Documents considered by the Committee on 11 March 2015 - European Scrutiny


11 Data Protection in the EU

Committee's assessment: Legally and politically important

Committee's decision: Not cleared from scrutiny; further information requested on document (a); drawn to the attention of the Justice Committee.

Document details: (a) Draft General Data Protection Regulation, (b) Draft Police and Criminal Justice Data Protection Directive, (c) Commission Communication on EU-US data flows, (d) Commission Communication on the Safe Harbour

Legal base: (a) Article 16(2) and 114(1) TFEU; co-decision; QMV (b) Article 16(2) TFEU; co-decision; QMV (c) and (d) —

Department: Ministry of Justice

Document numbers:

(a) (33649), 5853/12 + ADDs 1-2, COM(12) 11

(b) (33646), 5833/12 + ADDs 1-2, COM(12) 10

(c) (35608), 17067/13, COM(13) 846

(d) (35609), 17069/13, COM(13) 847

Summary and Committee's conclusions

11.1 The Commission initially proposed the Data Protection package, comprised of the General Data Protection Regulation (document (a)) and the Police and Criminal Justice Data Protection Directive (document (b)), in January 2012. This was to update the EU's 1995 data protection rules in line with technological developments in the use of personal data and to strengthen online privacy rights, increase consumer confidence, boost growth and address divergent national implementation of the existing rules.

11.2 In the course of our scrutiny, we have endorsed the opinion we received from the Justice Committee that the proposal, in its original prescriptive form, would not produce a proportionate, practicable, affordable or effective system of data protection. We agreed with that Committee that there needs to be a selective approach to harmonisation, embracing the co-operation and co-ordination elements of the proposal but leaving implementation of compliance issues to the Member States. We have encouraged the Government to press the Commission to review its own costs' estimates in the light of impact assessment evidence from the UK and other Member States and to marshal their support in the negotiations.

11.3 Since then, despite the failure of a partial general approach (PGA) in June 2013 and the Snowden disclosures concerning the surveillance of the communications of EU citizens (to which documents (c) and (d) relate), there have been three PGAs agreed at the consecutive JHA Councils of June, October and December 2014. The Government opposed the first two PGAs "in principle" (on third country transfers of data, extraterritoriality and on obligations on data controllers when processing data). However, it departed from this approach, without warning and without requesting a scrutiny waiver, in supporting the third (on Chapter IX provisions—research and freedom of speech).

11.4 In our last Report of 28 January,[20] we said that we were clear that the Government had overridden scrutiny but awaited their formal recognition of this. We also said:

"ii) the Government's policy on partial general approaches remains extremely confusing: whilst the Justice Secretary seems to think they are 'meaningless' and 'they do not do anything, because they do not agree the final document', the Minister now says the Government did not agree the October partial general approach because 'the scope for coming back to readdress any outstanding issues in the text we remained unhappy with could be relatively slim'. Could the Minister please confirm which of these two conflicting views is preferable? Are partial general approaches open to renegotiation and, if he thinks so, could he please provide us with examples on other dossiers of such renegotiation?"

11.5 Additionally, we asked the Government:

i)   to respond to questions still outstanding from our Report of 26 November at paragraphs 9.6 and 9.8, including that on the "right to be forgotten";

ii)  for further clarification, in relation to the "one-stop-shop" mechanism, of the Minister's assertion that the proposed European Data Protection Board (EDPB) "should not have the power to take decisions which are legally binding on Member States that are not in agreement with its decision" and whether this is workable; and

iii)  to explain more about the "alternative" UK model for a one-stop-shop and whether it gains any currency with other Member States.

