Documents considered by the Committee on 28 January 2015 - European Scrutiny Committee


5 Data Protection in the EU

Committee's assessment: Legally and politically important

Committee's decision: Not cleared from scrutiny; further information requested (a) Draw to the attention of the Justice Committee

Document details: (a) Draft General Data Protection Regulation, (b) Draft Police and Criminal Justice Data Protection Directive, (c) Commission Communication on EU-US data flows, (d) Commission Communication on the Safe Harbour

Legal base: (a) Article 16(2) and 114(1) TFEU; co-decision; QMV (b) Article 16(2) TFEU; co-decision; QMV (c) and (d) —

Department: Ministry of Justice

Document numbers:

(a) (33649), 5853/12 + ADDs 1-2, COM(12) 11

(b) (33646), 5833/12 + ADDs 1-2, COM(12) 10

(c) (35608), 17067/13, COM(13) 846

(d) (35609), 17069/13, COM(13) 847

Summary and Committee's conclusions

5.1 The Commission initially proposed the Data Protection package, comprised of the General Data Protection Regulation (document (a)) and the Police and Criminal Justice Data Protection Directive (document (b)), in January 2012. This was to update the EU's 1995 data protection rules in line with technological developments in the use of personal data and to strengthen online privacy rights, increase consumer confidence, boost growth and address divergent national implementation of the existing rules.

5.2 In the course of our scrutiny, we have endorsed the opinion we received from the Justice Committee that the proposal, in its original prescriptive form, would not produce a proportionate, practicable, affordable or effective system of data protection. We agreed that there needs to be a selective approach to harmonisation, embracing the co-operation and co-ordination elements of the proposal but leaving implementation of compliance issues to the Member States. We have encouraged the Government to press the Commission to review its own costs' estimates in the light of impact assessment evidence from the UK and other Member States and to marshal their support in the negotiations.

5.3 Since then, despite the failure of a partial general approach (PGA) in June 2013 and the Snowden disclosures concerning the surveillance of the communications of EU citizens (to which documents (c) and (d) relate), there have been three PGAs agreed at the consecutive JHA Councils of June, October and December 2014. The Government opposed the first two PGAs (on third country transfers of data, extraterritoriality and on obligations on data controllers when processing data). The Minister of State for Justice and Civil Liberties (Simon Hughes) now writes to confirm that, conversely, the UK supported the third (on Chapter IX provisions—research and freedom of speech) and the reasons why. He also outlines the substance of the PGA and provides some response to our last Report of 26 November 2014.

5.4 We thank the Minister for his update, which is helpful, overall. However, he addresses much of his response to comments and questions contained in a letter of 26 November written not by us,[27] but by the House of Lords' EU Committee. Although we recognise that some of the information the Minister provides for that Committee is also of interest to us, it is confusing for scrutiny purposes for a generic letter to be sent to both Committees, especially when correspondence referred to is wrongly attributed. We would be grateful if separate letters could be written in future which address each respective Committee's concerns in addition to providing an update on negotiations.

5.5 As a result of this, we consider that responses are still outstanding from the Minister to our questions set out in paragraphs 9.6 and 9.8 of our most recent Report which addresses this matter, agreed on 26 November. In particular, our question at 9.8 (ii) of this Report on the "right to be forgotten" is not answered by the Minister simply referring to a letter he wrote to the House of Lords Committee on 6 November.

5.6 Although the Minister does not address the specific question we set out at paragraph 9.7 of our last Report, concerning the disagreement between the Council Legal Service and Commission on the "one-stop-shop", he does provide a full response on the question of overall progress on this general issue with which we are broadly satisfied. However, we:

i)  would welcome further clarification of the Minister's assertion that the proposed European Data Protection Board (EDPB) "should not have the power to take decisions which are legally binding on Member States that are not in agreement with its decision". Does the Minister really consider such an approach is workable?

ii)  look forward, in due course, to hearing more about the "alternative" UK model for a one-stop-shop and whether it achieves any currency with other Member States.

