Select Committee on the European Union
Home Affairs Sub‑Committee
Uncorrected oral evidence: Brexit: the EU data protection package
Wednesday 20 December 2017
10.30 am
Members present: Lord Jay of Ewelme (The Chairman); Baroness Browning; Lord Condon; Lord Crisp; Baroness Janke; Lord Kirkhope of Harrogate; Baroness Massey of Darwen; Lord O’Neill of Clackmannan; Lord Ribeiro; Lord Ricketts; Lord Soley; Lord Watts.
Evidence Session No. 6 Heard in Public Questions 69 - 82
Witness
I: The Rt Hon Matt Hancock MP, Minister of State for Digital, Department for Digital, Culture, Media and Sport.
USE OF THE TRANSCRIPT
The Rt Hon Matt Hancock MP.
Q69 The Chairman: Welcome to you, Minister, straight from the “Today” programme.
Matt Hancock MP: Yes, on a slightly different subject.
The Chairman: Indeed. Thank you very much for coming and giving evidence to us today. As you know, this is a public hearing and the transcript will be sent to you after the hearing. We know that you have to go shortly after 11.30 am, so we will go through our agenda briskly.
This Committee has focused quite a lot on data protection over the last year or so. We produced our report, “Brexit: the EU data protection package”, in July. That was discussed at the same time as the Second Reading of the Data Protection Bill on the Floor of the House. There was also a suggestion on the Floor of the House by Lord Stevenson of Balmacara, supported by Members from all sides of the House, that it would be good if this Committee were also to look at the way in which the GDPR is covered by the Data Protection Bill, so there are also one or two questions on the GDPR.
As I said, we are very grateful to you for coming. Would you like to go straight into the questions, or would you like to make a statement before we get going?
Matt Hancock MP: I will briefly say that this Committee’s attention on this topic is very welcome and I have been following what you have been saying closely. The cross‑party support for the Data Protection Bill in this House—and I hope in our House, when it comes in the new year—is important, because there is a very strong degree of consensus on the aim, which is a high‑quality data protection regime with unhindered free flow of data between the UK and adequate other countries, notably the EU, upon exit. That is what we are all aiming for, and the question is how best to get there.
Q70 The Chairman: That is very helpful. Thank you very much. Perhaps I could ask the first question. Looking forward a bit, where will discussions on data transfers fit into the next stage of the Brexit negotiations, now that we have come to the end of phase one and are about to move into phase two after Christmas? It would be helpful to have your thoughts on that, in particular whether there will be separate discussions on data transfers for commercial purposes and police and security co‑operation. We have seen what the Information Commissioner told the Commons Home Affairs Committee recently. Her “best advice to the Government would be to move forward on a comprehensive agreement on data … The best way forward to get it done probably would be one agreement”. I just wondered if that was your view, too.
Matt Hancock MP: We take the Information Commissioner’s advice very seriously and I can certainly see the attractions to that. Having said that, the EU is yet to publish its negotiating mandate in this area, so we are not in a position to answer that question concretely. Having published in August a very clear document setting out our goals, which went down well both here and in Europe, and with the Europeans publishing a slightly different, but shorter, document a few weeks after that, which was also helpful, we are now awaiting the negotiating mandate to answer for certain those sorts of questions. But I can see the ICO’s point.
The Chairman: When negotiations start on phase two, can you tell us a little about how those will be handled? Perhaps you could say at the same time something about the relationship between the DCMS and the Home Office. In a way, this is a hugely important issue that is divided between the two of you. How does that work?
Matt Hancock MP: Yes. The overall responsibility for data protection resides with DCMS. I am the Minister responsible, and hence I am the Bill Minister for the Data Protection Bill. Nevertheless, it is an area that cuts across many different departments, of which the Home Office is the biggest other department. There is a big and very important interaction with the Department of Health, for instance, with respect to health data, and with the MoJ with respect to the offences and the tribunals. There are interactions across government, but the Home Office is the biggest other policy lead in this area with respect to law enforcement and intelligence data. On the Bill, while I am the lead, in both Houses we will have a Minister from each department taking the Bill through.
