues with Governments across Europe. In a speech late last year, the German Chancellor Mrs Merkel talked about having to think more clearly about the way in which the GDPR was implemented to ensure that it had a positive impact both for citizens and businesses. We can be part of a bilateral dialogue with the German Government, so there is continued opportunity to influence, but we will have to use our soft power as opposed to our ability to directly vote in the Council.
The Chairman: Do you agree with that, Ms Boardman?
Ruth Boardman: Yes, absolutely.
Lord Soley: There are two ways of looking at this, are there not? One is to say that we will lose influence because we will be outside the system and no longer setting the standards. The other way to look at it is to say, “Right, we are outside, but we have a very high standard already and we have been setting high standards in Europe, so why don’t we become the gold standard, not only for Europe but other countries, and make sure that we stay ahead of the game by setting these standards?”. Is that a possible option or not?
Anthony Walker: If you start from the prospect of a vision for global Britain, one of the things that we have to understand in terms of developing trading relationships around the rest of the world is that data protection norms, legislation and practices become really fundamental. We want to drive a more harmonised approach internationally that makes it easier for businesses to trade and means that consumers and citizens are confident and clear about the way in which their rights are protected. Having said that, we have to remember the size of the UK market versus the size of the European market and that we will have to do that very much in partnership with the European Union, rather than simply boldly striking out by ourselves and hoping others will follow.
Lord Soley: I understand that, but we will be outside the EU, so that is your starting point. So you either go for something such as an adequacy agreement, where you are, in a way, following what happens in Europe; or you start saying, “Right, we are going to start setting the standards because we are already largely doing that, and we are going to make sure that we are ahead of the game within the European Union and looking at other areas of the world too, and make sure that we are on the front line all the time”. It should, presumably, make an adequacy agreement easier and, secondly, make it easier if you are dealing in a global market. Is that not right?
Anthony Walker: It depends what, in practice, that would mean. I would first argue that we have been through a very complex, detailed process of establishing the GDPR and right now, from a business perspective, businesses would like to see a settled regulatory framework that they understand, that they can be sure that they are complying with and which they can help citizens and consumers to understand. To that extent, stability is good and I think we would want to stay, and that is why we would argue that we need a stable framework certainly for the next few years. In terms of the future evolution, yes, we can try to be at the forefront of thinking about how things need to change, but we would need to bring the rest of the European Union with us, and it is not clear to me exactly how we would do that.
Lord Soley: This is what I am trying to say, that you either run in front or you run behind. Ms Boardman, if I can ask you, the British legal system is well-respected around the world and this is, very largely, governed by laws which we devised, to a large extent, too: why can those not set the standard?
Ruth Boardman: There are a number of points there. First, I absolutely agree with Anthony that positioning yourself as having strong data protection laws can certainly be an advantage in demonstrating that you are a good place to do digital business. Within the EU, it will be a tough ask for the UK to persuade other trade member states in the EU that we are the gold standard because we are widely perceived as being the pragmatic, moderating voice rather than the country which is pushing at the edge of this.
To give you an example, when the EU looked at adequacy decisions for the territories which have UK-inspired data protection legislation—Jersey and Guernsey, for example—the Article 29 working party had to give an opinion on the adequacy of the laws there, and it expressed concerns about some of their laws precisely because they replicated UK law. While the UK is a member of the EU, that is irrelevant because we are automatically adequate, but it is an example that shows that we are not seen as being the gold standard, but as, to put it kindly, the pragmatic, moderating influence, so I think we would have a credibility challenge doing that within the EU.
Lord Soley: Am I right in thinking that the UK is seen as more business friendly in its approach and less concerned about the absolute protection of privacy? Is that right?
Ruth Boardman: I would not say less concerned about the absolute protection of privacy, but there is certainly a recognition that having laws on paper which cannot be infringed in practice is not a helpful approach.
Lord Soley: But that does not mean that, in global terms, you are more attractive as a business.
Anthony Walker: For very many companies that are global, they want to put in place a single set of processes. It is important to remember here that the risks of falling foul of data protection law are not insignificant. There are very significant new fines introduced into the GDPR, which is a risk that businesses have to be very mindful of. Therefore, if you are running a global operation, you will want to have consistent processes across your business. What we are seeing is that global firms based outside of the EU are taking the GDPR as the norm for their business and are building their processes around it, so, for very large companies, there is no desire to diverge from the GDPR—the opposite, because they worry about falling between the gaps.
