Data Protection (Adequacy) (United States of America) Regulations 2023 - Motion to Regret

– in the House of Lords am 6:29 pm ar 22 Tachwedd 2023.

Danfonwch hysbysiad imi am ddadleuon fel hyn

Lord Clement-Jones:

Moved by Lord Clement-Jones

That this House regrets the Data Protection (Adequacy) (United States of America) Regulations 2023 and regrets in particular (1) the absence of an Impact Assessment at the time it was laid; (2) the lack of any public consultation; and (3) that the explanatory material laid in support does not provide sufficient information to gain a necessary understanding of the instrument’s policy objective and intended implementation.

Relevant document: 53rd Report from the Secondary Legislation Scrutiny Committee, Session 2022-23

Photo of Lord Clement-Jones Lord Clement-Jones Liberal Democrat Lords Spokesperson (Science, Innovation and Technology)

My Lords, this is clearly box-office this evening. As soon as I saw the Secondary Legislation Scrutiny Committee’s report and its comments, I thought these regulations were a prime candidate for a regret Motion. This does not mean that the Minister has to be quite as persuasive as he would be if they were subject to the affirmative process, but it does mean that he has to recognise they we are not just going to let this kind of important secondary legislation go through on the nod—especially where his department has not excelled itself in giving the necessary explanatory and impact assessment material.

On purely procedural grounds, the tale of how DSIT has dealt with this SI is not a happy one. These are regulations made under Section 17A of the Data Protection Act 2018 to establish a data bridge with United States of America through the UK extension to the EU-US data privacy framework. The impact assessment for the regulations was first submitted on 4 August for Regulatory Policy Committee scrutiny, and the RPC’s initial review of it, sent to DSIT on 15 September, found that it was not sufficiently robust and identified areas where improvements should be made. As the RPC states:

“We considered that the points raised would generate a red-rated opinion, if not addressed adequately”.

Following discussions, DSIT submitted a revised impact assessment on 20 September. The data protection adequacy regulations were laid before Parliament the day following, 21 September.

In its report of 17 October, the SLSC said:

“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.

The regulations are drawn to the special attention of the House on the ground that the explanatory material laid in support provides insufficient information to gain a clear understanding of the instrument’s policy objective and intended implementation.

The SLSC also said:

“We regret that … important context to the UK Extension to the EU-US Data Privacy Framework was not included in the EM. While the purpose of the Regulations is made clear by the EM, without the additional information provided by the Department and the link to the Government’s analysis, it is not possible for a reader of the EM to understand fully the policy context and framework of the adequacy decision and how this policy was developed. We therefore ask the Department to revise the EM to include the contextual information and the links to relevant external material. We are disappointed that the Department was unable to provide a final, green-rated IA when the Regulations were laid before Parliament … We regret— and this is a broad point which comes up time and again—

“that this is a further example of relevant impact information not being shared with Parliament at the right time … We take the view therefore that it would have been desirable to carry out a public consultation”.

The SLSC concludes:

“We regret the absence of the IA and of a public consultation and recommend that the EM be revised to include the missing contextual information”.

If it had not been for the noble Baroness, Lady Jones, bumping into me today, I would not have realised that the Explanatory Memorandum that I read to prepare my speech today had been switched from 20 September to 21 November. I have the two versions in front of me, thanks to the noble Baroness, and they do differ. It seems extraordinary that two months should elapse before we get the revised memorandum. When I actually looked at it, I realised that it is considerably different. I am not surprised that the SLSC had something to say about this.

All the basic data protection principles that the US is meant to observe are set out in paragraph 7.7 of the new Explanatory Memorandum. They appear nowhere in the original memorandum. There is a whole slew of things: international data transfers, the need to consult expert counsel, and the fact that the Information Commissioner has produced an opinion, which I shall go on to talk about. There is also a third element of considerable importance: the impact on monetary net present value, under paragraph 12.3.

These are considerable changes, and it has taken two months and this regret Motion to elicit that kind of response from the department. That is not a happy start to these regulations: are these teething troubles at the new department, or something more serious? What is the Minister’s response to all these criticisms, in particular the lack of public engagement and the whole process by which these Explanatory Memorandums are produced?