When it comes to EU negotiations, we will have the same structure. DExEU has set out that in the next phase it will be for individual departments in some circumstances to lead the negotiations. We in DCMS have been hiring over the last year or so in order to make sure that we are ready for those negotiations. That is on track, we are well set and we look forward to them starting. I cannot go into any more granular detail than that because we have to wait for the negotiating mandate to be agreed, but following the successful completion of phase one earlier this month we are now well on the way to doing that.
The Chairman: Thank you. That is very helpful.
Q71 Lord Kirkhope of Harrogate: Thank you very much for that. I am a little disturbed by the remarks of Elizabeth Denham. Looking at it from my background in Europe, it seems to me that we have to be careful that we do not bulk data into one simple package. Look at the difference in safeguards and limitations between commercial agreements and those involved in investigation of criminality, for instance, where there is a much more sensitive level of personal data. In the context of the interdepartmental discussions, whatever the EU sets down, are we making this distinction sufficiently in our considerations? From a European history perspective, there have been very different methods. Even in our dealings with the United States, in some of the agreements, depending on the nature of data, there are different safeguards, limitations and criteria. It is a very different thing. I wonder, when you are dealing with it from your perspective, how you look at it.
Matt Hancock MP: Yes, those distinctions are very important. In fact, we are setting them out in law in the Data Protection Bill. The Bill covers personal data, where the GDPR applies in some circumstances, law enforcement data in a separate part, and intelligence data in another part. These are the three broad areas of data law, but we put them together in one Data Protection Bill so that there is a full spectrum data regime in place and in one place.
Until the withdrawal Bill becomes law, the GDPR will apply directly, but the Data Protection Bill is designed so that the GDPR from EU law will slot directly into it. Pre Brexit, the Data Protection Bill is a full‑spectrum UK law for those areas of data protection that are under UK jurisprudence. Until exit, the EU law applies with respect to that personal data that is in the jurisdiction of the EU. Then, upon exit, the EU law will slot in consistently with the Data Protection Bill. That is why it is structured in the way that it is. The result is that, post Brexit, we will have a full‑spectrum data protection regime in one Bill.
The same three categories apply with respect to the negotiations. In a way, whether you deal with them under one or separate headings, they all have to be dealt with. They are all a matter of fact. By 28 May next year, subject to the will of Parliament, they will all be in law, whether EU or UK law.
I take your point about the tonality of the negotiations with Europe, but we need to make sure that they are all covered. We are working very hard to make sure that we get that right.
Q72 Lord Condon: Good morning, Minister. We have assumed, based on the evidence that we have received, our report and information after the report, that the seeking of an adequacy decision or adequacy decisions is the most likely way forward for the UK Government. The Information Commissioner reminded us that, because those are with third countries, it is unlikely that one could be obtained before Brexit. Have you and your colleagues had a chance yet to help us with some thoughts about timescales over adequacy once it starts? If the Information Commissioner is right and it will not be in place by Brexit, how will the interregnum be managed when we are out and there is no adequacy decision?
Matt Hancock MP: This is a very important question, because it is critical that we have uninterrupted, unhindered free flow of data. Both for the rest of the EU and the UK, it would be a very serious problem if we were not to have the unhindered free flow of data, or even if there were to be an interruption of the free flow of data. This is where the time-limited implementation period is important.
As we set out in August, we are seeking that unhindered free flow of data. An adequacy decision is one way of achieving that. That could be achieved by having an agreement to roll over the existing position during the implementation period and then finalising the adequacy decision during the implementation period when we are no longer members of the EU. I would hope to do that as quickly as possible. I want to provide as much certainty as possible.