Lord Soley: On that point, I was not arguing the case for being outside—I voted to remain—but I have to face the fact that we are out, so we either run behind the European Union or we try to run ahead. When you say, as you did just now, that they want that model, yes, they do, and either we have to do an adequacy agreement to keep up with it, which I understand is an option, or we say that we will make sure that we meet that existing standard and, if we can improve on it, we will.
Anthony Walker: In a way, if we meet the standard, we should be able to get an adequacy agreement, and that would remove the burden from business. I would also say that we can continue to shape the nature of European legislation around data protection going forward, but we will have to use other routes to do it, as I was saying. In terms of bilateral discussions with other major EU countries, engaging with the European data protection authorities and being on the front foot in talking about the issues, the challenges and where we will need to shape and adapt data protection law going forward, that probably means we need a more outward-looking ICO. I certainly think it means that we need a better-funded ICO so that it can engage internationally, and it means that the UK Government need to be at the forefront of thinking about how we get this balance right in the protection of citizens’ rights, security matters that need to be taken into consideration and making sure that we are dynamic, innovative economies going forward. We can still be at the forefront of the debate.
The Chairman: I think Baroness Massey and Lord Cormack want some brief clarification.
Baroness Massey of Darwen: This is a bit of a naive question, and it is not about laws or clauses but about the nuts and bolts. I assume that systems and technology will develop and change in the next few years and keep on developing and changing. If that happens, what influence do we have on how the technology is working, and how do we share those changes between countries?
Anthony Walker: That is a very good question. Yes, absolutely, technologies are developing at an extraordinarily rapid pace and issues around what that means for individuals and for privacy and so on will remain at the forefront as a fundamental democratic issue that we all need to pay very close attention to, and yes, laws and the legal framework will have to adapt and keep pace. The GDPR was designed to be able to cope with change, but, as we see new technologies emerging, such as the internet of things, there will be areas where the GDPR will have to adapt and change.
The GDPR tries to introduce this concept of privacy by design, so we are trying to encourage businesses to think right from the outset at the design point about products and services and how they both protect people’s rights and empower people to understand and make choices. The technology is evolving and many people are trying to think about how we build stronger protections into that new technology, but this will be a live issue for many years to come.
The Chairman: Lord Cormack, you have a supplementary.
Lord Cormack: I must make it plain that, like the Irishman, I would not start from here, but I have felt increasingly that we have to build stronger bilateral relations within the EU. I referred to that in the House yesterday and you referred to it just now. Where do you think, from all your expert knowledge, we should be concentrating our bilateral efforts within the EU?
Anthony Walker: Clearly, on the large economies—Germany, France, Spain and Italy—and the economies that are at the forefront of digital innovation, so that is the Scandinavian countries and the Baltic States. As techUK, that is exactly what we have been doing, so we have been spending time in all those countries over the last six months talking about these issues and trying to understand where the mutual level of knowledge and understanding is. I would argue that, when we talk to our partners within the technology sector, there is a striking commonality of view, and we have to open up all the channels to engage with those countries. We have also been doing quite a lot of work at the G20 where we have been raising exactly these issues with the German presidency, which is currently ongoing, and with our counterparts in Japan and the US. We are very focused on that issue of building those relationships internationally so that we can develop a common international understanding across major markets about how we can create the kind of framework that our businesses and our citizens will need going forward.
Q48 Lord Watts: You have already touched on some of the points that I was going to raise in my questions, but I will give you the opportunity to add something, if you wish to. The first part of the question was: how much room for manoeuvre do you think the Government, in practice, will have with data protection if they wish to maintain flows of data from both the EU and the UK? You have covered that extensively, but, if you wish to add anything, please do. The second part is: what assessment have you made of the position if the Commission changes the rules? Will Britain be obliged to follow those rules, will there be some flexibility, or is the best thing for us to fall in line with the Commission? The next part is about the adequacy for third-party countries. Do you once again think that, if the Commission accepts a standard, we would have to follow that standard as well? It is really just trying to work out whether we will follow that standard and whether we have any ability to manoeuvre, or whether we just have to accept the Commission’s position on these issues.