11.6 We thank the Minister for his letter, which addresses nearly all of the issues outstanding from our last Reports.

11.7 However, we still await a response on the latest UK position concerning the "Right to be Forgotten" provision. We understand from the Home Secretary's Pre-Council Written Statement of 5 March that a General Approach may be sought in June: "The presidency's overarching ambition remains to secure a general approach at the June Justice and Home Affairs Council"[21]. Any such agreement would, we assume, require agreement of this important provision which has not yet been covered by a Partial General Approach (PGA). Overall, by our reckoning, the rest of that important Chapter III (rights of data subjects), much of Chapter I (General Provisions) and Chapters VIII (remedies, sanctions), X (delegated and implementing acts) and XI (final provisions) are yet to be the subject of any agreement in Council. As our successor Committee may not have been appointed by that time, we request that we are given the opportunity to scrutinise the position that the Government intends to take on the "Right to be Forgotten" provision before the dissolution of Parliament. Bearing in mind what else remains to be agreed, we also ask to be sent the latest version of the text, albeit limité and subject to the usual restrictions, so that we can consider it before dissolution and for the Government to highlight to us any particularly contentious points on the issues that remain.

11.8 We welcome the Government's recognition of the previous scrutiny override but firmly reject the reasons it advances to support its previous approach. Our position is based on logic and consistency, not strength of feeling. The Government's argument that a heavily caveated PGA would not necessarily fall within our scrutiny reserve would create a situation of unacceptable uncertainty—it would be a highly subjective exercise to determine on the occasion of each PGA whether it was sufficiently caveated to fall outside our reserve. In any event, we doubt whether the Government is entirely convinced by its own arguments because:

a)  as we have previously pointed out, the Minister himself has doubted whether a previous Partial General Approach might be capable of being renegotiated, which must logically indicate that the Government doubts the effectiveness of PGA caveats; and

b)  the Home Secretary in her Written Ministerial Statement to Parliament on the outcome of the December JHA Council described the PGA achieved as a "deal", suggesting that the Government considered that firm agreement had been achieved.

11.9 We would have appreciated more detail on the possible content of the PGA to be sought at the March JHA, with the exception of the One-Stop-Shop which is addressed in some detail. We understand that the Minister will now abstain in the forthcoming PGA and ask that when he next writes, he informs us of the outcome of the JHA Council immediately after it takes place. We would also appreciate any update on the proposed extension of the scope of the Directive (document (b)) which he has told us about.

11.10 In the meantime, we are drawing this Report to the attention of the Justice Committee and retaining all documents (a)-(d) under scrutiny.

Full details of the documents: (a) Draft Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data: (33649), 5853/12 + ADDs 1-2, COM(12) 11; (b) Draft Directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data: (33646), 5833/12 + ADDs 1-2, COM(12) 10; (c) Commission Communication: Rebuilding Trust in EU-US Data Flows: (35608), 17067/13, COM(13) 846; (d) Commission Communication on the Functioning of the Safe Harbour from the perspective of EU Citizens and Companies Established in the EU: (35609), 17069/13, COM(13) 847.

Background and previous scrutiny

11.11 The background to documents (a) and (b), a detailed account of their provisions and the Government view of them is provided principally in our Fifty-ninth Report of 2010-12.[22] Our Twenty-sixth Report of 2012-13[23] sets out our summary and conclusions on the opinion we obtained from the Justice Committee. An account of the background and contents of documents (c) and (d) and the Government view of them was set out in our Thirty-sixth Report of 2013-14.[24]

Minister's letter of 1 March 2015

11.12 The Minister of State for Justice and Civil Liberties (Simon Hughes) writes to provide us with an update on documents (a) and (b) following the informal JHA Council on 30 January and the negotiations which have taken place in the DAPIX working groups during the first two months of the Latvian Presidency. He also writes to respond to the questions we raised in our last Report (see paragraphs 11.4—11.5 above). He also apologises for the confusion caused by his previous correspondence between points that had been raised in previous scrutiny by us and those raised by the House of Lords' Committee. He promises that future letters will be suitably tailored to the concerns of the individual committees.