Having said that, that is not the only way of doing this, but what matters is the unhindered free flow of data. As we also set out, we are not just looking for an adequacy decision, but we are proposing that at a technical level—not in rule‑setting, but in discussions about the technical interpretation of the Section 29 working party—the ICO continues to be involved, to make sure that the UK expertise, which is very great in this area, continues to inform EU decisions.
Lord Condon: If there is no rollover for the current arrangements in anticipation of an adequacy decision—as you have said, it is not the only route—what is plan B to ensure continuity? What is the next preferable route if there is no rollover or you choose not to seek a rollover?
Matt Hancock MP: There are alternatives, but an alternative that does not provide for the uninterrupted, unhindered free flow of data will not be as good. I am confident that we will be able to get the rollover that we seek.
Lord Condon: There is no plan B mechanism that you can articulate to us today.
Matt Hancock MP: There is a series of alternative options. Between third countries that are not deemed adequate by the Commission, it is possible to transfer data based on contractual agreement. These things are possible, but it is just cumbersome.
Lord Condon: They are very much second best.
Matt Hancock MP: That is right. We are not aiming for that.
Lord Condon: No, you want a rollover.
Matt Hancock MP: We want to make this as easy as possible, because it is very clearly in the interests of both the UK and the rest of the EU. There are alternatives, and we set them out in an annexe to the paper in August.
Q73 Lord Soley: Can I ask about the implementation period, which is crucial? Do you see this as being a series of things that you know in advance you will need to address, or do you see it as a rolling negotiating period where you smooth out the problems, some of which you may not have been aware of at the beginning? Do you see what I mean? The implementation period is critical.
Matt Hancock MP: Our goal is that there is one moment of change for business at the end of the implementation period in this area. Because the free, unhindered flow of data is so important, we hope that that change will not be at all significant. Because one of the options on the table for getting that goal, which is the adequacy decision, requires us to be outside of the EU in order to get it, that makes the implementation period important. If we get the rollover, it does not matter when within that period we formally get the adequacy notification because the unhindered free flow can continue.
Lord Soley: I understand that, but does it not imply that at the end of that there has to be a continuing close engagement between the UK and the EU on implementation, because it will be constantly changing?
Matt Hancock MP: I see. There will have to be continued close involvement, as there is with other jurisdictions, because the nature of data is that if you send it to one country it can be sent to another. There is already a regular review under EU adequacy rules with other third countries. Other countries that are nothing to do with the EU and have free flow of data relationships with each other also check that their data protection is adequate. The big picture here is that you have to have confidence in another country’s data protection regime in order to have the unhindered free flow of data.
That close co‑operation and discussion has to happen with any country that you are going to have that free flow of data with. For instance, it happens between the EU and the US all the time. We will have to replicate that when we are outside the EU.
Baroness Massey of Darwen: Good morning, Minister. To follow up your comments about the adequacy decision, are there any areas in which the UK will be able to diverge from EU data protection laws without jeopardising the prospect of retaining an adequacy decision? For example, are there plans to make a change in future to the right to be forgotten?
Matt Hancock MP: We have no such plans. After all, I am in the middle of legislating a rather large Bill in order to bring us into alignment, so it would be odd also to be planning to disalign.
Q74 Lord Kirkhope of Harrogate: Post Brexit, we presumably want to maintain our relationship, whatever we have agreed on adequacy, at the point of leaving. Are we going to have a lot of reviews? How are we going to accommodate reviews that the EU might do, whether it is here, there or wherever?
What concerns me a bit, I have to say, is this issue, post Brexit, of changes in the requirements on the level of protection of data, because these are regular things, as you know, in Brussels. There have been loads of changes in relationships with third countries, as well as within the EU. If the Commission decides that the level of protection for personal data in this country, perhaps as a result of court actions here, is unsatisfactory, it might suddenly prohibit transfers. The European Parliament would have a view on that, I am sure, as would the ECJ, which will not be competent over British subjects or Britain but will still be competent not only over European subjects but over European statutes and things such as agreements on data.