Anthony Walker: As we understand it, the GDPR will enter into force and be implemented in the UK before the UK leaves the European Union. As a regulation, that legislation will be brought into UK law through the great repeal Bill process and, clearly, then the UK Government have the freedom to determine their own course of action after that. We would urge caution in the early stages. We would say that the best thing for the UK economy and for UK citizens is to stay closely harmonised with European law. Over time, areas might emerge where it makes sense to diverge, but we would have to make a very careful analysis of the pros and cons of diverging and, if the impact of diverging meant that an adequacy agreement would not be possible or would no longer be valid, you would have to question very carefully whether that was the right thing to do. However, there may be areas where the UK can tweak the legislation to do things differently.
On the issue of the divergence that happens from the point of departure from the great repeal Bill, as it were, we do not want to see a process of accidental divergence happening as the European Union continues to legislate in areas where the UK does not. There needs to be a process that enables us to carefully track what is happening at a European level and determine whether or not those changes should be implemented into UK law. In many instances, I would argue that it will make sense to implement them into UK law.
Ruth Boardman: Part of your question was also to do with adequacy decisions. At the moment, for example, Israel, Switzerland and a number of other countries have adequacy decisions. Part of your question was whether the UK, once we are outside the EU, would adopt those adequacy decisions as our own and whether we would be obliged to do that. Because we will have implemented, if you like, the GDPR by that stage, we will be subject to the same rules on restrictions of data as other EU member states, so we will need a mechanism to judge countries as being adequate. We will need something to replace decisions taken by the Commission. We would need to do something to the law to allow the Information Commissioner, for example, to issue decisions or somebody else to issue decisions. We would need something to take the place of that process. I would have thought it would be sensible to allow the UK to follow EU decisions. That is because there is a lot of concern about what are called “onward transfer rules” so that, if the UK gets adequacy, it is a ship in which it is safe to put EU data. If our rules on onward transfer are too lax, then there are lots of holes in the ship and that data can escape, so it affects your own adequacy decision. That is an incentive, if you like, for trying to follow the EU approach very closely, unless there are good reasons to depart from it.
Lord Watts: Just to be absolutely clear, it is both your view that we are best served by adopting the Commission’s rules now and, when we leave, to adopt any changes in the rules, unless we give it careful consideration and take into account how a change in direction would affect the UK? Is that a fair summary?
Anthony Walker: Yes, and, in particular, how it would affect the ability of the UK to establish relationships with other third countries for the onward transfer of data. It is a bit like putting together a jigsaw that enables data to flow between different jurisdictions, and what we want to do is to, piece by piece, put that jigsaw together, but it has to be mutually compatible in the process.
The Chairman: We move on to the EU-US Privacy Shield, and Lord Soley would like to explore that.
Q49 Lord Soley: Can you tell me how important the EU-US Privacy Shield is to the digital sector of the British economy and, outside the EU, do we need to negotiate with the US a similar shield? Also, how would that relate to the European Union?
Anthony Walker: As a member of the European Union, the UK has a particularly strong relationship with the US both in terms of UK trade with the US and with the UK being a destination for foreign direct investment into the EU from the US. Compared to other EU member states, the UK has a higher proportion of US firms that are based and located in the UK and, partly by nature of geographical position, a lot of the data transfers between the US and the EU emanate from the UK, so I would argue that it is disproportionately important for the UK within the European Union. There are about 1,800 firms which have signed up for the Privacy Shield in the US, and a lot of those are large firms that are doing large volumes of data transfer, so the Privacy Shield was of particular importance for the UK and it remains the easiest mechanism to enable UK and US-based firms to transfer data lawfully.
Q50 Lord Soley: Could we do an EU-UK privacy shield as an alternative to adequacy?
Ruth Boardman: Not really.
Lord Soley: Why not?
Ruth Boardman: The Privacy Shield is a form of adequacy decision, so it is not an alternative; it is one way of achieving adequacy. The Privacy Shield achieves a number of key things. It sets out EU-standard data principles, which US participants agree to follow. In the UK, we would not need those principles because, as was said earlier, we already have very good data protection law. We do not need a privacy shield to create those standards as we already meet them.
The other thing that the Privacy Shield does is explain how the US deals with national security concerns, for example. Again, we have legislation in that area which very comprehensively sets out the UK approach, so we would not necessarily need some separate arrangement to explain that to everybody.