INFORMAL JUSTICE AND HOME AFFAIRS COUNCIL

11.13 He first addresses the informal JHA Council. He says:

    "The delimitation of the scope of the draft General Data Protection Regulation (GDPR) and the draft Data Protection Directive was discussed at the recent Informal JHA Council in Riga. This is an important matter as it will determine the extent to which the stricter rules under the GDPR apply to law enforcement activities. I believe that it is important that we avoid the creation of a complex patchwork data protection regime for law enforcement authorities, clarify that private companies who have a contractual obligation to carry out processing for law enforcement purposes are covered by the Directive and make sure that the protections established in the Treaties are not undermined.

    "During the Council, Member States were asked whether they would like the scope of the Directive to remain as proposed by the Commission (i.e. limited to the processing of personal data by competent authorities "for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties") or whether they would rather the wording be extended to include processing by competent authorities for the purposes of "maintaining law and order and the safeguarding of public security." In order to avoid a complex, patchwork regime, the Government agrees with Member States who would prefer to see a broader scope for the Directive (for example to include processing carried out under the Victims Directive), however we are concerned about the broad and imprecise language that is currently being proposed to widen this scope. As such, at the Council the Government called for alternative options to be considered and for sufficient time to be allocated to discuss this issue so that we can be certain that the lines are correctly drawn."

DAPIX WORKING GROUP UPDATE

11.14 The Minister tells us:

    "In addition to the Informal JHA Council, three rounds of DAPIX working groups have taken place in Brussels under the Latvian Presidency. The first (15/16 January) was dedicated to Chapter II (principles relating to personal data processing), the second (26/27 January) to the 'One-Stop-Shop' mechanism and the third (5/6 February) to both the 'One-Stop-Shop' and Chapter II. Since then and before JHA Council on 13 March, there will have been three JHA Counsellors' and two COREPER meetings attended by UKRep officials."

QUESTIONS OUTSTANDING FROM OUR PREVIOUS REPORTS

11.15 The Minister responds:

    "Turning now to the outstanding questions from your previous correspondence and, firstly, the answer you seek to the questions set out in paragraph 9.6 (sic) of your report of 26 November 2014. These ask how the Government has addressed the "specific concerns raised by the Newspaper Society and the British Medical Association"[25]. These concerns were set out in your 2013 report[26]; however, it is worth noting that the current text being discussed has moved on considerably since.

    "a) The Newspaper Society and the 'Right to be Forgotten'

    "The Newspaper Society highlighted the potential detrimental effect upon freedom of expression which could be 'wrought' by the application of a so-called 'Right to be Forgotten'. We believe that the CJEU's 2014 ruling on Google Spain does provide some useful points for discussion when examining the issue of the so-called 'Right to be Forgotten'. However, direct implementation of the judgment into the text of the Regulation could be very problematic as the judgment was based on a limited set of facts and made in a very specific context.

    "Article 17, included in Chapter III of the Regulation and covering the 'Right to be Forgotten', is still due for discussion in working groups and the Government is currently lobbying other Member States to make sure that any such direct implementation of the CJEU's judgment into the Regulation does not happen.

    "That said, the Newspaper Society's concerns from 2012 are less specific and the Government has negotiated hard in favour of exemptions relating to journalistic work and freedom of expression. These are listed in Article 80 of the Regulation that provides derogations to reconcile the right to the protection of personal data with right to freedom of expression and information; this includes processing for journalistic purposes as well as the purposes of academic, artistic and literary expression.

    "b) The British Medical Association

    "The separate concerns of the British Medical Association to which you refer in your 2013 report were also, at one time, of concern to the Government. However, the current Latvian version of the text has made considerable progress in the field of the processing of data for medical research purposes. As I wrote in my previous letter dated 21 January, our concerned stakeholders were supportive of the Council version of the proposed text for Chapter IX (inclusive of Article 83 to which the British Medical Association refer in your report) when this was put forward for a Partial General Approach (PGA) at JHA Council in December 2014.

    "In addition to this, the Government has continued its close collaboration with other stakeholders in the medical profession with regards to provisions made for data processing for health purposes in Chapter II. This has resulted in further, positive changes being made to the draft text in this chapter also, including reducing burdens for those processing for health purposes and the inclusion of more flexibility for social care. Here, our stakeholders have expressed themselves as being content and much appreciate the UK's conduct of the negotiations to gain these improvements over previous versions of the text and crucially, in the lead up to trilogue negotiations, the European Parliament's agreed wording."