I am interested to know not so much how we lead up to Brexit and the adequacy, as it is called, but how we maintain that without accepting, as the Government are indicating, any competence of the ECJ.
Matt Hancock MP: We will not be accepting the direct application of the ECJ. In the nature of the free flow of data arrangements around the world, between the EU and third parties and between other countries, ongoing reassurance is needed that the other country’s data protection regime is strong. We see this with the Privacy Shield with the US; there is a constant debate about whether the EU thinks that the US data protection regime is strong enough to justify the continuation of the Privacy Shield. As it happens, we strongly believe that it is and we are co‑joined in action to support it as a Government, because we think it is in a good place.
That ongoing dialogue will be a feature of our relationships with trading partners around the world after exit, both with the EU and with other trading partners with whom we want to have a free flow of data. I suppose that part of modern international economic relations—not just economic, but especially economic relations—is that you have this constant dialogue. I am confident that we will be in a good place because the standards of data protection in the UK will be significantly higher and more aligned with the EU than many other countries that already have adequacy arrangements with the EU.
As it happens, I think the GDPR is a good law. We are bringing it into UK law not just for areas where it directly applies but for areas under domestic jurisdiction, because we think it is a good set of arrangements. It was heavily influenced by the UK and is based essentially on the UK Data Protection Act that it replaces, although it is stronger for citizens. It is the right thing to do anyway. It is also very important, because it gets us adequacy.
There will be a constant relationship, because that is part of the nature of international relations in the modern world.
Lord Kirkhope of Harrogate: I do not want to trespass on another question, but I would just make this point. You referred briefly to the Privacy Shield, which was Safe Harbor originally. There were considerable problems there, and changes had to be made to provide the assurances that the EU, and indeed the US, needed. These things are liable to be constantly reviewed and changed. Presumably, therefore, this country should always be in a position to adapt what it has in place to fit the requirements, which are then in their own way subject to things like the ECJ, or in the United States’ case its own Supreme Court, Congress and Senate.
Matt Hancock MP: The difference with the situation now is that it will be the sovereign decision of this Parliament, rather than the direct decision of the EU under the direct jurisprudence of the ECJ. We would have the option as a Parliament to remove or change data protection, but that would be the wrong thing to do. Part of the domestic, sovereign debate about whether that should happen would be the response of other international organisations, whether the EU, the US or anybody else we have a free flow of data relationship with. That is the nature of how these things are kept.
Something else is important here. A further reason why it is so clear in my mind that we should stay aligned to the GDPR rules is not just because they are good rules but because they are extraterritorial. This is important. The EU has, I think for the first time, legislated an extraterritorial rule. If you want to deal with EU citizens’ data, wherever you are in the world, you have to comply with the GDPR. If you are in a country that has no data relationship with the EU, you want to trade with the EU and there is data underpinning that trade, as there is with nearly all trade these days, your company must comply with the GDPR.
The GDPR will, I think, become a global benchmark, because countries that want to trade with the EU, which is most countries around the world, will want to comply with the GDPR. It is in our interest, for our global trading relationship, to have the GDPR in place in the UK. Just because, as a sovereign nation, we can choose for ourselves whether we do, that does not mean that it is at all sensible not to. It is a very good idea to.
The Chairman: If we keep close enough, we also benefit from the extraterritoriality regime, which follows from the GDPR.
Matt Hancock MP: That is correct.
The Chairman: We will effectively become part of that.
Matt Hancock MP: We will be a third country and our companies will be subject to the GDPR if they trade with Europe anyway, whether we follow the GDPR in the UK or not. It is another reason to follow the GDPR in the UK.
Q75 Lord O'Neill of Clackmannan: Minister, you mentioned in relation to the EU‑US Privacy Shield that you took what I think would probably be regarded as the Commission position: that things were satisfactory. The Article 29 working group identified a number of significant concerns that need to be addressed, such as the lack of guidance and clear information on onward transfers; the rights, available recourse and remedies for data subjects; and collection.