Lastly, the Privacy Shield deals with enforcement and redress. We would try to argue that the UK has excellent arrangements for providing remedies and redress to people already and we do not need some new legislative or self-regulatory arrangements to provide for that. We would try to argue that our existing arrangements are the gold standard that you described earlier and, therefore, should be recognised as being adequate.
Lord Soley: The technology is changing constantly, as you indicated earlier, which means that you have to keep changing your systems, have you not, to some extent? Obviously, certain basics remain the same, but you have to keep up with the technology, which means that, whether it is coming from the EU, from here or from the US or wherever, you have to work out systems that work not only within the EU but in the wider world. Is that right?
Anthony Walker: I would argue that the regulation is trying to put the principles in place and that those principles should be fairly durable as innovation takes place. To an extent, yes, you have to make sure that you are fit for purpose, but many of the fundamental principles are quite flexible to changes in technology.
Lord Soley: Yes, but, from listening to you, you are talking about negotiations not just with the EU but about Japan and other countries where we are doing it. In fact, I would suggest we are evolving towards a universal system for business and privacy which would be a good model. It may be that I am confusing it by using the term “gold standard”, but one of the ways of dealing with being, like it or not, outside the EU is to make sure that we keep up with the standards not just in the EU but in the wider world.
Anthony Walker: Yes, I think that is true. I would also say that we have to be mindful that, while we may well think that it makes sense to be at the forefront of a process of building a wider international framework, there are others who might argue that these issues can also be used to drive a protectionist agenda, which we see in some jurisdictions around the world, or that some national security legislation could be such that those jurisdictions are not seen to be a safe place for UK data or for European data and so on. There are tensions in this and it is not an automatic process.
The Privacy Shield obviously came out of the previous Administration in the US and it is up for an annual review process, and we do not yet really know what the view of the new US Administration is on it. There are some real uncertainties on the other side of the Atlantic about that and it is not clear yet what that means for us.
The Chairman: Do you judge that the US might have an appetite for a privacy shield-type agreement with the UK, or is that not particularly relevant?
Anthony Walker: It certainly seems to be apparent that the US is keen to do a free trade agreement with the UK and, as I was trying to suggest earlier, these arrangements around data protection and privacy and so on are becoming fundamental enablers of trade, so it would have to be part of some kind of trade agreement and it is likely to have to be addressed in that area. We simply do not know what US trade policy is going to be yet. The key departments of the US Government still do not have the key people in position, so it is too early to judge.
The Chairman: It would have to have Twitter exemption.
Anthony Walker: Yes.
The Chairman: Linked to that, the challenges to Safe Harbor and the Privacy Shield tended to be from privacy organisations or privacy-minded individuals. Is there a new industry waiting to emerge which is about challenges for competitive advantage? You hinted earlier that either countries or large multinationals might start to use challenges to gain competitive advantage? Is that a burgeoning industry, do you think?
Anthony Walker: I am not sure that I would describe it as a burgeoning industry. Do I think there is potential for that? Yes, we have to be very mindful of that. Regarding mechanisms for protectionism, this is clearly one, and Governments can frame it in the way of protecting the rights of their citizens when that may not be the driving purpose. We have to be mindful of that in a changing global context.
The Chairman: As we are drawing towards a conclusion, can we focus on the impact of UK domestic legislation and the impact on it? Baroness Pinnock would like to ask a question.
Q51 Baroness Pinnock: We have talked a lot about adequacy this morning. From your perspective, what would be the impact of a partial adequacy finding from the Commission after we leave the EU? Secondly, as I might as well put the two questions together, the Government have said that they will put the GDPR fully into UK law, but what aspects of the GDPR is it not possible to keep after we exit the EU: for example, the Data Protection Board and so on?
Ruth Boardman: First, I do not see how partial adequacy would work. We would either be adequate or we would not.
Baroness Pinnock: So there is no middle ground?
Ruth Boardman: Not really.
Baroness Pinnock: That answers that question then.
Ruth Boardman: The reason that some countries have partial adequacy is that, if you look at the US where, if you are in the Privacy Shield, you are adequate, or Canada where you have less adequacy if you are subject to PIPEDA, there is no legislation in those countries which covers everybody, which allows the country as a whole to be considered adequate. The UK would be in a different situation. We would be saying, “We have excellent law, excellent remedies; you can judge us as a whole to be adequate because we have that framework”. It follows that it is kind of all or nothing, and the reason why it might be nothing would be if there was no political will or if our national security legislation precluded an adequacy decision.