This new arrangement is designed to be compatible with the EU-US data privacy framework and is what we must now call the UK-US data bridge. It came into force on 12 October 2023: from then on UK businesses may transfer personal data to US organisations certified under the UK extension to the EU-US data privacy framework without the need for alternative safeguards such as standard contractual clauses. Those US organisations that have committed to complying—and this is important—with the enforceable principles and requirements under the UK extension to the EU-US data privacy framework can be identified on the data privacy framework list. Organisations not subject to the jurisdiction of the US FTC or the US DoT are not eligible to participate, and that includes major institutions such as banks and insurance and telecommunication companies.

This is what a prominent firm of lawyers has said about the new regulations and the bridge:

“Organisations should take care to review the nature and scope of transfers permitted in practice and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, certain journalistic personal data may not be transferred in reliance on the UK-US data bridge. It will also be necessary to actively indicate to the US recipient organisation that it must treat genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation as sensitive information. Whilst these types of data are special categories of data under Article 9(1) UK GDPR, they are not designated as sensitive information under the UK Extension to the EU-US Data Privacy Framework. Specific identification to the data recipient is therefore required. There are also specific requirements regarding the transfer of certain criminal offence data.”

The deeper you dig, it still remains potentially very complicated, and I wonder what guidance the department is giving in detail on this. For example, how exactly do the UK and the EU data bridge agreements translate to a US state basis? Do they require state ratification of some kind, or verification of the principles they adopt? If we are comfortable with the data adequacy aspects of the UK-US data bridge, there are clear advantages in terms of participating organisations being exempted from the need to conduct a transfer impact assessment, rather than having standard contractual clauses where TIAs needs to be made.

However, what is the response of the Minister and his department to the Information Commissioner’s Office’s opinion on these regulations: that there are areas that could pose risks to UK data subjects if the protections identified are not properly applied? He identifies several potential issues with the UK-US data bridge: it does not contain substantially similar rights to the UK GDPR’s right to be forgotten, right to withdraw consent, and right to obtain a review by a human of an automated decision. He says:

“As a result, UK data subjects might not have the same level of control over their data as they do under UK GDPR.”

Secondly:

“The definition of sensitive information,” much like the legal opinion,

“under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information can be any data regarded as sensitive by the transferring entity. UK businesses will have to clearly label certain types of data as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.”

Thirdly:

“For data on criminal offences, the ICO highlights potential vulnerabilities, even when tagged as sensitive. Since the UK places restrictions on the use of ‘spent’ convictions, there are concerns about a lack of comparable protections in the US for transferred data”.

The opinion of the ICO does not even deal with the potential impact of the Data Protection and Digital Information Bill going through Parliament, which will water down data subject rights, especially in the legitimate interest balancing test and Article 22, and in the provisions around DPOs and data protection impact assessments. Our data protection adequacy is not even secure, and the ICO specifically draws attention to this:

“If the Secretary of State becomes aware of a significant change in the level of data protection that applies to personal data transferred from the UK as a result of either the review or ongoing monitoring obligations, the Secretary of State must amend or revoke the regulations to the extent necessary”.

In addition:

The Secretary of State is also required to monitor, on an ongoing basis, developments in a country, territory or international organisation which is the subject of UK adequacy regulations”.

Where did any of that appear in the Explanatory Memorandum? This is important stuff; it is our personal data.

How do we therefore know that our personal data is safe under these arrangements? How will the data bridge stand up, especially with the new Bill going through Parliament? Perhaps the Minister can also explain how the transfer of legally privileged data will be dealt with.

Even if this were satisfactory, one might ask how long the EU-US DPF will last before Mr Schrems gets to work. What will be the impact on our UK-US data bridge then, given that it is dependent on the EU-US bridge? Given the opinion of the ICO, should we expect litigation along the line of Schrems?

Under the DSIT analysis of last December, it is clear that the department has to take a view on, for instance, the sharing of sensitive data:

“DSIT considers that these exemptions are comparable to exemptions provided for under Article 9(2) of the UK GDPR and do not pose a material risk to UK data subjects”.

It says similarly about HR, and on personal data:

“Therefore, DSIT does not think that the extra protections afforded to criminal offence data … are likely to be undermined”,

and so on. What is DSIT actually advising businesses to do, given its opinion? Would it not be prudent to take some external advice, rather than rely on internal DSIT views about this? Would it not be safer for a business to agree or keep using standard contractual clauses?