Has your department or the Whitehall machine, given that there are a number of such departments involved, made any assessment of the appropriateness of the EU‑US Privacy Shield as it affects the UK? Has something been done by Britain, rather than the Commission or the Article 29 group?
Matt Hancock MP: We have seen the conclusions of the Article 29 working group. The overall conclusion is in support of the Privacy Shield. There are always questions on details, and this pertains to the previous discussion with Lord Kirkhope. But we are confident that the Privacy Shield is not only legal but good policy. One thing that is referred to is the need to ensure enforcement on the US side of its commitments, but there is a process for doing that. The Information Commissioner leads at the UK end of that.
We have seen those. It is perfectly reasonable continuously to challenge these arrangements to ensure that they work for both sides, but we think that those conclusions nevertheless provide a support for the legality of the current arrangements.
Lord O'Neill of Clackmannan: I would be right in saying, then, that the UK Government have not done a report on their own in this respect. They have merely signed up to the Commission’s work, satisfied that it is there. One would imagine that, on the date we leave or during the transition period, such a reporting procedure would be set in place.
Matt Hancock MP: Yes, I would imagine that there will be UK requirements to do more work in this area. While we are a member of the EU, we are a full member of the EU. This is an area of Commission competence. It happens to be one where we wholeheartedly agree with the Commission.
Lord O'Neill of Clackmannan: Why have a dog and bark as well?
The other thing that came out of the review was a concern about the rogue companies that falsely identify themselves as having Privacy Shield certification. What are the Government doing to help UK companies identify and confirm that they are transferring personal detail only to bona fide Privacy‑Shielded companies?
Matt Hancock MP: This is an important implementation and enforcement matter. In a way, the fact that there is challenge here shows that the system is working. Once you are on to the detail of how you deal with people who are not abiding by the rules, you are past the point of saying, “Are the rules the right ones?” We have a system in order to do that, which the ICO leads on and will be able to describe in more detail. But I am confident that the rules are right and that we have the right body, the ICO, in place to make sure that they are enforced as well as possible.
Lord Watts: So that I am clear, Minister, you seem to be indicating that, whatever rules are developed by the Commission, the British Government will accept them in order for that data flow to take place. In reality, the only difference between now and then is that the British Government will have no involvement in the development of those rules.
Matt Hancock MP: As I mentioned, we are proposing to have continued engagement with the Article 29 working party, which is this technical group that does not set the rules but asks the questions and is involved in the technical details.
I am not indicating that we will automatically agree to future rule changes, but the GDPR has only just been agreed by the EU and we think that it is a good law. If there are future changes to data protection rules once we have left, should we have an adequacy arrangement, it will be up to future UK Ministers and Parliament to decide whether to put those rules in place and the impact of that on adequacy. I am saying that we have no plans to diverge now because we think GDPR is a good set of rules.
Q76 Lord Soley: You have answered this question to some extent, but let me probe a little further. How do you make sure that, when the US and UK are trading, we do not come into conflict with any of the adequacy agreements with the EU?
Matt Hancock MP: There is an open question as to whether in the future a UK‑US Privacy Shield‑type arrangement will be needed, or whether we could do that under the umbrella of being an adequate third country of the EU. The goal is clear: high‑quality data protection standards on both sides and an unhindered free flow of data. You might hear me say that quite a lot, but that is the clear position. As the EU strikes adequacy deals with countries around the world, there will be a growing jurisdiction of adequate third countries that the Commission has deemed to have good enough data protection standards to have the free flow of personal data, and where the GDPR applies to any of their companies that are transacting in a data sense with the EU anyway.
This is why I can see the spread of GDPR‑type standards around the world. You can foresee, over the years and decades ahead, an area around the world of countries that have adequacy agreements with the EU, which are then able to transact in data with each other.