Baroness Pinnock: Could you give us an example of that?
Ruth Boardman: At the moment, because we are a member of the EU, national security concerns cannot be used as a reason to prevent a free flow of data within the UK; it is outside the Commission’s competence to do that. Once we leave the EU, those concerns can be raised, so, in the same way as we saw with Safe Harbor, where those concerns lay behind its invalidation, they could be used as a reason for arguing that the UK ought not to be adequate, so that is the concern there.
Coming on to your question about the GDPR and which bits would not work, the GDPR is trying to achieve ever-closer union in the data protection space. One of its objectives was to remove unnecessary differences between member states and to try to achieve a consistent approach. If you have a law where you are taking decisions through data protection authorities at member state level, there is the potential for that to diverge over time and for that harmonisation to be undermined. There are a number of mechanisms in the GDPR which try to preclude that and which bind authorities to take decisions together. It is this idea of the lead authority and decisions being taken by the new European Data Protection Board, which has a specific status under the regulation; it can issue formal opinions and it acts almost like a tribunal. When we are no longer part of the EU, we will not be able to participate in those formal institutions, so we would need to do something different there. We would need to allow for decisions through the UK courts and there would be the obvious possibility that the UK would, therefore, diverge in approach over time, which could be a good thing and might allow us more flexibility. But it would equally mean that in any adequacy determination, those points would be kept under review.
The Chairman: Can I just follow up something as I may have misheard? Are you saying that, at an earlier point, by leaving, we are indirectly extending the reach of the European Court of Justice into areas such as national security?
Ruth Boardman: Not exactly. At the moment, our approach to those areas can already be challenged and, indeed, is subject to challenge. However, the way that we approach national security concerns cannot be used as a reason to stop data coming to the UK. We already have the Watson decision which says that indiscriminate data retention of the kind allowed in the UK is unlawful, but that does not stop other member states sharing data with us, so it cannot be used as a reason to stop data transfers. When we leave the EU, that could be asserted as a reason why we could not be adequate.
Q52 Baroness Janke: We took evidence from the Information Commissioner, and she said that non-membership of some of these corporate bodies to some extent restrained her scope of activity. What do you feel about that with regard to the GDPR in operation? Also, generally, do you feel that her role as a regulator is helpful to you in your sector, is it constrained, or does it need to be strengthened in any way?
Anthony Walker: Particularly as this new legislation comes into force and as more of the UK economy becomes digitised, having a strong, independent and well-resourced regulator becomes ever-more important, just as an enabler of the economy. Businesses need to be able to rely on the regulator for advice and for clearance in some instances and they need that regulator to have the resources to be able to respond quickly. We fully support, for example, the commissioner’s aim to employ an extra 200 staff in her team; we think that is absolutely necessary and, going forward, there will be a need to continue to ensure that the ICO is well-resourced. It is also important because, as some of the formal routes to influence are no longer available, the informal routes become more important. This will impact the UK as a whole post-Brexit, and we will have to find other ways to shape thinking and so on. The ICO can be a very powerful advocate on an international stage. It can be an advocate for good practice in getting the balance of practical and pragmatic regulation right—regulation that means something and is not just words on a page, as it were. I would argue that the ICO has an extremely important enabling role for business and for citizens, and an important role to try to engage and shape the regulatory framework as we go forward and to work with our counterparts internationally, and it needs the resources to be able to do that.
Q53 Lord Cormack: We will be making a report in due course and, clearly, we are a long way from coming to decisions, but what do you think would be most helpful for us to recommend?
Anthony Walker: First, it would be to state the importance of these issues for the UK economy and for UK citizens. As I said, clarity, consistency and confidence in these legal mechanisms and frameworks is extremely important in an ever-more global and digitised world. They are of fundamental importance to the Government’s vision of a “Global Britain” and the ambitions in Global Britain. This is absolutely a strategic issue right at the heart of that ambition. It is about recognising the complexity that is brought about by the Brexit negotiating process and by the other things happening in this environment, in particular, the question marks that arise through the Schrems II case and the uncertainty about the US Government’s position vis-à-vis the Privacy Shield and so on. It is about understanding that there is real uncertainty there that businesses are having to deal with.