5.7 The Minister does comment directly on our concerns relating to the consistency of the Government's policy on the use of partial general approaches (paragraph 9.5 of our last Report). On this issue, we draw the Minister's attention to the oral evidence given to us by the Justice Secretary on 12 January. In the light of both this and the Minister's letter, we ask him to respond to our further concerns that:

i)  we have yet to receive formal recognition from the Government, that the agreement of the partial general approach at the December JHA Council amounted to a scrutiny override—we are clear that it did; and

ii)  the Government's policy on partial general approaches remains extremely confusing: whilst the Justice Secretary seems to think they are "meaningless" and "they do not do anything, because they do not agree the final document", the Minister now says the Government did not agree the October partial general approach because "the scope for coming back to readdress any outstanding issues in the text we remained unhappy with could be relatively slim". Could the Minister please confirm which of these two conflicting views is preferable? Are partial general approaches open to renegotiation and, if he thinks so, could he please provide us with examples on other dossiers of such renegotiation?

5.8 In the meantime, we are drawing this Report to the attention of the Justice Committee and retaining all documents (a)-(d) under scrutiny.

Full details of the documents: (a) Draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data: (33649), 5853/12 + ADDs 1-2, COM(12) 11; (b) Draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data: (33646), 5833/12 + ADDs 1-2, COM(12) 10; (c) Commission Communication: Rebuilding Trust in EU-US Data Flows: (35608), 17067/13, COM(13) 846; (d) Commission Communication on the Functioning of the Safe Harbour from the perspective of EU Citizens and Companies Established in the EU: (35609), 17069/13, COM(13) 847.

Background and previous scrutiny

5.9 The background to documents (a) and (b), a detailed account of their provisions and the Government view of them is provided principally in our Fifty-ninth Report of 2010-12.[28] Our Twenty-sixth Report of 2012-13[29] sets out our summary and conclusions on the opinion we obtained from the Justice Committee. An account of the background and contents of documents (c) and (d) and the Government view of them was set out in our Thirty-sixth Report of 2013-14.[30]

5.10 In our last Report of 26 November, we:

·  continued to be concerned about the use of PGAs, but welcomed the encouraging moves towards a more proportionate, risk-based approach to the draft Regulation reflected in the PGA on the obligations of data controllers;

·  requested that the Government confirm whether its opposition to the use of partial general approaches was limited to the negotiation of document (a) or would be adopted in all negotiations of EU legislation;

·  expected the Government to oppose the proposed December PGA on research and freedom of speech provisions (though we were reassured that it had UK stakeholder support);

·  linked to this, asked the Government how the type of concerns raised by the Newspaper Society and the BMA would be addressed;

·  asked the Minister about further discussions on the proposed regulatory "one-stop-shop" and to inform us when and how the disagreement between the Council Legal Service and Commission was resolved and how this would impact on negotiations;

·  pursued a response to outstanding questions on the extraterritorial reach of document (a), given the June PGA; and

·  asked for an update on Council discussions on the "right to be forgotten" provision (as there had been a policy debate on it during the October JHA Council) and its relationship with the Google judgment.[31]

Written Ministerial Statement of 10 December 2014

5.11 Progress on document (a) at the 4-5 December JHA Council was first reported to the House as part of the Home Secretary's Written Ministerial Statement of 10 December[32]:

    "The justice day began with a discussion on the proposed general data protection regulation. The presidency sought a partial general approach on a number of articles intended to provide member states with flexibility to adapt the application of the rules to their public sectors, and on chapter IX, on rules for data processing for research, scientific and journalistic purposes. The Commission encouraged member states to accept the compromise between common standards and a measure of flexibility now available for particular national approaches. A majority of member states, including the UK, agreed the deal.

    "The discussion of the data protection regulation continued with an orientation debate on the presidency's proposed structure for a 'one stop shop' mechanism, which is intended to reduce burdens for business by enabling all of their operations in different member states to be overseen by the data protection regulator in their home state. While there was support for the principle and most member states accepted the compromise proposed by the presidency, the UK and a number of other member states expressed concerns that, with legally binding powers for the European data protection board (EDPB) to resolve disputes, the model proposed would fail to achieve the stated objectives of legal certainty, quick decisions and proximity for the data subject. The presidency concluded that a majority of member states accepted the basic elements of its proposal, including the proposed European data protection board, but noted that questions remained, and tasked the official-level working group to develop the detail in the light of this steer.

    "The presidency also provided a separate update on the proposed data protection directive covering the processing of personal data for criminal justice purposes. The file remains under discussion, and the working group has recently focused on the scope of the directive. The UK Government believe that the priority should be on agreeing the text of the general regulation."