Given the limited scope of the UK-US data bridge, a limited number of businesses can take the benefit of it. The impact assessment says: “The assumption that 23.4%”—that seems very granular—

“of those organisations who currently send personal data to the US will be risk averse due to legal uncertainty and continue to use standard data protection clauses is based on evidence from EU transfers. However, the assumption may be too conservative as many businesses reverted to using standard data protection clauses for EU transfers due to the previous risk of no-deal Brexit”.

That sounds like it is both on the one hand and on the other; it is not a very good basis for making assumptions and the figure may be even higher, given the uncertainty and difficulties surrounding some issues, such as the transfer of sensitive data.

I conclude in saying that I strongly agree with this sentence in the impact assessment:

“There is a clear rationale for creating a UK extension to the EU-US Data Privacy Framework”.

I very much believe that, if this works, it can pave the way for many other forms of co-operation with the EU. I just hope that the data protection Bill does not make that impossible.

Finally, speaking of the Bill now in the Commons—and still just there—I hope that the Minister will carefully explain to us exactly what Clause 23 and Schedules 5 to 7 will do to change the current basis under Section 17A for approval of this kind of data bridge. The Explanatory Notes to the Bill do this nowhere: they simply tell us the new provisions that take over from the current Section 17A and leave us to make the comparison. I feel that the Government really should explain the difference. I fear the worst: that, as ever, the Secretary of State is taking greater powers and the tests for adequacy are being watered down.

I hope that the Minister is fully briefed on everything that I have said this evening and on all the matters I have raised. I very much look forward to his reply.

Photo of Baroness Jones of Whitchurch Baroness Jones of Whitchurch Shadow Spokesperson (Science, Innovation and Technology) 6:45, 22 Tachwedd 2023

My Lords, I am grateful to the noble Lord, Lord Clement-Jones, for raising his concerns about this SI this evening, and for the diligent work of the Secondary Legislation Scrutiny Committee in drawing to our attention the inadequacy of the original Explanatory Memorandum attached to it. In fact, had the details been included in the proper form in the first place, it could have saved me a lot of chasing around to establish what had been tabled when; as the noble Lord pointed out, it was not immediately clear.

For example, the Secondary Legislation Scrutiny Committee criticised the lack of an impact assessment, a variation of which has now finally been attached to the SI. As the noble Lord made clear, the original Explanatory Memorandum recorded that the impact assessment was not ready to be published as it had to be submitted to the Regulatory Policy Committee for its review. We now know, thanks to the work of the Secondary Legislation Scrutiny Committee, that the RPC judged the original impact assessment as not sufficiently robust, identifying areas of improvement which, if not addressed adequately, would generate a red-rated opinion. It reports that a revised IA was submitted to the Regulatory Policy Committee on 20 September. Can the Minister confirm whether this revised IA has now received a green rating from the RPC?

I agree with the Secondary Legislation Scrutiny Committee that, sadly, the failure to produce this proper documentation in a timely manner occurs all too often. It makes it difficult for Parliament to carry out our scrutiny role and reflects a wider decline in drafting accuracy. I understand that the staff work under intense pressure but, in this case, I see no reason why all the checks could not have been carried out before the SI was laid, even if this resulted in a slight delay.

The Secondary Legislation Scrutiny Committee also quite rightly raised concerns about the lack of contextual information in the original Explanatory Memorandum. I absolutely agreed with them on this. It was not until I read the impact assessment that the background and intent of the SI became clear. There is now a revised EM but the original printed version of the SI, which I collected from the Printed Paper Office, as I suspect the noble Lord did as well, contained the original Explanatory Memorandum, which again underlines the inadequacy of the processes adopted by the department.

In this context, I have some questions which arise from the impact assessment rather than the EM. First, is it the case that the only adequacy regulations currently in existence are with the Republic of Korea? As this is the first such agreement, how are the provisions of the regulations being monitored, and have any data breaches been identified? I hope that we would learn from that first experiment, if you like, with the Republic of Korea. Any information on how that is working would be appreciated.