The crucial question for British citizens as well as for the Commission is this: are those data protection standards good enough for us to trust that jurisdiction with that free flow of data? It is the right question. It is a domestic public policy question as well as a matter for the negotiations, where we care very deeply that we have good data protection standards.
Lord Soley: That is helpful. I take the view that Britain is well ahead on data protection, which gives us an advantage. Can you tell us about other third countries? One that springs to mind, as a major trading partner, is China. Are we expecting this to move towards some sort of international agreement of the GDPR? How do you see that functioning? How are we going to trade with such countries without being in breach of European rules, remembering that there is a lot of export and re‑export?
Matt Hancock MP: We currently trade with China on the basis of not having a data relationship intergovernmentally. As I said in answer to the question right at the start, there are other mechanisms for exchanging data based on contracts. We would only want to have the unhindered free flow of data that is not based on that sort of contractual arrangement, or other statutes that are not as strong as adequacy, if we had full confidence in the data privacy of the regime of the other third party. We are not there yet with China.
Lord Soley: I cannot help feeling that this is going to be a very complicated area, particularly with countries such as China as they get more technologically able, and we are re‑exporting. We are importing from them, making additional changes to the product and then re‑exporting to Europe.
Matt Hancock MP: That is absolutely right. Almost all trade has some sort of data attached. Increasingly, trade has a huge amount of data attached. When Rolls‑Royce sells aircraft engines, it in fact no longer sells the aircraft engine; it sells the air miles, not in the sense that you might enjoy them, my Lord, but in that it hires out an engine to power an aircraft for a certain amount of miles. The data from that engine comes back directly to Rolls‑Royce so that it can foresee when there might be a problem and make sure that it is maintained properly. That is a highly sophisticated data relationship, and these increasingly underpin all international trade.
We talk and think a lot in the economic space. The social interactions are also incredibly important, because people transfer their personal data in social relationships. It is an incredibly important area. It is reasonably complicated, but we have tried to simplify the principles of what we are trying to achieve to very high-level ones, which are the free flow of data between countries with good data protection regimes. A good data protection regime, in our case, looks like that which is in the GDPR and the Data Protection Bill.
Q77 Baroness Browning: Good morning, Minister. What assessment has your department made about the prospects for securing a role for the Information Commissioner’s Office on the European data protection board? Is that important and does it need negotiating, or have you looked at that and decided that it is not something that you would press?
Matt Hancock MP: We set out what we are seeking in the paper in August. We cannot really go much further than that until the EU has set its negotiating mandate and we conclude the negotiations on this. As we have discussed, and has been demonstrated by the discussion, continued close engagement is important and would have to be done in any circumstances. We have a huge amount of technical expertise in the Information Commissioner’s Office, so it is important that we have continued engagement on this. You cannot get away from it in the modern world.
Baroness Browning: If it is not possible to specifically get agreement to a role for the Information Commissioner’s Office, how would you see us influencing future standards in the EU, post Brexit?
Matt Hancock MP: It would depend on where the negotiations got up to, but ultimately there are lots of ways to influence. We can do that through discussions through diplomatic channels and with the member states of the EU, as well as with the Commission. There are plenty of ways to have those discussions. Should there be an adequacy‑type arrangement in place, I imagine there will need to be a formal set of discussions anyway, as there are with other adequate third parties. That sort of engagement is a necessary underpinning of trade in the digital age.
Baroness Browning: Is it something that your department is pressing for?
Matt Hancock MP: Yes, it is something that we are seeking.
The Chairman: Is there going to be some sort of formal negotiating mandate after we have left?
Matt Hancock MP: God, I hope the negotiations are over by then.
Q78 The Chairman: Do you envisage there being some sort of formal arrangement between the UK and the EU after we have left, or just constant discussions about how things are going to change?
Matt Hancock MP: Part of an adequacy decision by the Commission is an annual check that the data protection rules remain consistent with the Commission’s requirements for any third country that gets an adequacy decision. The difference between now and then, as I said earlier, is that that will be an EU decision, for us to respond to domestically as we see fit. It will not be a directly applying decision, as it is now.
