Legal base	(a) Article 16(2) and 114(1)TFEU; co-decision; QMV (b) Article 16(2) TFEU; co-decision; QMV (c) and (d) —
Department	Justice
Basis of consideration	Minister's letter of 7 April 2014
Previous Committee Reports	(a) and (b): HC 83-xiii (2013-14) chapter 24 (4 September 2013), HC 83-viii (2013-14), chapter 11 (3 July 2013), HC 83-iii (2013-14), chapter 15 (21 May 2013), HC 86-xxxi (2012-13), chapter 7 (6 February 2013) ), HC 86-xxvi (2012-13), chapter 11 (9 January 2013), HC 86-viii (2012-13), chapter 5 (11 July 2012), HC 428-liv (2010-12), chapter 7 (14 March 2012); (c) and (d): HC 83-xxxiii (2013-14), chapter 9 (12 February 2014)
Discussion in Council	Not known but see paragraph 14.5
Committee's assessment	Legally and politically important
Committee's decision	Not cleared; further information requested.

Background and scrutiny history

14.1 We have set out details of the two legislative proposals (a) and (b), known collectively as the data protection package, and their overall scrutiny history, in our previous Reports.[65] Both proposals have been kept under scrutiny since we first reported in March 2012 and were last reported by us on 4 September 2013[66] when we asked the Government to keep us regularly informed of the progress of the negotiations.

14.2 More recently, we considered documents (c) and (d) in our Report of 12 February[67] and noted their relevance to the data protection package. We asked the Secretary of State for Justice (Chris Grayling) to tell us more precisely how the documents might be reflected in any amendment to the data protection proposals. We also asked him for a prompt update on new developments on the data protection package. In particular, we said we would like to know:

·  the level of support from other Member States resisting the Commission's accelerated timetable for agreement of the package before the European Parliament elections in May;

·  more detail on the outstanding areas of disagreement on the two proposals; and

·  whether there had been any institutional or Member State support for the UK proposition that the General Data Protection Regulation should take the more flexible legislative form of a Directive instead.

Minister's letter of 7 April 2014

14.3 The Minister of State for Justice (Simon Hughes) now responds. On the question of how the Commission's two Communications on EU-US data exchange and the Safe Harbour agreement might prompt any amendments to the data protection package, he says:

"Negotiations in the Council of European Union continue independently of the documents which were published. The proposed data protection Regulation does allow for the European Commission to make 'adequacy decisions' which would allow transfers of personal data from the EU to third countries to take place without any specific authorisation being necessary. This is similar to the arrangement that already exists under the current 1995 Data Protection Directive.

"The proposed Regulation would not provide specifically for Safe Harbor transfers as these would continue under the 2000 Safe Harbor Decision, subject to any review such as the one the Commission is currently undertaking. The European Parliament, however, did vote to include a new article in the proposed Regulation on international transfers in its first reading of the proposals. The new article would subject any judgment of a third country court or tribunal or any decision of any administrative authority in a third country which required the transfer of personal [data] to that third country to be approved by an EU data protection regulator where there is no mutual assistance treaty or international agreement in force between the requesting third country and the Union or a Member State.

"Referring to the US Foreign Intelligence Surveillance Act, this amendment has become informally known as the "anti-FISA clause". However, neither the Council of the EU, nor the Commission have yet agreed to the inclusion of such an article.

"Some member states including the UK maintain that this clause would put independent data protection authorities in a difficult position. They would have to assess whether the disclosure was necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims. This goes beyond what a data protection authority can reasonably be expected to consider. It would also put companies in a conflict of law situation where they might have to choose between complying with the law of either the EU or the third country. I will continue to monitor developments on this issue but for now this proposal only exists in the Parliament text and we remain committed to opposing its inclusion in any final text

"The communication on rebuilding trust in EU-US data flows resulted from discussions between the Commission and the US government that have now concluded. This document will have no practical effect on the current data protection package negotiations. There was no suggestion that the current data protection framework was somehow flawed or that action needed to be taken during the negotiations to deal with the issues identified by the Commission. Instead, the communication was designed to highlight perceived shortcomings in the existing US system of oversight of data surveillance, particularly with regards to EU residents. It remains up to the US government to respond to the contents of that report as it considers appropriate.

