Legally and politically important
Not cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee, the Home Affairs Committee and the International Trade Committee
Commission Communication on Exchanging and Protecting Personal Data in a Globalised World
Culture, Media and Sport
(38493), 5191/17, COM(17) 7
5.1 As part of a future trading relationship with the EU after Brexit or cooperation on law enforcement, the UK may have to exchange data directly with the EU bodies, Member States or through EU databases. This Communication, published in January, is directly relevant to this aspect of Brexit because it sets out the Commission’s future strategy for engaging with selected third countries to reach adequacy decisions (i.e. decisions on whether a country’s data protection framework is equivalent to that in the EU) or international data-sharing agreements. It also covers how the EU should promote its own data protection standards through participation in international data protection instruments. The Commission hopes to strengthen and influence personal data standards globally.
5.2 The Government has already said that it seeks an “uninterrupted” and “unhindered” flow of data with the EU after Brexit. As a third country the UK would have to offer safeguards equivalent to EU privacy and data protection rules in order to receive and handle EU data. It is likely that this will be easier to achieve if UK law continues to align with EU data protection law. The Government has committed to making sure that UK law complies with the new General Data Protection Regulation (GDPR) and Law Enforcement Directive which apply from May 2018 and will be in alignment with EU law on UK exit. The possible application pre-Brexit to the UK of the recently proposed e-Privacy Regulation is not yet clear.
5.3 Whilst there are various mechanisms available for third country transfers of data, an “adequacy” decision or international agreement for data-sharing, once adopted, would be likely to provide the most seamless option for UK businesses and UK public authorities, including law enforcement agencies.
5.4 We have previously scrutinised high profile examples of each of these mechanisms: the EU-US Privacy Shield (on data exchange for commercial purposes, which replaced “Safe Harbour”) and the EU-US Umbrella Agreement (on sharing law enforcement data).
5.5 As part of that scrutiny, it has become clear that providing equivalent safeguards for EU citizens and their data could present some challenges. This is because of a series of Court of Justice judgments which underlined the need to protect rights to privacy and protection of personal data to the standards of Articles 7 and 8 of the EU’s Charter of Fundamental Rights. Adequacy decisions and international agreements on EU-third country data-sharing, to a greater or lesser extent, also need the support of the European Parliament, the Article 29 Working Party of Member States’ data protection authorities and the European Data Protection Supervisor.
5.6 The Government welcomes the Communication as indicating the Commission’s future approach to exchange of data with third countries. It repeats the view that it wishes UK-EU data flows to continue uninterrupted after Brexit and that it is exploring all options on “the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports business in a global economy”. In so doing, it is mindful of the need to also be able to exchange data with non-EU countries.
5.7 Although this Communication is a non-legislative document, we report it to the House because of its obvious significance for future EU-UK data-sharing arrangements. If the UK is to continue to trade with the EU or to cooperate on law enforcement after it leaves, then it would seem preferable to have mechanisms in place beforehand for third country transfer. It also seems clear that either an adequacy decision or an international data-sharing agreement would best provide the “uninterrupted” and “unhindered” flow of data which the Government seeks.
5.8 We note that it took over two and five years respectively for the EU-US Privacy Shield and EU-US Umbrella Agreement to be put in place. So we ask the Government to ensure that sufficient time is left before UK withdrawal to agree any EU-UK data-sharing instruments. In so doing, we recognise that:
a) Privacy Shield and Umbrella may not be direct comparators for the UK as the UK will be far better aligned with EU data protection law than the US, given the Government’s commitment to comply with the new General Data Protection Regulation (GDPR) and Law Enforcement Directive;
b) As the Commission recognises, adequacy decisions have been adopted so far under the existing data protection framework for a diversity of privacy and legal systems (see paragraph 5.23 of this chapter); but also that
c) Court of Justice rulings in Schrems, Digital Rights Ireland and Watson v Home Secretary have had a direct bearing on the question of the adequacy of protection for EU citizens’ data by third countries, as has the Court’s interpretation of Articles 7, 8 and 47 of the EU Charter of Fundamental Rights. As the UK will not be subject to either on leaving the EU, the process of putting in place equivalent data-sharing arrangements might present some challenges for the Government.