ONE-STOP-SHOP

11.16 The Minister says:

    "With regard to the One-Stop Shop, you quote my assertion that the proposed European Data Protection Board (EDPB) should not have the power to take legally binding decisions and ask whether I 'really consider that such an approach is workable?'. I do believe that such an approach is workable; this is, in fact, identical to the original model proposed by the European Commission, seen by many as being the purest version of a 'one-stop-shop'. Whether or not the model is negotiable, however, is a different question and the UK has found it difficult to muster support in working groups for a One-Stop-Shop model that did not give any legally binding powers to a European Data Protection Board.

    "The Government also put forward an alternative model for the One-Stop-Shop. This was a model of voluntary arbitration requiring concerned Data Protection Authorities (DPAs) to come to a collective agreement to voluntarily refer cases to the EDPB for resolution should they not be able to agree between themselves. The intention behind this proposal was to ensure that only the most serious cases would be handed over to the EDPB for its judgment and would encourage DPAs to resolve cases on a more localised level.

    "Unfortunately, this model did not gain sufficient support among other member states, who thought the threshold for referral to the EDPB was too high. We have, however, been able to gain support for some form of 'quantitative filter' whereby a percentage of concerned DPAs would have to agree to a referral to the EDPB; and a 'qualitative filter' so that only reasoned concerns act as a trigger for referral. We have also negotiated to limit the scope of the definition of a concerned DPA to those with a real interest in the case. We also intend to make sure that the EDPB's role is limited to one of deciding whether or not a breach has taken place; any determination of sanctions would continue to be done by local DPAs, allowing data subjects to challenge these decisions through local courts."

11.17 The issue of the Government's approach to Partial General Approaches, particularly in the context of the negotiations of document (a), is addressed next by the Minister. He says:

    "You have asked me to clarify the Government's approach as regards the use of Partial General Approaches (PGAs) in the context of the GDPR. In the oral evidence session the Justice Secretary made his reservations over the use of PGAs clear; however he also highlighted the pragmatic utility of agreeing to one at December JHA Council.

    "As I stated in my previous letter, at the December JHA Council we had received positive feedback from our stakeholders on the text being voted upon and we considered the proposed Council text to be considerably better than the Parliament's version. Therefore, despite our misgivings over the principle of PGAs, we supported the proposed text since it helped to advance the UK's negotiating position overall. As the Justice Secretary has said, his approach was pragmatic: he stated that although he "[does] not like using Partial General Approaches … there are just moments when I judge that it is not in the interests of the United Kingdom to vote against something for the sake of voting against it."

    "I remain of the view that it is clear from the manner in which these negotiations have been conducted by successive Presidencies that PGAs are being used as a tool to move negotiations forward in what is a complex file with many interdependencies. We understand it is unusual for PGAs to be as heavily qualified as they have been by the Greek and Italian Presidencies, to the extent that 'nothing is agreed until everything is agreed'. That language must have some meaning, and we consider it must follow that any Member State would be within its rights to seek to reopen any of the points covered by the PGAs. In these circumstances, we previously took the view that agreeing to such a qualified PGA in December should not be considered a scrutiny override. The Lords Committee appears to share the view that, because of the caveats involved, this did not amount to an override. However, appreciating the strength of feeling in your Committee, I am willing to acknowledge this as an override and I will work with colleagues in the Cabinet Office and Foreign Office to ensure there is a clear and consistent approach taken to PGAs in the future.

    "I hope the reasons the Justice Secretary and I have already given have explained the reasons why we supported the PGA in December. I will of course aim to give you the maximum notice when any future PGAs are proposed and take the Committee's views into account when deciding whether or not to support them."

