Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee
Proposed Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC
Article 16(2) TFEU; ordinary legislative procedure; QMV
Culture, Media and Sport
(38446), 5034/17, COM(17) 8
5.1The recently adopted General Data Protection Regulation (GDPR) applies rules on the processing and free movement of personal data to Member States and data controllers/processors within the EU and is intended to be extended to the EEA. It will be directly applicable in Member States from 25 May 2018. It is an important piece of EU legislation, required to facilitate the Digital Single Market, to update the 1995 rules in line with technological developments, to strengthen online privacy rights and to address divergent implementation by Member States. The Government has committed to ensuring that UK law complies with the GDPR by the May deadline.
5.2EU data protection rules are likely to remain relevant and significant for the UK after Brexit. This is because any future trading with the EU will probably involve the cross-border exchange of personal data from the UK as a third country to the EU. We address this issue both in our conclusions and at paragraphs 5.21–5.22 of this chapter.
5.3The purpose of this proposed Regulation is to adapt the new GDPR rules to EU institutions, agencies and other bodies and also anticipates the proposed reform of the current e-Privacy Directive (see chapter 6 of this Report). The proposal is a recast of the current Regulation (EC) 45/2001 applicable to the EC/EU institutions, agencies and other bodies which is based on the rules in the 1995 Data Protection Directive. It is likely to be directly applicable in the UK before Brexit, coming into effect at the same time as the GDPR.
5.4As the obligations in this proposal are imposed on data controllers and processors in EU bodies, the Government broadly assesses the impact on the UK to be minimal (excluding UK-based external processors used by the EU). However, it is seeking to ensure that, where possible, the same obligations and protections are applied to EU institutions as under the GDPR. It does not comment on any possible Brexit implications but we pursue these in our conclusions below.
5.5We thank the Minister of State for Digital and Culture (Matthew Hancock) for his Explanatory Memorandum, which is particularly helpful in highlighting areas where the present proposal diverges from the General Data Protection Regulation (GDPR) adopted last year.
5.6We note that the Commission intends the proposal, once adopted, to apply from 25 May 2018, at the same time as the new GDPR. We agree with the Minister that on the expected timings of the Brexit negotiations, it is likely that this proposal will apply to the UK before Brexit. However, as the Minister observes, the obligations envisaged by this proposal are not for Member States and the “impact will mostly fall on the data controllers in EU institutions”, except for any UK-based “external” data processors used by them. So although at present this proposal seems to have little impact for the UK, we welcome the Minister’s vigilance in seeking to ensure consistency between this proposal and the GDPR. It is important that UK and other EU citizens and businesses should enjoy the same level of protection when their data is being processed by EU bodies as under the GDPR in the case of the Member States and other data controllers/processors.
5.7However, we wonder whether the handling of the personal data of UK citizens by EU institutions could possibly assume more significance after Brexit. Subject to any specific agreement reached as part of the UK’s future relationship with the EU, “third country” UK citizens might have to submit even more data than at present to EU bodies and centralised EU databases to acquire authorisation respectively to travel, work or provide services in the EU. It is therefore disappointing that the Minister has not commented from a Brexit viewpoint on Chapter V of the proposal which addresses the transfer of personal data to “third countries and international organisations”. In this respect, we also await the Minister’s Explanatory Memorandum on a Commission Communication, which we have requested for deposit, on the issue of international transfers of data entitled “Exchanging and Protection Personal Data in a Globalised World”. Even putting Brexit to one side, the Court ruling in Schrems on the EU-US Privacy Shield alone highlights this as an area on which the Minister should comment.
5.8It would be very helpful, when the Minister next writes, if he could explain how obligations under this proposal tie in with discrete obligations in relation to the handling of data relating to EU centralised databases, many of them having a law enforcement purpose. We note that the Government is already considering the relationship between this proposal and the ePrivacy proposal and we look forward to hearing more from the Government on this in due course.
5.9As we expect negotiations to move quickly on this proposal, we ask the Minister to keep us informed of developments on the document but retain it under scrutiny in the meantime. We draw this chapter and document to the attention of the Culture, Media and Sport Committee.
Proposed Regulation on the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC: (38446), , COM(17) 8.
5.10Article 2(3) of the GDPR requires Regulation 45/2001 to be updated so as to create a coherent data protection framework. The Commission’s evaluation of the existing rules also concluded that in particular, a risk management approach, i.e. data protection impact assessments, and a sanctions regime should be adopted.
5.11Accordingly, the key changes proposed include:
5.12In an Explanatory Memorandum of 31 January 2017, the Minister of State for Digital and Culture (Matthew Hancock) first rehearses the Government’s standard statement on the UK’s position in the EU as a Member State following the Referendum outcome. He clarifies that if the Commission succeeds in its aim of having the proposal come into force in May 2018 with the GDPR, and exit negotiations are still ongoing, then the proposed Regulation will be directly applicable in the UK.
5.13However, he does not expect the proposal to have any direct impact on the UK or entail any significant financial implications, given that the obligations it imposes are on data controllers and processors in the EU institutions, agencies and other bodies.
5.14He then explains the Government’s assessment of the policy implications of the proposed Regulation. He says that the Government:
5.15The Minister notes that some differences are due to the smaller range of processing done by the EU institutions, so for example, there is no right to object to processing for direct marketing purposes, as this processing is not done by the EU institutions.
