House of Commons - The Committee's opinion on the European Union Data Protection framework proposals

The Committee's opinion on the European Union Data Protection framework proposals - Justice Committee Contents

1 Introduction

1. In late January this year, the European Commission published new legislative proposals for data protection.[1] The proposed data protection legislative framework consists of two EU documents: a draft Regulation (directly applicable) legislating for general data protection across the EU;[2] and a draft Directive (binding as to the result to be achieved, but leaving to national authorities the choice of form and method) with the specific aim of protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.[3]

2. The right to the protection of personal data is explicitly recognised by Article 8 of the Charter of Fundamental Rights of the European Union. In addition, Article 16 of the Treaty on the Functioning of the European Union (TFEU) provides a legal basis for rules on data protection for all activities within the scope of EU law. The proposals would bring EU data protection up-to-date, and satisfy the obligations set out in the Treaties. The draft Regulation would repeal and replace the 1995 Data Protection Directive, which is implemented into UK law by the Data Protection Act 1998. The draft Directive would repeal and replace the existing Data Protection Framework Decision, which was negotiated in 2008, and implemented in the UK through the issuing of an administrative circular.[4]

3. On 13 February, the Ministry of Justice (MoJ) submitted Explanatory Memoranda to the European Scrutiny Committee, which gave its initial view on both documents. The Memoranda explained that the MoJ had begun a one month consultation on the proposals between February and March. On 14 March the European Scrutiny Committee reported on the proposals. Chapter 7 of the Report, General Data Protection Regulation, states in paragraph 7.55:

[W]e consider that the proposed reforms to EU data protection rules are not only legally and politically significant, but also complex, with broad ramifications for individuals, businesses and national authorities. It is not possible for the European Scrutiny Committee to inquire into these matters in sufficient depth, because of the number of EU documents it has to review on a weekly basis. Pursuant to paragraph 11 of Standing Order (No.) 143, we therefore ask the Justice Committee to give its Opinion on this draft Regulation, together with the draft Directive reported in the following chapter of this week's Report. That Opinion should assess whether the proposed legislation strikes the right balance between the need, on the one hand, for a proportionate, practicable but effective system of data protection in the EU, and on the other for business and public authorities not to be stifled by regulatory, financial and administrative burdens placed upon them.[5]

In addition, Chapter 8 of the Report, Data processing in the framework of police and criminal cooperation, set out in similar terms the request for a opinion on the draft Directive in paragraph 8.38.[6] This Report sets out our opinion on both documents in response to the European Scrutiny Committee's request.

4. Following the publication of the MoJ's Summary of Responses[7] to its consultation on 28 June 2012, we launched an inquiry on 12 July, calling for written evidence by 20 August.[8] We received 54 written submissions from a wide variety of witnesses, and held oral evidence sessions with 6 panels of witnesses. These are listed at the end of this Report. We are extremely grateful to our witnesses for submitting written evidence within the short timeframe, and for making themselves available to give oral evidence, especially those who travelled to Westminster from Brussels.

The basis for reforming the current data protection framework

5. When the proposals were published, the European Commission set out the aims of the reforms, stating:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around 2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

Additionally, the European Justice Commissioner Viviane Reding, Commission Vice-President said:

17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.[9]

6. As referred to in paragraph 2 above, the draft Regulation would repeal and replace the Data Protection Directive 1995. The MoJ's Summary of Responses, stated:

The proposals for a new Regulation in the area of data protection came about as the 1995 Data Protection Directive is widely perceived to be out of date. Since 1995, there have been numerous technological developments, notably the increased use of computers, the expansion of the internet and the emergence of social media networks which have seen changes to the ways that personal data are handled and processed.[10]

7. The draft Directive would repeal and replace the existing Data Protection Framework Decision 2008, which entered into force on the 19 January 2009, with Member States having to implement its provisions by 27 November 2010. It applies to public bodies authorised by national law to detect, prevent, investigate or prosecute offences or criminal activities. The Commission has provided an assessment on the current state of the Decision's implementation and functioning across the EU, and concluded that the difficulties encountered by a number of Member States could be solved through a new Directive.[11] The MoJ stated that the argument for the replacement of the Framework Decision was not as clear as for the general Data Protection Directive 1995, as the Framework Decision was only adopted four years ago.[12]

The approach to reforming the current data protection framework

8. The European Commission's decision to introduce both a Regulation and a Directive will significantly alter UK law in the area of data protection. The Regulation will be directly applicable, whilst the Government will have to take separate steps in order to implement the Directive. Data subjects and organisations within the criminal justice system in particular, will have to refer to different pieces of legislation in different circumstances. This will be a departure from the current system, whereby the Data Protection Act has broad application.

9. Christopher Graham, Information Commissioner, told us in oral evidence that "[The] Office is deeply sceptical of this proposal to split the current Directive between a Regulation and a Directive. All sorts of mischief follows from that decision".[13]

Additionally, David Smith, Deputy Commissioner and Director of Data Protection, Information Commissioner's Office stated:

From our point of view, we are proponents of good regulation. Good regulation means consistent law that is clear and easy to understand and easy to apply. Once we start to diverge and we have a Regulation for the commercial sector and a different legal instrument for police and justice, you start to move away from that and you cause particular problems in areas like local authorities, perhaps, which have functions that will come under the Regulation and others that will come under the Directive.[14]

He contended that this was a difficult area because there was a political element to the UK's position in relation to the European Union and, particularly, measures in the police and justice areas.