FORTHCOMING JHA COUNCIL 13 MARCH 2015

11.18 The Minister informs us as to what might happen at this imminent JHA Council and requests a scrutiny waiver:

    "Indeed, I can now confirm that a PGA has been proposed for voting on at March JHA Council on Chapters II, VI and VII. Because we do not have a final text yet, we cannot be absolutely certain whether we would want to support this PGA. However, the timeframe between receiving the final version of the text and the opening of JHA Council is likely to be incredibly tight and I therefore wish to ask you now for a scrutiny waiver should the text proposed in March resemble that which we currently have before us.

    "The current texts on the table that will form the foundations for discussion at March JHA Council are in a positive place for the UK. Chapter II, concerning consent and the principles for processing, makes reference to 'unambiguous consent' as opposed to the much more burdensome "explicit consent" referenced in the European Parliament text. The UK has also secured positive advances in the carve outs for processing data for health purposes, including making sure that special categories of data will continue to be able to be processed for work pertaining to the carrying out of social care.

    "With regard to the 'One-Stop-Shop', the current working text does currently include both quantitative and qualitative filters to limit the number of possible data protection breaches being sent to the EDPB. Although the quantitative threshold currently being discussed is lower than that the UK had originally negotiated for, it is likely that this is the best deal that the UK will be able to secure. With this in mind, it is therefore important for us to be able to show our support for such a model with a view to limiting movement away from filters altogether (as some Member States argue for) and end up in a position that could, in fact, be damaging to UK interests."

FURTHER UPDATES

11.19 The Minister ends his letter by promising to update us as to the outcome of the JHA Council of 13 March. He also commits to informing us of "any plans that the Presidency may make regarding the content of future DAPIX meetings or to further progress on the Data Protection Directive, including any developments that may arise during dissolution or shortly thereafter".

Previous Committee Reports

(a) and (b): Thirty-first Report HC 219-xxx (2014-15), chapter 5 (28 January 2015); Twenty-second Report HC 219-xxi (2014-15), chapter 9 (26 November 2014); Twelfth Report HC 219-xii (2014-15), chapter 8 (10 September 2014); Forty-seventh Report HC 83-xlii (2013-14), chapter 14 (30 April 2014); Thirteenth Report HC 83-xiii (2013-14), chapter 24 (4 September 2013); Eighth Report HC 83-viii (2013-14), chapter 11 (3 July 2013); Third Report HC 83-iii (2013-14), chapter 15 (21 May 2013); Thirty-first Report HC 86-xxxi (2012-13), chapter 7 (6 February 2013); Twenty-sixth Report HC 86-xxvi (2012-13), chapter 11 (9 January 2013); Eighth Report HC 86-viii (2012-13), chapter 5 (11 July 2012); Fifty-ninth Report HC 428-liv (2010-12), chapters 7 and 8 (14 March 2012).

(c) and (d): Thirty-first Report HC 219-xxx (2014-15), chapter 5 (28 January 2015); Twenty-second Report HC 219-xxi (2014-15), chapter 9 (26 November 2014); Twelfth Report HC 219-xii (2014-15), chapter 8 (10 September 2014); Forty-seventh Report HC 83-xlii (2013-14), chapter 14 (30 April 2014); Thirty-sixth Report HC 83-xxxiii (2013-14), chapter 9 (12 February 2014).


20   Thirty-first Report HC 219-xxx (2014-15), chapter 5 (28 January 2015).

21   HC Deb, 5 March 2015, cols.81-82WS [Commons Written Ministerial Statement].

22   Fifty-ninth Report HC 428-liv (2010-12), chapters 7 and 8 (14 March 2012).

23   Twenty-sixth Report HC 86-xxvi (2012-13), chapter 11 (9 January 2013).

24   Thirty-sixth Report HC 83-xxxiii (2013-14), chapter 9 (12 February 2014).

25   Twenty-second Report HC 219-xxi (2014-15), chapter 9 (26 November 2014).

26   The Committee's opinion on the European Union Data Protection framework proposals: Third Report of Session 2012-2013, HC 572.


 


© Parliamentary copyright 2015
Prepared 20 March 2015