5.16However, he adds that the Government believes that the justification for other differences is less clear and will therefore consider whether there should be greater alignment with the GDPR, in particular in the following cases:
5.17In terms of aligning the existing Regulation with the proposed ePrivacy Regulation, the Minister highlights that the proposals import the obligation to protect the confidentiality of electronic communications, and to protect information related to users’ terminal equipment when users access the EU’s public websites and applications. He says that Government will be considering in detail the relationship between the two proposals.
5.18Despite the fact that the proposal applies to data controllers in the institutions, the Minister says that the Government will be assessing the potential impact of the proposal on UK “external processors” employed by them and identifying overlap between their obligations in this proposal and the GDPR and any uncertainty in the scope of the proposals which make it unclear which law applies to them.
5.19Article 50 deals with recognition and enforcement of judgments or administrative decisions by third countries in circumstances where there is a mutual legal assistance treaty in force between the third country and the EU. The Minister explains that this replicates Article 48 of the GDPR in which Government says it does not participate.
5.20Negotiations are expected to start early during the term of the Maltese Presidency given that the Commission intends for the Regulation to apply from 25 May 2018 in order to ensure consistency with the GDPR.
5.21The Minister does not comment on data exchange between the EU institutions and third countries from a Brexit point of view. Chapter V of this proposed Regulation “Transfer of data to third countries or international organisations” appears to be modelled on provisions for data exchange with third countries under the GDPR. So, for example, Article 48 of the proposed Regulation on “adequacy decisions” references Article 45 of the GDPR. Transfers of data by EU institutions to a third country, a territory or one or more specific sectors in the third country, or an international organisation can only take place if the EU has decided that they ensure an adequate level of data protection for EU citizens.
5.22We therefore suggest that, as such, adequacy decisions under the proposed Regulation would be subject to the same CJEU rulings as those under the GDPR. The CJEU’s decision in Schrems has set the bar for how those decisions need to comply with Charter of Fundamental Rights provisions, namely Article 7 (right to respect for private and family life) and Article 8 (protection of personal data).
None, but see (33649), 5853/12: Twenty-fifth Report HC 342-xxiv (2015–16), (9 March 2016); Twenty-second Report HC 342-xxi, (3 February 2016); Sixteenth Report HC 342-xv (2015–16), (6 January 2016); Fifteenth Report HC 342-xiv (2015–16), (16 December 2015); Eleventh Report HC 342-xi (2015–16), (2 December 2015); Seventh Report HC 342-vii (2015–16), (28 October 2015); Fifth Report HC 342-v (2015–16), (14 October 2015); First Report HC 342-i (2015–16), (21 July 2015); Thirty-six Report HC 219-xxxv (2014–15), (11 March 2015); Thirty-first Report HC 219-xxx (2014–15), (28 January 2015); Twenty-second Report HC 219-xxi (2014–15), (26 November 2014); Twelfth Report HC 219-ii (2014–15), (10 September 2014); Forty-seventh Report HC 83-xlii (2013–14), (30 April 2014); Thirteenth Report HC 83-xiii (2013–14), (4 September 2013); Eighth Report HC 83-viii (2013–14), (3 July 2013); Third Report HC 83-iii (2013–14), (21 May 2013); Thirty-first Report HC 86-xxxi (2012–13), (6 February 2013); Twenty-sixth Report HC 86-xxvi (2012–13), (9 January 2013); Eighth Report HC 86-viii (2012–13), (11 July 2012); Fifty-ninth Report HC 428-liv (2010–12), (14 March 2012).
25 Regulation 2016/679 of the EP and Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). On 4 May 2016, the official text of the Regulation was published in the EU Official. While the Regulation entered into force in 4 May 2016, it shall apply from 25 May 2018.
26 Note though that the GDPR also catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of EU data subjects. This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
27 For example, when the Minister gave evidence to the Internal Market Sub-Committee of the Lords’ European Union Committee on 19 January 2017, see
28 Proposed Regulation of the European Parliament and the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on privacy and electronic communications): (38455), + ADDs 1–6, COM(17) 10.
30 We understand that the Government is aiming for the European Union (Notification of Withdrawal Bill) to be approved, following the Lords’ Third Reading on 7 March. See HL Deb, 30 January,
31 Whether as part of “bold and comprehensive Free Trade Agreement” aspired to by the PM in her Lancaster House Speech or otherwise.
32 Council document 5191/17: Communication from the Commission to the European Parliament and Council: “Exchanging Exchanging and Protecting Personal Data in a Globalised World”.
33 Case C- Schrems v Data Protection Commissioner.
34 Applying an exchange rate of €1= £0.84935.
35 Applying the same exchange rate.
36 On 23 June, the EU referendum took place, and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period, the Government will continue to negotiate, implement, and apply EU legislation. The outcome of the exit negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.
37 The GDPR establishes a tiered approach to penalties for breach which enables the DPAs to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR20 million (eg breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR10m.
38 Applying an exchange rate of €1= £0.84935.
39 Applying the same exchange rate.
40 See footnote 4.
41 For the Written Ministerial Statement on this purported opt-in decision, made in the absence of a Title V AFSJ legal base: HC Deb, 4 February 2016
42 Note that the EM does highlight disparities between derogations not available to public authorities in relation to international transfers under the GDRP that the EU institutions are able to rely on under the proposal.
43 Or failing that, by way of a number of other specified mechanisms such as binding corporate rules or contractual clauses (see Article 46 of the GDPR).
44 Case C- Schrems v Data Protection Commissioner.
10 February 2017