"In relation to the Commission's review of the EU-US Safe Harbor agreement, I will be providing more detail on the current position during my forthcoming evidence session to the European Union Committee on Wednesday 9 April. To summarise, the Commission continues to engage with the US Government on a bilateral level and we understand that steady progress is being made on the recommendations under discussion.

"However, a plenary session of the European Parliament on 12 March 2014 held a non binding vote which was in favour of an immediate suspension of Safe Harbor. There is clearly still a lot of political pressure on this topic. My officials are conducting meetings with a range of stakeholders and also carrying out research on Safe Harbor so that the Government can have an informed view of how the system operates and, in particular, what the potential impact of suspension would be in terms of economic activity and the protection offered to individuals. In the meantime, I have noted that, notwithstanding the positive progress that has been made in EU-US discussions, the Commission continues to state publically that suspension of Safe Harbor remains an option on the table."

14.4 On our other questions regarding the level of support from other Member States to resist the new timetable for agreeing the package and on outstanding areas of disagreement the Minister says:

"There are two instruments under negotiation; a general data protection Regulation, and a criminal justice data protection Directive. There has been a lot of activity on these dossiers in recent months although most of it has centred on the Regulation.

"The LIBE (Civil Liberties, Justice and Home Affairs) Committee of the European Parliament agreed texts for the proposed Regulation and Directive on 21 October 2013. These texts were put to the full plenary sitting of the Parliament on the 13 March 2014 and the Parliament has adopted its position at first reading on both the Regulation and the Directive. This fixes the Parliament's position in political terms. Subject to the agreement of the Conference of Presidents in Brussels after the elections, these texts are likely to be used in 'trilogue' negotiations with the Commission and the Presidency of the Council of the EU in due course.

"Progress in the Council of the EU on both dossiers has been slower and no agreement on either instrument has yet been reached in the Council. The Lithuanian Presidency had pushed to get agreement on the regulatory 'One-Stop Shop' mechanism at a meeting of the Justice and Home Affairs Council on 6 December 2013.

"In principle, the One-Stop Shop would allow EU businesses established in more than one Member State to engage with just one data protection authority (DPA) instead of DPAs in every EU country in which they operate. However, the details are more complicated which has resulted in member states still discussing how the One-Stop Shop would work in practice. The Lithuanian Presidency initially hoped to achieve a 'partial general approach' on this topic but any form of consensus on a preferred model for the One-Stop Shop proved elusive due to some Member States wanting to preserve 'proximity' between where the individual resides and where the regulatory decision would be made.

"Further complicating this matter, the Council Legal Service argued that the Commission's One-Stop Shop model is problematic. Its view was that the system set out under the Commission's proposals favours the interests of controllers over data subjects to the extent that it is inconsistent with the data protection right guaranteed by Article 16 on the Treaty on the Functioning of the European Union. Nor in its view does the Commission's proposal provide access to an effective judicial remedy. On the other side, the Commission Legal Service has disputed these assertions on the grounds that both are fundamentally misconceived. Many member states, including the UK, have argued that this issue needs to be resolved before the Council can make further progress on the One-Stop Shop. However, almost four months on, there has been no breakthrough in these discussions.

"At the most recent Justice and Home Affairs Council meeting on 4 March 2014, the current Greek Presidency of the Council had hoped to secure 'general agreement' on a number of measures, including territorial scope, pseudonymisation, profiling, data portability, the obligations on controllers and processors and provisions dealing with international transfers. However, there was near uniform opposition from Member States to any form of agreement on the text as it was considered that the parts of the text under consideration were either not ready or had not been substantively discussed at the working group level. Against this background of opposition, the Presidency recast discussions as an orientation debate. In particular, the Presidency asked the Council to confirm "its broad support" on draft measures set out around territorial scope and "its understanding" on key principles of international data transfers. Furthermore, the Presidency also requested that the technical working group should continue its work on pseudonymisation of data, data portability and obligations on controllers and processors."