5.9 We note the importance of EU third country data-exchange mechanisms to support any post-Brexit trading relationship and/or law enforcement cooperation between the EU and the UK, and we draw this chapter and this document to the attention of the Culture, Media and Sport Committee, the Home Affairs Committee and the International Trade Committee.
5.10 Pending the Minister’s response, we retain this document under scrutiny.
5.11 The present Communication, anticipated in the Commission’s Work Programme, sets out the Commission’s strategic framework for “adequacy decisions” as well as other tools for data transfers and international data protection instruments.
5.13 The Commission explains that the 2016 reform of the EU data protection rules on international transfers not only clarifies and simplifies existing transfer tools but also introduces some new ones. It then describes the different transfer tools.
5.14 A Commission “adequacy decision” establishes that a non-EU country provides a level of data protection that is “essentially equivalent” to that in the EU. This enables the free flow of personal data to that third country without the need for the data exporter to provide further safeguards or obtain any authorisation.
5.15 In making an adequacy assessment of a third country, Article 45(2) GDPR requires the Commission to take into account:
5.16 The Commission can now also adopt adequacy decisions for the law enforcement sector, for transfer of data to third countries or international organisations, according to (very similar) criteria for assessment set out in Article 36(2) of the Law Enforcement Directive.
5.17 Both the GDPR and Law Enforcement Directive explicitly allow for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country (so-called “partial” adequacy).
5.18 In the absence of an adequacy decision, there are a number of alternative transfer tools providing adequate data protection safeguards. The 2016 data protection reform has built on existing tools such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). So now, for example:
5.19 The new GDPR permits controllers and processors to use, under certain conditions, approved codes of conduct or certification mechanisms (such as privacy seals or marks) to establish “appropriate safeguards”. This will:
5.20 The GDPR also:
5.21 The Commission highlights adequacy decisions as being the best option for a third country in order to achieve a “free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions”.
5.22 An adequacy decision means that:
5.23 In an observation which has some significance for the UK’s post-Brexit position, the Commission observes:
“the adequacy decisions adopted so far show, it is possible for the Commission to recognise a diverse range of privacy systems, representing different legal traditions, as being adequate. These decisions concern countries that are closely integrated with the European Union and its Member States (Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man), important trading partners (Argentina, Canada, Israel, the United States), and countries that have a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).”
5.24 The Commission then comments separately on the “partial” adequacy decisions on Canada and the US:
5.25 The Commission highlights the opportunities for more adequacy findings, as many more countries around the world have been developing data protection laws, involving a common approach: a core set of common principles, including the recognition of data protection as a fundamental right, the adoption of overarching legislation in this field, the existence of enforceable individual privacy rights, and the setting up of an independent supervisory authority.
5.26 Under its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:
5.27 On this basis, the Commission says that it will:
5.28 The Commission explains that EU data protection rules cannot be the subject of negotiations in a free trade agreement. This is because an adequacy finding is a unilateral implementing decision by the Commission, in other words a form of EU secondary legislation. Nevertheless, the Commission will “use EU trade agreements to set rules for e-commerce and cross-border data flows…without prejudice to the EU’s data protection rules”. It also comments that although adequacy decisions have to be negotiated on a “separate track”, they are complementary to FTAs and can:
5.29 The Commission pledges to work with stakeholders to develop alternative personal data transfer mechanisms adapted to the particular needs or conditions of specific industries, business models and/or operators. For example:
5.30 The Commission will also:
5.31 The Commission says about its contribution to international cooperation on data protection that:
5.32 The Commission explains that the Law Enforcement Directive introduced adequacy decisions for data exchanges for law enforcement purposes and says that:
5.33 The Commission then outlines the alternatives to an adequacy decision:
5.34 Moreover, the Law Enforcement Directive:
5.35 The Commission also says that it will follow up the Council Conclusions on improving criminal justice in cyberspace to facilitate the cross-border exchange of e-evidence in conformity with data protection rules.
5.36 Finally, in accordance with the new legal basis for Europol, the Commission will assess the provisions contained in those operational cooperation agreements between Europol and third parties, concluded under Council Decision 2009/371/JHA, including their data protection provisions.