Secondly, what criteria do the Government use for prioritising other potential data partnerships, as listed in the IA? Are any others near completion?

Thirdly, since Brexit and the failure of the EU privacy shield, the EU and the US have developed the data privacy framework, and we have signed up to the UK extension of that framework. In what ways does the extension vary from the EU-US agreement? If the European Commission varies that agreement, can we be assured that the UK extension will seek to reflect those changes? This would make it considerably easier for businesses to navigate the rules in the longer term.

Fourthly, since there is some sensitivity around this currently, today’s announcement that the NHS has handed US spy tech firm Palantir a contract to create a huge new data platform has rightly caused concern. Does this agreement come under the new data adequacy rules covered by this SI? Is it the case that individuals cannot opt out of the scheme, as reported in the press? What would prevent Palantir selling on the data to other US companies, provided they signed up to the US Department of Commerce’s self-certification scheme?

Incidentally, I could not see in the impact assessment any assessment of the robustness of the US rules. For example, how many data breaches are there per annum and what sanctions are taken against those who breach the rules? It is all very well having an adequacy rule, but we want to know how it is working in practice and what the US’s history has been on this. Does the Minister have any information on this?

My last question leads on to the Secondary Legislation Scrutiny Committee’s last recommendation, which has also been highlighted by the noble Lord, Lord Clement-Jones. The UK public are understandably suspicious about how their personal data could be misused or monetised by big corporations, both here and abroad. If they have nothing to worry about in this instance, it would have been helpful to hold a public consultation to provide reassurance and build confidence in the policy. As it stands, there are bound to be concerns about the underlying consequences of this proposed agreement. As the Secondary Legislation Scrutiny Committee points out, an increasing number of experts and specialist lawyers could have contributed to the development of this policy, particularly as it may be a model for other agreements in the future.

I hope the Minister can reflect on these concerns and take them back to the department. I hope that he can also address the specific questions I have raised, and that he can assure us that the lessons about the way documentation is presented to Parliament for approval in the future will be taken on board.

Photo of Lord Fox Lord Fox Liberal Democrat Lords Spokesperson (Business)

My Lords, it is a pleasure to follow the noble Baroness and, indeed, my noble friend Lord Clement-Jones. Their commentary on the process so far is quite damning. I share my noble friend’s fear that this is in danger of selling short what is an important aim of creating a viable data bridge between these two jurisdictions.

I am not going to go over the process; I will pick out a number of points from what I think is the right Explanatory Memorandum but may, of course, be the wrong one. I am acting in good faith; I think I picked it up from the table at the right nanosecond when the correct document was there.

Paragraph 7.2 of the EM says:

DSIT officials have been working closely with counterparts in the US”.

Paragraph 25 of the Secondary Legislation Scrutiny Committee’s report says that DSIT told the committee:

The US does not have a comprehensive data protection framework”.

The report points out, as noble Lords have said, that this framework tends to be based on a sector or state- level requirement. So who are the counterparts that DSIT talked to? There are no counterparts equivalent to DSIT who can have that competent conversation.

In practice, can they know that the treatment of data will be the same in California as it will be in Florida? If they know the answer to that question, how do they know it—who did they talk to in order to gain that information? It seems to me that the complications of data in the United States are not reflected in the Explanatory Memorandum in my hand.

That is the first point. Moving on, if you look at paragraph 7.6 in the Explanatory Memorandum, you see that it is very clear that this is a self-certifying annual process. Self-certifying is another word for ticking boxes. So, once again, how can the department be sure that this process is being properly dealt with and monitored? When we come to the enforcement of this self-certification process, is it the Department of Commerce that will be checking that this self-certification has happened? Will it be the state legislatures? Who will be the bodies in charge of this self-certification? Will there be an annual report, so we know that all these bodies are certified? Indeed, if I am giving my data to a particular organisation that is then sending that information across the United States, how do I know that that process is properly certified? It seems that these are good words but, unless they are backed up with a system and a process, they are to all intents and purposes meaningless.