Oral evidence of the Justice Secretary taken on 12 January 2015

5.12 The Lord Chancellor and Secretary of State for Justice (Chris Grayling) was asked the following question on PGAs at the oral evidence session of 12 January:

    "On 19 November, the Government told the Committee that, in the context of the negotiation of the proposed general data protection regulation, the UK 'objected in principle to the use' of partial general approaches agreed at the June and October Justice and Home Affairs Councils, and therefore they did not support either. But the Home Secretary, by contrast, in a ministerial statement of 10 December, told the House that at the December Justice and Home Affairs Councils, also attended by the Justice Secretary, another partial general approach was agreed, and that 'a majority of member states, including the UK, agreed the deal'. Such agreement, falling within the scrutiny and reserve resolution, has triggered a scrutiny override. It seems, therefore, that the Government objects in some cases in principle — so they say — to partial general approaches, and in other cases, does not, as has recently been illustrated by another case: the negotiation of the proposed general data protection regulation. What is the Government's policy? Is it in principle?"[33]

5.13 The Justice Secretary responded:

    "There are quite a lot of European things I, in principle, object to, but I am also a coalition Minister as opposed to simply a Conservative Minister, and so therefore I have to be mindful of overall Government strategy. If we take, first of all, the overall approach to partial general approaches, I do not like them, and I do not generally support them. I have been very clear in saying to the Council that I do not think they are a satisfactory way of proceeding.

    "At that particular meeting—the last European Council—we had seen the text of the data protection regulation take a significant step in the right direction after extensive negotiations. This has been the most unbelievably complicated process; it has been going on since before I was Secretary of State, and it is still going on and it is still not in sight of completion. You have to, on the day, apply a bit of diplomacy, and my judgment was that quite a lot of work had been put in place by both the Commission and the Presidency to try to get that piece of text to a point where it was in much better shape. I simply judged, with the arrival of a new Commissioner and with a new Presidency about to start—at the end of the previous Presidency—that there are moments where, if the EU is doing the right thing, we probably help our national interest better when we have to try to combat difficult things if we say if something has been done okay. That is why I took the decision at the Council that on this occasion, whilst I do not like partial general approaches—and if you look at my remarks on that day, I said that I did not normally support partial general approaches—it had made genuine progress, and therefore I let it through on that day."[34]

5.14 The Justice Secretary was then asked whether the "whole idea of partial general approaches" amounted to "opening a barn door and letting the horse bolt".[35]

5.15 The Justice Secretary did not think so. He said:

    "Not really. A partial general approach has no final substance, because nothing is agreed until everything is agreed, in this particular case. It is no more than erecting a signpost saying, 'Okay, we have made some progress'. Normally, it is something that is just an excuse to say, 'We have tried hard and not made much progress, but here is something we have done'. In this particular case, I thought that our negotiating team, the Commission and the Council had made genuine progress, and I thought it was pretty churlish for the UK to say, 'Well, we are going to vote against it'."[36]

5.16 It was then put to the Justice Secretary that "Rowing back from a partial general approach once agreed must be virtually impossible. The decision is effectively being made, whatever happens after that".[37]

5.17 The Justice Secretary responded:

    "Up to a point. You can do, because it is not all agreed until it is agreed. It is the totality that has to be ultimately agreed. It is no more than saying, when studying a document, 'We like paragraph five; that is fine, and we will tick the box on that'. We still do not agree the whole document until the whole thing is agreed."[38]

5.18 He was then pressed about the consistency of the Government's policy on PGAs:

    "Should the Government not change its policy, then? It is objecting to something in principle, except when it does not disagree with it. It really seems to be contradictory. Should the Government say, 'Well, actually, what we said on that occasion no longer applies; we agree to them when they are all right, but not when they are not all right'?"[39]

5.19 The Justice Secretary said:

    "I do not like using partial general approaches, because I think they are window-dressing and meaningless. There are just moments when I judge it is not in the interests of the United Kingdom to vote against something for the sake of voting against it. Politics, and government, is about pragmatism. There are just some occasions when for reasons of pursuing the interests of the United Kingdom it is worth saying, 'Okay, on this occasion, I will let this go, because I think we have made good progress'."

5.20 He added, when questioned again about the consistency of the Government objecting "in principle" to PGAs, but then sometimes accepting them:

    "I do not expect to do it very often. I think, in principle, they are a waste of time, but there are moments when you reflect the circumstances when something is harmless. The problem with partial general approaches is that they do not do anything, because they do not agree the final document. Therefore, to build up some great crescendo and say, 'We have agreed a partial general approach', is not terribly meaningful, and that is why I object to them as a tool. But, as I said, if you are dealing on the day with a new Commission, a new Commissioner, and genuine progress made on a bit of text by all of those involved, just voting against it at that moment in time seemed inappropriate."[40]

The Minister's letter of 21 January 2015

5.21 The Minister of State for Justice and Civil Liberties (Rt Hon Simon Hughes) provides an update on the progress of document (a) at the December JHA Council.