Q79 Lord Kirkhope of Harrogate: It may be of assistance, it may not, as a precedent for a solution. A model was introduced between the United States and Switzerland to sit alongside the Safe Harbour Agreement, which fell, as we know. Nevertheless, there was a joint supervisory arrangement there, which seemed to be very satisfactory. Is there a special role for some new body or way of monitoring outside the specific EU institution?
Matt Hancock MP: I do not want to speculate on exactly how it would happen, but we will need to make sure that these agreements are policed both with the EU and with other countries in whose data relationship we have confidence. In the first instance, our judgment on whether another third country is adequate for the UK will be heavily influenced by Commission decisions. We would not want the UK to become a passport to inadequate third countries. Since the nature of data is that you can ping it on at the drop of a hat, that would not work; hence the expanding global area that has adequacy arrangements with the EU is an important basis of a global free flow of data area. The heart of that sort of solution is the GDPR.
Q80 Lord Watts: Minister, what legal framework will underpin data protection rights for UK citizens once we are out of the Charter of Fundamental Rights? How will references in the GDPR to the Charter of Fundamental Rights be dealt with after the UK leaves?
Matt Hancock MP: The legal basis will be the Data Protection Bill plus the GDPR, which will be brought into domestic law through the withdrawal Bill. The way I like to think of it is that the Data Protection Bill is the full spectrum of data protection: intelligence, law enforcement, personal data that is currently in the jurisdiction of the EU, and personal data that is not in the jurisdiction of the EU. For those four sections, the GDPR will directly apply from 25 May next year and then on 29 March 2019 will slot in so that we have a full-spectrum British data protection regime.
Lord Watts: Are the mechanics for that to happen being developed now?
Matt Hancock MP: They are being legislated on in my House. I am having to miss the gala opening of “Hamilton” this evening so that I can vote for the EU (Withdrawal) Bill. Yes, it is coming to your House in January.
Lord Watts: I actually meant the practical steps that would be required to do that transfer. Are you planning for that now?
Matt Hancock MP: Yes, absolutely we are.
Lord Watts: It is not just the legal side, but the practical steps that you take.
Matt Hancock MP: There is a body of work and we have hired very good people into DCMS to make sure that it can happen.
Lord Ricketts: I am not yet a member of the Committee, but perhaps I am allowed to probe the Minister. I will be shortly.
The Chairman: Yes, you are allowed.
Lord Ricketts: When looking at the architecture, since the Data Protection Bill will have an intelligence pillar and a law enforcement pillar, I was just asking myself whether there was any interaction or overlap with the proposed UK‑EU security treaty that we are going to pursue as part of phase two of the negotiations. That will also be regulating large areas of the UK’s relationships on the security front with the EU. Is there a data protection component to that or are they completely separate?
Matt Hancock MP: If I may say so, it is a typically incisive question. My answer is that, until the EU negotiating mandate is set, we do not know.
Q81 Lord Condon: I wonder if you could help us think about how our current Investigatory Powers Act fits into all this. The Court of Justice of the European Union has made some pronouncements about the existing Bill. We know that it is the Government’s intention to amend it and we acknowledge that the Home Office is leading on the public consultation. At the moment, we are able to play the national security card around the Investigatory Powers Act when we are challenged. As a third country, we will not be able to play that card so forcefully, if at all.
Are you and your colleagues in your department worried about how the Investigatory Powers Act, now and then, might hinder the progress towards rollover of existing arrangements and then journey towards adequacy?
Matt Hancock MP: I am very comfortable with the Investigatory Powers Act in this area. The reason is that, in bringing in the Act, we put forward judicial oversight, so there are very high levels of scrutiny. The system that we have is consistent with many other systems around the world. I am comfortable that the Investigatory Powers Act is a good basis on which to proceed.