The next point is picked up in paragraph 7.12 of the Explanatory Memorandum, where we talk about processors and transfers, and people in the United States who are

“indicated on the Data Privacy Framework List as participating in” this bridge. If there is a violation from an organisation in the United States that is picked up by the Information Commissioner in the United Kingdom, what happens next? Who does what, in terms of prosecuting the organisation in the United States for wrongfully dealing with that data? Who is liable? At a corporate level, where is this dealt with? Is there some sort of corporate veil to the US company which means that the UK company is not liable? How in companies law will this operate? It seems to me that there is not the information here to answer those questions and I wonder, frankly, whether they have actually been considered.

It is quite clear that this could not have happened without the hard work and endless negotiation of the EU-US group. This rides on the back in a rule-taking process that I suppose we are going to have to get used to as things go forward. My noble friend’s point about Schrems is very true; Schrems III is coming soon, so what will the Government’s position be if it finds against the EU part of this bridge? Will we also automatically cancel the bridge? How does that then affect companies that have already transferred their data and made that decision?

There are couple of ancillary questions which are, I guess, slightly off the wall. There is an industry in this country that involves having servers and creating a UK-based server place as a safe harbour for British data. I assume the department has done an analysis of the industrial effect on those servers, because clearly many of them will be no longer needed, and data can be sent back to the United States rather than living in what are euphemistically called “clouds” but are actually server farms in the United Kingdom.

I have a final question. As the Minister knows, political parties tend to knock on doors, collect data and put that data into databases. Can he tell us what the position is on electoral databases in terms of using US-based servers to retain that data? At the moment, that is not done. Will political parties be able to move that data from servers in this country to perhaps their counterparts, assistants or supporters in the United States, in order to do analysis, targeting and whatever, or do the current rules of safe harbour still exist for electoral data?

Photo of Viscount Camrose Viscount Camrose Parliamentary Under Secretary of State (Department for Science, Innovation and Technology) 7:00, 22 Tachwedd 2023

I thank the three noble Lords who spoke for their valuable and robust contributions to this debate. Let me start with some general remarks about the SI.

In 2022, the UK exported more than £99 billion in data-enabled services, such as finance and IT, to the US. That amounts to about 30% of the UK’s total data-enabled services exports globally. UK data bridges such as the one established with these regulations ensure that high data standards are upheld when UK individuals’ personal data is transferred internationally while reducing the compliance burdens for businesses, realising responsible innovation and growth. The UK-US data bridge restores a robust and reliable mechanism for transatlantic personal data flows and is expected to benefit around 16,000 UK businesses, 92% of which are small or micro businesses, and provide a combined benefit of an estimated £115 million per year.

The UK-US data bridge has been established following several years of collaboration between both countries and follows a robust assessment by the Secretary of State of the high standards and protections available to UK personal data when it is shared with organisations in the US under the bridge. DSIT published a series of supporting documents alongside the regulations for the US data bridge, including a policy explainer, a fact sheet for UK organisations, a series of letters detailing the operational delivery and enforcement of the frame- work, an analysis of the assessment which underpinned the Secretary of State’s decision and the Information Commissioner’s opinion.

I acknowledge absolutely the disappointment of the Secondary Legislation Scrutiny Committee that an impact assessment was not made available when the regulations were laid. As was remarked on, an initial impact assessment was submitted to the Regulatory Policy Committee in 2022 which was returned to my department with a green rating, meaning it was considered fit for purpose. Deeply regrettably, the updated version containing much of the same content was not reviewed and approved in a timely manner to coincide with the laying of the regulations. My officials worked at pace to address the additional comments from the Regulatory Policy Committee. I am pleased to say that the impact assessment for these regulations, which has been rated as fit for purpose, was published in mid-October. Furthermore, I can assure noble Lords that DSIT takes the concerns raised by the committee seriously.

In relation to the additional material included within the Explanatory Memorandum published alongside these regulations, as the noble Lord, Lord Clement-Jones, mentioned, an updated version of the Explanatory Memorandum addressing the areas raised by the committee in the report was laid, I am afraid as late as Monday 20 November, and is now available online. I am confident that these changes address the issues raised by the committee in its report.

On the concerns raised by the committee about the absence of a public consultation, I agree that these regulations may be an issue of public interest. These regulations have not been developed in isolation. As part of this assessment, the department worked closely with the UK’s independent data protection regulator, the Information Commissioner’s Office, throughout the assessment and the Information Commissioner was consulted by the Secretary of State prior to taking the decision to establish these regulations in accordance with the Data Protection Act 2018. Additionally, on five occasions since 2021, the department has publicly issued statements in relation to the progress made towards establishing these regulations. These include the UK-US comprehensive dialogue on technology and data launched in October 2022 and the Atlantic declaration announced by the Prime Minister and President Biden in June 2023.