PARTIAL GENERAL APPROACHES (PGAS)

5.22 He first informs us of the agreement of the PGA at the December JHA Council.

    "At this meeting the then Italian Presidency of the Council secured a 'partial general approach' (PGA) on Chapter IX of the GDPR, dealing with provisions relating to specific data processing situations, as well as on Articles 1, 6 and 21. As with the previous PGA on Chapter IV (controllers and processors), a number of caveats were included as part of this agreement. The inclusion of such caveats, which I outlined in my previous letter, was an attempt to reassure Member States that any partial agreement would be subject to further consideration to make sure of overall coherence with the Regulation."

5.23 He then sets out to explain why the Government objected to the two previous PGAs on Chapter V (international transfers) and Chapter IV (obligations on data controllers):

    "The reason for objecting to PGAs in these cases was that the caveat 'nothing is agreed until everything is agreed' (allowing for certain issues in the text to be revisited) means that any agreement could be potentially misleading. Despite the UK being broadly supportive of the substance of the text of Chapter IV, when the text was put forward for a PGA at October's JHA Council there were certain areas where we thought there could be further improvements. We therefore felt unable to support any sort of PGA because, as I explained to you in my letter of 19 November, the scope for coming back to readdress any outstanding issues in the text that we remained unhappy with could be relatively slim."

5.24 He further explains that the Government felt able to agree the PGA at the December Council on Chapter IX (provisions dealing with statistical, scientific and medical research, freedom of expression and other specific data processing situations) and Articles 1 (objectives), 6 (lawful grounds for processing) and 21 (restrictions) because it was in a "different position". He adds:

    "The reason for this was the proposed text was broadly a continuation of existing arrangements and continues to preserve the ability of organisations in such sectors to process personal data in ways in which they are legitimately able to do so at present. Furthermore, the Council text is in a much better place than the version that was agreed by the European Parliament in March 2014 which could be interpreted as narrowing the ability to carry out vital research processing. Relevant stakeholders in these sectors are supportive of the Council version of the text. We therefore felt in a position to be able to agree to PGAs in these areas with a view to progressing negotiations and preserving UK influence in other important areas of the text."

5.25 Responding to our question in our last Report as to whether the Government's opposition to the use of PGAs is limited to the negotiation of document (a) or will be adopted in all negotiations of EU legislation, he says:

    "While the Justice Secretary has been clear that he does not consider the use of PGAs, as a general rule, to be helpful, he also considers there must be a case-by case assessment as to whether any agreement is in the UK interest. In the circumstances of this particular case, and after careful consideration of the benefits of doing so which I set out above, the Justice Secretary consider (sic) that this case warranted agreement."

RESPONSE TO THE LETTER OF THE HOUSE OF LORDS' EU COMMITTEE OF 26 NOVEMBER

5.26 The Minister then seeks to respond to comments and questions set out by the House of Lords' EU Committee in its letter of 26 November:

    "I am glad that you found our update on Chapter IV to be useful and I can confirm that we are indeed still continuing to seek to reduce the burden on business and SMEs. Regarding the so-called 'right to be forgotten', my letter of the 6 November outlined in detail how the government is seeking to distinguish the suggested provision in the GDPR from the 'Google Spain' judgment. We appreciate your suggestion of pursuing a change of name for the expression 'right to be forgotten' in the Council's text. However, as you rightly say, this may be unrealistic at this stage given the majority view in Council.

    "In your previous letter of 26 November, you also refer to a number of questions that have previously been put to us but to which you still seek answers. I would like to take this opportunity to respond to you on these points and offer some insight into the present state of negotiations.

    "You asked how other Member States reacted to the impact assessment produced by the government in November 2012. We were one of only two Member States to carry out an impact assessment of the EU Commission's original proposals — the Netherlands being the other — and this analysis was well received by other Member States. In this regard, we were well placed to argue against the prescriptive nature of the original commission proposals, in particular the disproportionate cost on business, and specifically SMEs. This was one of the main concerns of the majority of Council members. It was also a key driver behind the risk-based approach as introduced by the Irish Presidency and further strengthened under the current Italian Presidency. Chapter IV, agreed under a PGA in October, now includes risk triggers for engaging obligations on data controllers. For example, the requirement to maintain records of categories of processing or to notify DPAs of breaches is only necessary in cases of high risk. This risk-based approach is also consistent with the approach of exempting SMEs unless the processing is of particular high risk.