10. We asked Franoise Le Bail, Director-General, Directorate-General Justice, European Commission, whether the two instruments would lead to an inconsistent approach. She replied:

[A]s you may imagine, we have discussed this internally a great deal and also with stakeholders before taking the decision to bring forward two different proposals. In fact these proposals have quite a lot in common. [...] The same principles of data protection apply at the core of the Regulation, but I think the new element is that they are at the core also of the Directive, which was not necessarily the case to start with. [...]

[W]e have applied, first of all, the obligation we have under Article 16 of the Lisbon Treaty, but we have also applied declaration 21, which is annexed to the Lisbon Treaty, which says that for this particular field, which is police and judicial co-operation in criminal matters, of course specific provision should be taken.

She argued that the Directive gave Member States the flexibility to take into consideration their particular culture and type of legislation, such as common law in the case of the UK, and added:

[The instruments] are part of the same exercise, which is to reinforce the rights of individuals in terms of data protection. This is also part of the exercise of stopping the fragmentation in the legislation, both in Regulation matters where we have 27 different types of legislation but also in what is the framework decision area now, where, first of all, there is a very different way of implementing these framework decisions and a very different degree of application of the framework decisions. We believe that, by presenting two types of legislation at the same time, we will fight against this fragmentation but we can also give the necessary flexibility.[15]

11. The MoJ's written evidence explained that in the UK, the Data Protection Act 1998 (DPA) implemented the Data Protection Directive 1995, and included in its scope police and law enforcement processing. This meant that the DPA applied to the processing of all personal data, including that covered. by the Data Protection Framework Decision 2008. It concluded that "it is likely that the DPA will need to be amended or repealed and replaced in order to implement the new EU legislation once it comes into force".[16]

12. This is an issue that was raised by some of our witnesses. Privacy International, a campaign group for privacy issues, argued that the data processing principles contained in the draft Directive were less ambitious and more ambiguous than those in the draft Regulation, and that this could be problematic for the UK because the Data Protection Act applied across the board.[17] Intellect, the UK trade association for the IT, telecoms, and electronics industries, told us it "could imagine seven pieces of separate legislation on data protection that organisations would need to consult - as the Government could choose to implement [aspects of the Regulation] separately", and argued that the ideal situation would be for one piece of legislation.[18]

13. We are concerned that the approach taken by the European Commission, introducing two instruments, will lead to a division of the UK law, set out in the Data Protection Act. We believe that this could cause confusion, both for data subjects, and for organisations within the criminal justice system in particular, as they will have to consider which law applies in their given circumstance. We are also concerned that this twin-track approach might also lead to inconsistencies in application, both due to differing provisions in the instruments and over time, due to court decisions under each instrument. If this is still to be the approach, we recommend that there is consistency between the two instruments from the outset, to mitigate the future divergence in their application. Furthermore, the UK Government and the Information Commissioner's Office will be required to work effectively together in order to produce and disseminate effective guidance so that data subjects know their rights and organisations know their responsibilities under each law.

The negotiation process

14. Both documents are subject to the Ordinary Legislative Procedure. This is a process which requires the European Council and the European Parliament to agree on a proposal for legislation before it can come into effect.

15. With regard to the draft Directive, on 24 April the then Parliamentary Under-Secretary of State, Ministry of Justice, Mr Crispin Blunt MP, informed the House that the Government's view was that the draft Directive could be classified as a Schengen building measure. Therefore, under protocol 19 of the TFEU, which governs how the Schengen acquis is integrated into the UK framework, the UK had the option of opting-out of the Directive. The then Minister argued that not exercising the opt-out would enable the UK to improve the draft text during negotiations, and concluded "our national interests are best served by participating in this directive".[19]

16. The Summary of Responses states "[t]he negotiations in the Council of the EU and in the European Parliament are ongoing and are likely to last until 2014".[20] In addition, Lord McNally, Minister of State, Ministry of Justice, told us:

The Commission have a very ambitious time scale. They want to see substantial progress during the Cypriot Presidency, which is on now, and conclusion during the Irish Presidency, which is the first six months of next year. To be fair, the Cypriots have given priority to these negotiations and devoted the time to it, and as far as we understand, the Irish are taking a similar approach, but whether they will be successful or not, I don't know. We are negotiating to get results, not to fit into a timetable. We are certainly not on a go-slow or anything else. We simply want to get the best practical result from the negotiations.[21]

1 "Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses", European Commission press release, 25 January 2012 Back

2 5853/12, Draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) Back

3 5833/12, Proposal for a directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data Back

4 5834/12, Report from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions based on Article 29 (2) of the Council Framework Decision of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, para 2.1.1, and Circular 2011/01, Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters 2008/977/JHA, Ministry of Justice Back

5 European Scrutiny Committee, Fifty-ninth Report of Session 2010-12, Documents considered by the Committee on 14 March 2012, HC 428-liv, para 7.55 Back

6 European Scrutiny Committee, Documents considered by the Committee on 14 March 2012, para 8.38 Back

7 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012 Back

8 "New Inquiry: European Union Data Protection Framework Proposals", Justice Select Committee, 12 July 2012 Back

9 "Commission proposes a comprehensive reform of data protection rules to increase users' control of their data and to cut costs for businesses", European Commission press release, 25 January 2012 Back

10 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 3 Back

11 European Scrutiny Committee, Documents considered by the Committee on 14 March 2012, paras 8.1-8.5 Back

12 Ev 53 Back