Furthermore, the UK’s approach to facilitating international data transfers was the subject of a public consultation under mission five of the UK’s National Data Strategy, published in December 2020. This was focused on plans

“to remove unnecessary barriers to international data flows”,

drive high standards and build trust in the international use of data. These plans and the department’s approach in this area have been strongly and consistently welcomed by businesses of all sizes looking to operate and trade internationally between the US and UK.

I turn to questions specifically raised in this debate. The noble Lord, Lord Clement-Jones, asked what is being done by the department to address these issues in the future. The delays to the impact assessment and issues raised with the Explanatory Memorandum are unfortunate. It was always the department’s intention to publish the impact assessment once reviewed by the Regulatory Policy Committee and update the Explanatory Memorandum following the Secondary Legislation Scrutiny Committee’s report. As I have said, the department takes the concerns of the Secondary Legislation Scrutiny Committee seriously. There are steps being taken to ensure the delivery of high-quality, comprehensive documentation alongside future secondary legislation. This includes setting up a departmental better regulation team in the new year to support policy teams in the development of impact assessments, and providing a comprehensive library of best practice resources to officials and policy teams. I know that these steps do not help with the issues that arose in this statutory instrument, but I hope that it provides some reassurance towards the steps we are taking to prevent any repeat of these issues in future.

The noble Lord also raised how the data bridge agreements translate on to the US and whether they need to be approved on a state-by-state basis. The answer is that they do not need to be approved by individual states; they are arrangements which operate across the US in relation to any organisations which have signed up to the framework.

Regarding what guidance the department has provided to businesses, it has published a fact sheet on GOV.UK which provides additional clarity and information for businesses regarding using the data bridge, including explaining the need to specify certain types of data as sensitive. Additionally, the ICO has published a complaints tool to help businesses and individuals navigate the new redress mechanism which strengthens and protects UK data subjects’ rights when their personal data is transferred to the US.

Regarding the DPDI Bill, the changes to that Bill will not affect the validity of existing data bridges such as this one. They will continue to have effect under the new regime. The Secretary of State will continue to monitor the data bridge on an ongoing basis for any developments in the US which could affect the decision taken to make these regulations and will take such action to amend or revoke them if necessary.

The noble Lords, Lord Clement-Jones and Lord Fox, both raised what the longevity is of the data bridge, given the Max Schrems case, and the robustness of this legislation. We are aware of the stated intentions made by certain individuals such as Max Schrems to challenge the EU’s adequacy decision for the EU-US data privacy framework, as they have done twice previously. Our data bridge for the UK extension to that privacy framework is a separate decision from the EU’s adequacy decision, following the UK’s independent assessment of relevant laws and practices. We are continuing to work with the US now that the data bridge is online to ensure that it functions as intended and will continue to engage should any challenge to the EU’s adequacy decision be successful. Should the EU’s decision be invalidated, that would not directly impact the UK’s data bridge for the US.

In response to the noble Baroness, Lady Jones, I can confirm as above that the published impact assessment has a green rating. With regard to her question on how the data bridge differs from the EU framework, the UK is relying on our own extension to the EU-US data privacy framework, which mirrors the EU framework.

The noble Baroness asked whether individuals can opt out from the data bridge and about its robustness, including the important point about Palantir. UK individuals’ data is protected to the high standards expected within the UK under the UK GDPR and Data Protection Act 2018. We have conducted a robust and detailed assessment of the new US framework, which is published online on GOV.UK, and which the Secretary of State has decided meets the high standards necessary to establish a data bridge. This includes strict requirements and rules surrounding how US organisations should use, process and disclose personal data that they hold. When deciding whether to share personal data with a US organisation under the data bridge, the transferring organisation in the UK still needs to comply with all the requirements of the UK GDPR, including the need to have a lawful basis for sharing the personal data.