14.5 The Minister then comments on the likely timetable for agreement of the package:

"The prospects for agreement before European Parliament Elections in May were already slim, but the absence of agreement on the measures put forward at the March JHA Council, the disagreements between Member States on the proper role of the One-Stop Shop and the related dispute between the Legal Services means that there is no realistic prospect of agreement under the current Commission/European Parliament term. Given the demonstrative lack of progress in the Council, even the Commission has now reluctantly conceded that agreement on the file will not happen until the end of 2014. This would be in line with the conclusions of the October 2013 European Council which stated: "It is important to foster the trust of citizens and businesses in the digital economy. The timely adoption of a strong EU General Data Protection framework and the Cyber-security Directive is essential for the completion of the Digital Single Market by 2015."

"In addition, there are divergent views on the territorial scope, consent, the ability to charge a fee for subject access requests, the system for international transfers, the role of the European Data Protection Board and the fines regime."

14.6 On the question of the level of support for the UK position that the General Regulation should take the more flexible form of a Directive, the Minister says:

"there is a split in Council on the preferred form of instrument, with the Commission and a majority of Member States favouring a Regulation and the UK and a smaller number of other Member States supportive of a Directive.

"On this point, we consider that changing the form of instrument to a Directive would provide for greater Member State flexibility in the transposition of the new framework and take better account of national tradition and legal practice. When we last wrote to the Committee, we had indicated that the following Member States had a preference for a Directive as the form of instrument: the UK, Denmark, Sweden, Belgium, Czech Republic, Hungary, Estonia and Slovenia. As it currently stands, the balance of Member States in favour and opposed to the form of instrument remains the same. This would leave the UK short of a blocking minority.

"However, the pivotal Member State in these discussions is Germany. Germany had initially hoped to have a Regulation for the private sector and a Directive for the public sector but this position failed to gain sufficient traction among other Member States in the Council.

"The UK has previously suggested to Germany that changing the form of instrument to a Directive could deliver their policy objective of a carve-out for the public sector. A German change in tack would shift the balance in Council and provide a blocking minority on the form of instrument. However, at this point, Germany remains to be convinced of this approach, whilst changing the form of instrument from a Regulation to a Directive remains a red line for the Commission. The approach of successive presidencies has been to defer consideration of the form of instrument until after the text of the instrument has been agreed in Council, so for now, the question remains unresolved."

14.7 Focusing on the question of progress in the negotiation of the Directive, the Minister comments:

"With regards to the proposed criminal justice Directive, there has been much less activity on this dossier. The JHA Council has not considered the proposed Directive with successive presidencies preferring to focus ministers' attention on the Regulation. To some extent, many Member State delegations are waiting for more substantive agreement on the Regulation and then seeing what can be applied to the Directive so consideration of the two dossiers in tandem has not necessarily resulted in progress being made.

"A number of Member States have questioned the timing of introducing a new law enforcement instrument when the existing 2008 Data Protection Framework Decision has not been fully implemented in all Member States. In addition, the Government retains a number of specific concerns on the Directive, for example on subject access request and reviewing agreements for international transfers of data. The UK delegation to the technical working group continues to raise issues around points such as these with Ministry of Justice and Home Office officials working closely in order to maintain an aligned position."

Conclusion

14.8 We thank the Minister for providing this update. Given that it is more than eight months since the Government last updated us, we look forward to being kept more regularly informed in future on the progress of the negotiations on both legislative proposals.

14.9 We note the pivotal position of Germany on the question of the form of the general data protection proposal, document (a). We recall the strong preference for the option of a Directive expressed in the Opinion we received from the Justice Committee on the proposed package. When the Minister next writes to us, we would be interested to learn the reasons for the German preference for a Regulation and whether the Snowden revelations have hardened that position.

14.10 In the meantime, all the current documents, (a)-(d) inclusive, remain under scrutiny.

66   See headnote: HC 83-xiii (2013-14) chapter 24 (4 September 2013). Back

67   See headnote in relation to documents (c) and (d): HC 83-xxxiii (2013-14), chapter 9 (12 February 2014). Back