    "With regards to the issue of the 'one-stop-shop', this is something that the Italian Presidency focussed on after October's JHA Council and set aside a series of meetings to try to resolve the issue throughout the month of November. The objective of the Presidency was to get the 'one-stop-shop' to a point that it could be put forward for agreement at December's JHA Council. However, there continues to be disagreement amongst Member States over how to balance the issues of proximity of decision-making for data subjects, legal certainty for business, and effective and streamlined decision-making. As such, an orientation debate on this issue was held instead. The UK has maintained that any incarnation of a European Data Protection Board (EDPB) in the text should not have the power to take decisions which are legally binding on Member States that are not in agreement with its decision. To date, despite concerns being expressed widely about the complexity of the proposed model and the scope for delay/confusion, the UK's position has mustered little support in working groups with only Ireland, Poland and, tentatively, Luxembourg sharing our concerns on this matter.

    "To gain wider buy-in to our concerns, the Ministry of Justice is in the process of working up its own model for the 'one-stop-shop', introducing quantitative filters to restrict the circumstances which would lead to a referral to the EDPB. At the most recent discussion on the 'one-stop shop' on the 17 December the UK reserved its position with a view to promoting our alternative model with other Member States in preparation for when this issue is revisited under the Latvian Presidency. We will continue to work with other Member States to persuade them of our alternative approach, while looking to reduce the volume of cases that are referred to the EDPB to avoid unnecessary institutional delay and bureaucracy in decision-making."

5.27 The Minister ends his letter by summarising the Government's overarching position on document (a):

    "we want to strike the right balance between the protection of personal data and creating the right conditions for innovation and economic growth. We will continue to work with other Member States to make sure that the text best reflects these concerns and that any obligations are both proportionate and achievable."

Previous Committee Reports

(a) and (b): Twenty-second Report HC 219-xxi (2014-15), chapter 9 (26 November 2014); Twelfth Report HC 219-xii (2014-15), chapter 8 (10 September 2014); Forty-seventh Report HC 83-xlii (2013-14), chapter 14 (30 April 2014); Thirteenth Report HC 83-xiii (2013-14), chapter 24 (4 September 2013); Eighth Report HC 83-viii (2013-14), chapter 11 (3 July 2013); Third Report HC 83-iii (2013-14), chapter 15 (21 May 2013); Thirty-first Report HC 86-xxxi (2012-13), chapter 7 (6 February 2013); Twenty-sixth Report HC 86-xxvi (2012-13), chapter 11 (9 January 2013); Eighth Report HC 86-viii (2012-13), chapter 5 (11 July 2012); Fifty-ninth Report HC 428-liv (2010-12), chapters 7 and 8 (14 March 2012); (c) and (d): Twenty-second Report HC 219-xxi (2014-15), chapter 9 (26 November 2014); Twelfth Report HC 219-xii (2014-15), chapter 8 (10 September 2014); Forty-seventh Report HC 83-xlii (2013-14), chapter 14 (30 April 2014); Thirty-sixth Report HC 83-xxxiii (2013-14), chapter 9 (12 February 2014).


27   The Minister's letter of 21 January 2015, addressed to our Chairman, Sir William Cash, refers to "in your previous letter of 26 November" when this letter was written by the House of Lords' EU Committee.

28   Fifty-ninth Report HC 428-liv (2010-12), chapters 7 and 8 (14 March 2012).

29   Twenty-sixth Report HC 86-xxvi (2012-13), chapter 11 (9 January 2013).

30   Thirty-sixth Report HC 83-xxxiii (2013-14), chapter 9 (12 February 2014).

31   Case C-131/12

32   Written Ministerial Statement Col 43WS of the Secretary of State for the Home Department on 10 December 2014.

33   Q 46 [Kelvin Hopkins] Oral evidence taken on 12 January 2015, HC 919 (2014-15).

34   Q 46 [Chris Grayling]

35   Q 47 [Kelvin Hopkins]

36   Q 47 [Chris Grayling]

37   Q 48 [Kelvin Hopkins]

38   Q 48 [Chris Grayling]

39   Q 49 [Kelvin Hopkins]

40   Q 51 [Chris Grayling]


 


© Parliamentary copyright 2015
Prepared 6 February 2015