In response to the noble Lord, Lord Fox, who asked who the department engaged with in the US and which regulatory bodies are responsible for the US framework, this is a federal rather than a state government-level framework. The US Department of Commerce administers the framework and is our main counterpart, and the US Federal Trade Commission and US Department of Transportation enforce the framework. We also engaged with the US Department of Justice where there were questions in relation to US national security laws and practices. We have received reassurances from each of these bodies with regard to their commitments to upholding the principles and protecting the rights and protections of UK personal data shared with the US. These have been published online along with our full analysis detailing our assessment of the US data bridge and explaining the role of the different US bodies mentioned, which is on GOV.UK for anyone to view.

On the collection of data by UK political parties and the possibility of transfer to a server outside the UK, the policy governing this aspect falls outside the scope of data bridge policy, and so my department will follow up on that question.

Finally, on the question from the noble Lord, Lord Fox, about the self-certifying annual process for US companies and how the department can be sure that the process is being monitored, the US Department of Commerce has committed in the aforementioned reassurances to conduct verification checks on organisations certified to the framework, as well as to participate in periodic discussions with the UK Government about the operation of the framework, to ensure that the expectations and new practices of the data privacy framework are being met. This includes, where necessary, input from US enforcement bodies, the Federal Trade Commission and the US Department of Transportation, as well as from the UK’s independent data protection regulator, the Information Commissioner’s Office. Additionally, the Secretary of State is obliged to monitor on an ongoing basis any developments in the US or with the US framework that could affect the decision taken to make these regulations and to take such action to amend or revoke them as necessary.

I thank the noble Lord, Lord Clement-Jones, for bringing forward the debate today. The importance of proper scrutiny by parliamentarians for new legislation is paramount, and the department will continue to move forward with renewed determination to ensure that all necessary documentation is provided, not just to a high standard but at the point when regulations are laid. I believe and hope that I have answered all the questions. If not, I am of course more than happy to write with further detail. For now, I am once again grateful to the noble Lord.

Photo of Lord Clement-Jones Lord Clement-Jones Liberal Democrat Lords Spokesperson (Science, Innovation and Technology)

My Lords, I thank the Minister for that response. I congratulate him on managing to pick up nearly all the questions and provide them with answers. He probably never thought that quite so many questions could be asked about a single SI, and there are a couple of areas where I think there is further inquiry to be made. This is a salutary lesson in how the SLSC really needs to get the information that it needs to scrutinise regulations, otherwise we all jump up and down and spend our evenings on regret Motions.

This has been a very useful debate. The record, and how the Minister unpacked and answered some of the questions, might be helpful for those who want to take advantage of the UK-US data bridge. It is a great illustration also as to why affirmative SIs, rather than negative ones, are actually rather useful. Why rely on me producing a regret Motion? Would not it have been better to have a proper affirmative procedure in this case, as this is a very important instrument? The Minister talked about its value, and, if it works, we will all agree.

I also very much appreciate the fact that there is a level of humility about this, in that the department is looking at its procedures and setting its house in order with a new regulatory policy process. We look forward, I am sure, to seeing how effective that will be in the future. When the Minister talks about fact sheets and the sensitive data aspects, the fact that the ICO is gearing itself on the complaints and redress side is appreciated as well.

All this means that we need to continue to be vigilant about these kinds of data issues. When we look through Hansard, no doubt we will work out exactly which questions have been answered and which have not, but I am still not totally convinced that we are not dependent on the Schrems outcome. If the EU-US bridge falls away, I would have thought that the UK-US bridge also falls away. Legally, I cannot see any reason why our bridge should be maintained if Schrems manages to knock down the EU-US data bridge. I take huge reassurance from the fact that the Secretary of State will continue to monitor the data bridge in future.

Finally, the Minister definitely has not answered the question of what difference the new provisions in the Data Protection and Digital Information Bill will make, and why Section 17A of the Data Protection Act 2018 is being changed. What are the advantages? Does the Secretary of State get more powers? Is our personal data more vulnerable? Will we find our sensitive data winging its way across the Atlantic? Will it be not just the FTC, the Department of Transportation or the DoJ that get our data but other bodies? We need to know. We have many happy hours ahead debating the data protection Bill when it comes to this House, and I look forward to it. In the meantime, I beg leave to withdraw my Motion.

Motion withdrawn.