Lord Condon: Even though the Home Office is leading on the public consultation about what happens next with the Investigatory Powers Act, how do your department and the Home Office synchronise activity on this?
Matt Hancock MP: We are synchronised like swimmers.
Lord Condon: You are kicking your legs in the air.
Baroness Browning: You are waving, not drowning.
Matt Hancock MP: There are very high levels of co‑ordination between the two departments. There is exchange of staff; there is constant ministerial engagement to get this right. Ultimately, the robust oversight and safeguards in the Investigatory Powers Act give us a good basis on which to proceed.
Lord Condon: Do you think that will be good enough for the adequacy evaluation? Will our judicial oversight reassure them?
Matt Hancock MP: Yes, I do.
The Chairman: You mentioned earlier that it was not just you and the Home Office but the Department of Health and virtually every department presumably has some kind of data protection issue. Is there a Whitehall working group or committee looking at all of this, covering all departments? Are you leading that?
Matt Hancock MP: Yes, we lead on this policy area, but data protection regulation affects every Whitehall department directly, because Whitehall departments hold data. Whitehall departments are also responsible for agencies that hold significant amounts of data. We have a co‑ordination group to ensure that the Government are ready for the Data Protection Bill to become law on or before 25 May. There are then the policy questions, as I mentioned. There is cross‑Whitehall co‑ordination on this, which is very important.
Lord Ribeiro: Sorry for being late. I have a supplementary question. Minister, you have clearly decided that the GDPR is something that we will absorb and accept, and it is a bedrock for what we are going to do, but we are going to become a third country. With the speculation that you read in the media as to whether we are going to be a Norway or a Canada‑plus‑plus‑plus, how would accepting the GDPR and all its constraints determine what type of third country we are?
Matt Hancock MP: I hope it will mean that we are an adequate third country for data protection purposes. The closeness of the future relationship, whatever the forms of the overall agreement, will require us to have a strong data relationship. I do not characterise the future arrangements in terms of any other individual country. It is so obviously in the interests of the UK and the rest of the EU, given that we have precisely aligned regulations in this space. I would argue that we would choose to do this anyway, even if the adequacy arrangement was not a consideration, because it is a good law. We could not be closer. We will continue to be that close, largely because the GDPR has a huge amount of British influence in it. It is a good regime.
Q82 Lord Kirkhope of Harrogate: On this point generally, we have, as you rightly suggest, been very much involved in preparing data protection in Europe and elsewhere. Britain has been in the lead.
Matt Hancock MP: That includes you.
Lord Kirkhope of Harrogate: I am not claiming anything personally. I have been involved, yes, but there are many, many people. The British officials and other people have been integral in this. I am concerned that we will move to a role that, as has just been said, inevitably means that we no longer have the sort of enormously strong control or influence over the development of data protection, and we will tend to be the servants, as it were. I was going to say that we could end up being masters of nothing, to use a literary reference. It worries me, it really does.
Matt Hancock MP: Flattery is the nicest form of compliment. It is an inevitable consequence of the decision to leave the European Union that we will become a third country. That is a consequence of the vote last year. The question is how we make sure we get the best of that. In terms of both our future relationship with the EU and our future global trading relationship, the best way to do that is the course that we have set out, including the proposal for continued working‑level, technical, formal relationships with the EU, because of the nature of these rules and their importance not only to us and the EU, but increasingly to the rest of the world, given their extraterritorial nature.
The Chairman: Thank you very much, Minister. We are very grateful to you and very sorry indeed that you are missing “Hamilton” tonight, but it is for a good cause, I am sure.
Lord Kirkhope of Harrogate: As we are unrestrained by similar Whips as the Commons, as a thespian I would like to volunteer to represent the Minister at this very important production.
The Chairman: I am sure we would elect you. Anyway, thank you very much indeed. That has been extremely helpful to us. Perhaps on behalf of the Committee I can wish you and your staff a happy Christmas.
Matt Hancock MP: Likewise. Thank you.