Documents considered by the Committee on 2 November 2016 Contents

10EU-US Data Transfers

Summary and Committee’s conclusions

Committee’s assessment

Legally and politically important

Committee’s decision

Cleared from scrutiny

Document details

Commission Implementing Decision pursuant to Directive 95/46/EC on the adequacy of the protection provided by the EU-US Privacy Shield

Legal base

Article 25(6) of Directive 95/46/EC;—

Department

Culture, Media and Sport

Document Numbers

(37695), —, + ADDs 1–7

10.1The EU-US Privacy Shield agreement was politically agreed by the US and the Commission in February but it needed to be implemented on the EU side by EU secondary legislation, this Commission Implementing Decision. This Decision is known as an adequacy decision because under the 1995 Data Protection Directive51 the personal data of an EU citizens can only be transferred to a third country with adequate, equivalent protections to those available under EU law. It was adopted by the Commission, following approval by a committee of national data protection experts (the Article 31 Committee) on 12 July.

10.2The Privacy Shield adequacy decision sets out the basis on which the data of EU citizens can be transferred to US companies for commercial purposes and only where US companies comply with certain privacy principles. It will replace the “Safe Harbor” Decision which was invalidated by the Court of Justice (CJEU) in the case of Schrems52 for failing to comply with EU fundamental rights to privacy and data protection.

10.3Initially, the Government was reluctant to deposit the document, despite it falling within our Standing Orders for deposit, though as secondary legislation, not falling within our Scrutiny Reserve Resolution. It has also been sparing in its comments on compliance of the document with fundamental rights protecting EU citizens and their data or on the relevant views of EU data protection bodies. In our previous reports we have pressed the Government for this information and also further developments in the process for approving the document, including the opinion of the Article 31 committee of national experts and the reaction of the Commission to the criticism of the European Data Protection Supervisor.

10.4The Minister of State for Digital and Culture (Matt Hancock) now responds in a letter of 26 October to our last Report of 13 July. He simply informs us when the document was adopted, what the voting outcomes were in the Article 31 Committee and gives a very vague indication of what the Government’s policy is on data sharing with the EU post Brexit.

10.5We thank the Minister for his letter of 26 October, a long overdue response to our Report in July. We look forward to receiving a more precise indication of the Government’s policy on data-sharing with the EU post-Brexit on other ongoing and forthcoming dossiers where data protection and sharing issues arise.

10.6We now clear this document from scrutiny.

Full details of the documents

Commission Implementing Decision pursuant to Directive 95/46/EC on the adequacy of the protection provided by the EU-US Privacy Shield: (37695), —, + ADDs 1–7.

The Minister’s letter of 26 October 2016

10.7The Minister responds to the questions we asked in our report of 13 July as follows:

10.8The Minister then addresses our question about whether the Government will seek to enter into a similar bilateral agreement with the EU after Brexit. He says:

“I am aware of the importance of continued data flows with the EU and beyond after the UK’s withdrawal. In that respect I can confirm that the Government will be considering carefully how best to maintain our continued ability to share, receive and protect data, not only with the EU, but globally.

“It will be the Government’s priority to provide a data protection framework that will work for citizens, Government, and businesses alike, whilst providing an appropriate level of protection of personal data.”

Previous Committee Reports

Eighth Report HC 71-vi (2016–17), chapter 7 (13 July 2016); Third Report HC 71-ii (2016–17), chapter 3 (25 May 2016).


51 Directive 95/46/EC. This applies until the new Data Protection Regulation comes into force on 25 May 2018.

52 Case C-362/14: Maximillian Schrems v Data Protection Commissioner, 6 October 2015.




4 November 2016