| Previous Section | Back to Table of Contents | Lords Hansard Home Page |
Baroness Turner of Camden: I would like to thank the Minister for clarification. He is quite right in his interpretation of my concerns. I was thinking in terms of material which was not necessarily statistics. I am grateful for the explanation he has given. I would like to think about it and perhaps the people who have been sending me briefing material would be appropriately satisfied.
Viscount Astor: My Amendment No. 20 was the original amendment in this group. I am grateful for the answer of the Minister, which I will study carefully, and I beg leave to withdraw the amendment.
Amendment, by leave, withdrawn.
Baroness Nicholson of Winterbourne moved Amendment No. 21:
The noble Baroness said: The purpose of the amendment is to ensure that data will only be transferred to third countries outside the European Union which have an equivalent level of protection in relation to the processing of personal data. I am sure that the Minister will see the irony in this, in that the United Kingdom, until now at least, has been one of the less well protected of the developed nations, particularly in the European Union, prior to this Bill due to the deliberately weak interpretation of the Council of Europe directive of 1981; but we have moved on and we are taking on this directive now, for which the Committee is most grateful. Therefore, it warrants a careful look before we authorise the transfer of personal data outside the European Union.
I look at the USA, where the privacy law was drafted in 1970 and therefore predates the computer explosion; at the Far East, where protection is not a top priority; and at the Gulf and Africa. This should remind the Ministers that there are international customers whose details are held on databases of multinational companies in the United Kingdom.
I also remind the Ministers that while paragraph 14 of Schedule 1 lists the factors which are to be taken into account when considering at an adequate level of protection, it does not set minimum standards. I suggest that by adopting the requirement of an equivalent level of protection we would achieve a standard which could be modified, with regard to subject access and non-disclosure provisions, as time moves on. Effective safeguards for the transfer of data to developed and underdeveloped economies outside the European Union is, surely, very important. I beg to move.
Viscount Astor: Amendment No. 27 is grouped with the amendment of the noble Baroness, Lady Nicholson of Winterbourne. This is an extremely important area, because the free flow of data, including personal data which will be covered by the Bill, is of enormous commercial importance to companies both in this country and, for example, in the United States. British pharmaceutical manufacturers transfer large quantities of patient data to their US affiliates to secure approval of new medicines. Airlines and financial institutions
Under the directive, personal data may be transferred to countries outside the EU, such as the United States, only if those countries ensure an "adequate level of protection".
Many British and American companies believe that data transferred to the United States from an EU country can be protected adequately through a combination of industry codes and contractual guarantees. Many companies have developed codes of conduct and plan to require their US partners to give contractual undertakings to comply with those codes.
As I understand it, however, European Commission officials have questioned whether data transfers to the USA can continue after the directive takes effect in October, unless the United States enacts a national data protection law similar to Directive 95/46 or takes other similar measures. I also understand that there is no prospect that the United States Congress will enact a comprehensive data protection law before this October. In fact, no law is even under discussion in the United States. There is a possibility that the US Federal Trade Commission will enforce privacy codes under provisions of US law that prohibit "unfair" or "deceptive" practices, but that issue has not yet been resolved.
Schedule 1, Part II, of the Bill contains provisions for interpreting the data protection principles. It states that the determination whether there is an adequate level of protection is made case by case, taking account of relevant factors. The existence of a data protection law is one factor, but others include codes of conduct and any security measures taken in the country to which data are transferred.
My amendment would make it absolutely clear that contracts are among the security measures to be considered under Part II of Schedule 1. It is consistent with the policy of the directive. The amendment would eliminate uncertainty about the appropriateness of contractual arrangements as one part of a programme to ensure an adequate level of protection of personal data transferred, for example, to the USA.
Having spoken to this amendment, which is simple but requires a somewhat convoluted explanation, perhaps I may briefly comment on the amendment proposed by the noble Baroness, Lady Nicholson of Winterbourne, to replace the word "adequate" with "equivalent". This amendment would, I feel, be quite wrong. It is almost impossible to say "absolutely equivalent". "Adequate" is sufficiently challenging. The danger of using "equivalent", of course, is that it amounts in effect to exporting EU law to other countries, and other countries, particularly the United States, would be quite paranoid about such behaviour.
Lord Falconer of Thoroton: These two amendments raise the important issue about the exportation of information beyond the EU. The noble Baroness, Lady Nicholson, seeks to remove the word "adequate" and
Having said that, I have to say that in relation to the amendment of the noble Baroness, Lady Nicholson, we could not contemplate matters of the sort she proposes for a number of reasons. First, as she knows, the Bill is to implement the directive. The directive sets the standards for transfers to third countries at the level of adequacy: the question of adequacy is itself to be monitored by the European Commission. To move away from that definition, as the amendment proposes, is to take the Bill out of line with the directive by imposing restrictions on British business which will not apply to our European competitors. We are not prepared to put our businesses at that sort of unnecessary trading disadvantage. Adequacy was the level agreed on by our EU partners as appropriate, and we do not intend to depart from it at this stage.
We believe that the adequacy of protection test provides a balanced approach. On the one hand, it ensure sufficient protection for the particular personal data concerned, consideration having been given to all the circumstances of the case, while on the other hand it has sufficient latitude to allow for variation in the requirements as they relate to particular cases. Equivalence of protection, which is what the amendment contends for, establishes a much stricter test, requiring exactly the same level of protection in the receiving country as is provided here, although the circumstances of a particular transfer may not require them.
I understand the noble Baroness's desire to ensure proper protection of individual's personal data, but we believe that proper protection is already provided by the Bill as it stands in a practical way in accordance with that which all our EU partners regard as appropriate. In the light of those comments, I would urge the noble Baroness, with respect, to withdraw her amendment.
As far as the amendment of the noble Viscount, Lord Astor, is concerned, he wishes to include in the list of matters that are to be considered for the purposes of applying the adequacy test a reference to contractual arrangements, particularly by reference to security of the data. Paragraph 14, as I have indicated, lists those circumstances to which regard should be had, and most of those are linked to the country or territory itself. They are the country-wide or territory-wide circumstances which prevail.
The noble Viscount's amendment seeks to qualify one of those general country-wide or territory-wide sets of circumstances, namely the security arrangements, by requiring consideration to be given to the arrangements made between contracting parties. A requirement to consider specific arrangements of this kind--even if it
This is not to discount the relevance of contractual arrangements to transfers of personal data to countries outside the European Economic Area. Your Lordships will be aware that contractual arrangements feature in Schedule 4, which sets out the circumstances where transfers may take place to countries without adequate levels of protection. Paragraph 2 of that schedule allows transfers where these are necessary for the performance of a contract between the data subject and the data controller; and paragraph 3 of that schedule allows transfers where these are necessary for the conclusion or performance of a contract between a data controller and a person other than the data subject.
Finally, in paragraph 8 of that schedule there is the model contract approach where transfers are made on terms of a kind approved by the commissioner, but that is in the other schedule. We believe that it is not appropriate to include the amendment that the noble Viscount seeks, because it does not seem to us appropriate to have regard to the form of that particular schedule. In light of what I have said, I hope that the noble Viscount will agree to withdraw his amendment.
Page 38, line 25, leave out ("adequate") and insert ("equivalent").
5 p.m.
Next Section
Back to Table of Contents
Lords Hansard Home Page