The question then becomes what government can do to reassure businesses and citizens that there is a clear plan in place for putting together a very robust framework for data protection in the UK that is based on the implementation of the GDPR, and that we are doing everything we can to make sure that the UK is a great place to export digital services from, both to the European Union and to the rest of the world. That depends upon these international agreements being put in place and a recognition that putting all the onus back on individual firms creates a very bureaucratic environment that does not make the UK the best place to build, scale and run a digital business. Let us take the complexity and uncertainty away from individual firms; let us take the red tape away and let us establish the UK as a leading jurisdiction for data protection, which I think it can be.
Baroness Janke: Do I understand you to be saying that, although there is less formal power through these corporate institutions, it will be a more important role in terms of influence and advocacy? Is that what you are saying, effectively?
Anthony Walker: Absolutely, yes.
Lord Soley: It is a really core issue here because, if I were a Brexiteer, which I am not, I would be saying, “Look, you are so panicked by the fact that we are coming out of the EU yet there are all these other opportunities”, and you have talked about them, and we have talked to Japan and all the other places. Why can we not be a good standard, which not only fits with Europe but fits with the wider world or can be adjusted in those cases? Do we have to say, “This is a total disaster and we are all going to die”, or do we say, “If you look at the other side, this could be an opportunity, as long as we meet what is a very large part of our obvious market, the EU, for those basic standards”?
Anthony Walker: I think we can and that absolutely should be the objective, but we have to recognise the constraints that the GDPR puts on that flexibility. If you lose the ability to have an adequacy arrangement or some other arrangement in place that makes it very easy for businesses to do business with each other or for UK firms to sell direct to consumers across the European Union, then you lose the benefit of the flexibility. As I said, it is about carefully putting together the jigsaw so that all the bits fit together. If we are really smart, we can do a good job at that while also seeking to influence and shape future thinking in the European Union about the future direction of law in these areas.
Lord Soley: Ms Boardman, I take it that this can go in your next encyclopaedia on data protection?
Ruth Boardman: To your point of whether there is a Brexit bonus that we should be trying to get out of this, the regulation is not perfect; there were many things that could be done differently and better. However, not getting adequacy or doing things which would make it harder for business is likely to be very disruptive and give competitors a good argument to have against us. Also, businesses and public bodies are having to prepare, assuming that the GDPR will come into force in full. While there may be opportunities to alter things and do things better in the medium term, trying to do it in the short term risks being hugely unsettling; it stops you planning, you have too much change and it risks impacting on adequacy.
Anthony Walker: I would add to that that we have had repeated conversations and interviews with hundreds of our members ever since the referendum last year and this is the constant message that we get back from our members, large and small. It is absolutely the majority view that the UK should seek to adhere as closely as possible to the GDPR framework.
The Chairman: In your dealings with the relevant government departments handling these issues, are you reassured by what you hear in their planning, knowledge and acceptance of the challenges?
Anthony Walker: Immediately following the referendum, we identified this as being one of the three key strategic issues, in particular for digital businesses in the UK, which we would try to describe as the need for a digital passport. We were very reassured by how quickly Ministers and government departments picked up on that and made assurances that there would, indeed, be unhindered data flows post-Brexit. In terms of the recognition of the issue, we are pleased and reassured about that.
Regarding having a clear route forward, there are still a lot of question marks. It is unclear to us yet whether the UK Government are really committed to the adequacy route. Potentially, they could look at other routes in trying to address this issue within a new treaty arrangement between the UK and the EU, whether it is the overall new relationship or in a specific data protection treaty. There is some interest and willingness that we detect on the part of the European Union in addressing these issues in a treaty-type relationship. A paper published by the Commission in January started to talk about these issues. There could be other routes to that, but, as with all aspects of Brexit and the negotiations, the negotiations will be complex, there are a lot of interests out there across the European Union which may diverge from the UK perspective and there will be some knotty issues along the way, so it is by no means automatic.
One thing we worry about is that, on the long list of issues that are priorities, when you come to the very end of the negotiations, this one drops off the list and is traded away, which would be extremely problematic for the UK economy. It is essential that that does not happen and there has to be a clear route for addressing this through the new relationship, and there may well need to be transitional arrangements, but this is of strategic importance to the UK economy.
The Chairman: Thank you very much indeed. Your evidence and responses to our questions have been extremely helpful. If, as a result of today’s session, anything occurs to you that you think might be helpful as we prepare our report, please do not hesitate to send us further information. In the meantime, thank you very much on behalf of the Committee.