5.37 Also, as set out in the 2015 European Agenda on Security, the EU’s future approach to the exchange of PNR data with non-EU countries will take into account the need to apply consistent standards and specific fundamental rights protections. The Commission, taking into account the forthcoming Opinion from the CJEU on the proposed EU-Canada PNR Agreement, will work on legal solutions to exchange PNR data with third countries, including by considering a model agreement on PNR.
5.38 The Commission concludes that it will
“…ensure coherence of the internal and external dimension of EU data protection policy and promote strong data protection at international level to improve law enforcement cooperation, contribute to free trade and develop high personal data protection standards globally.”
5.39 In his Explanatory Memorandum of 7 February 2017, the Minister of State for Digital and Culture (Matt Hancock) first repeats the standard statement about the Government’s position in the EU until it exits. Given the relevance of this document to Brexit, we reproduce what the Minister says about policy implications in full:
“The Government welcomes the Commission’s Communication. It provides a broad outline of the reformed EU data protection regime in the context of cross-border data transfers. It outlines the mechanisms available for transfer, such as adequacy agreements, standard contractual clauses and binding corporate rules under the existing regime. It also discusses how these have been broadened under the new regime, and sets out a number of new transfer measures, such as certification mechanisms and approved codes of conduct, which are designed to provide tailor-made solutions for companies which could enable them to benefit from the competitive advantages associated, for example, with a privacy seal or mark.
“The Communication presents the Commission’s approach to adequacy decisions, which allow for the free flow of personal data between the EU or EEA and third countries that are recognised as providing “adequate protection” for personal data comparable to that in the EU. It notes what the process of an adequacy finding involves and outlines the criteria to be taken into account when assessing with which third countries a dialogue on adequacy is to be pursued.
“As part of the discussion the Commission indicates its intention to engage with Latin American countries (in particular Mercosur) and non-EU European neighbours that have expressed an interest in receiving an adequacy decision from the EU. The promotion of data protection standards internationally and international law enforcement co-operation are also addressed. Furthermore, it discusses the Commission’s plans to work with and support countries interested in adopting strong data protection laws to converge with EU data protection principles and interoperable global standards; and notes steps the Commission will take to enhance enforcement cooperation, including through mutual assistance arrangements.
“As part of plans for the UK’s exit from the EU, the Government will consider carefully how best to maintain its continued ability to share, receive and protect EU data with other EU member states (and, indeed, with nations outside the EU). The Government is keen to ensure that data flows with the EU are not interrupted after the UK leaves the EU and therefore is considering all the options on the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports business in a global economy. The Government views the Communication as important in highlighting the Commission’s approach to these matters.”
14 Lords’ Select Committee on the EU, EU Home Affairs Sub-Committee, 1 February 2017 [Minister for Digital and Culture]: Q2, Uncorrected evidence: “Not only do we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.
15 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
16 Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
17 The Minister of State for Exiting the European Union (Mr David Jones) has said: “I would point out that on the day of departure, the UK’s data protection arrangements will be in perfect alignment with those of the continuing EU.” (Hansard, HC Deb. 18 January 2017, col. 1020).
18 We reported on 8 February on this proposed Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): (38455), 5358/17 + ADDs 1–6, COM(17) 10. See Thirty-first Report HC 71-xxix (2016–17), (8 February 2017).
19 The GDPR provides a suite of mechanisms to transfer personal data from the EU to third countries and third country companies, including Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCC), approved codes of practice, certification mechanisms and adequacy decisions. The Law Enforcement Directive also provides for adequacy decisions and international agreements for data-sharing. There is also some limited scope for case-by-case transfers.
20 (37695), —: Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
21 (37724–37726), 8245/16 and 8491/16: Proposed Council Decisions on the signing and conclusion, on behalf of the European Union, of an Agreement between the USA and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences.
22 In the Schrems case the CJEU invalidated the EU-US “Safe Harbor” decision, the predecessor to Privacy Shield. There are also two current legal challenges to Privacy Shield itself. In 2014, the CJEU invalidated the Data Retention Directive in the Digital Rights Ireland case. In December the CJEU expanded on its Digital Rights Ireland ruling, holding that any national legislation providing for “general and indiscriminate” retention of data is incompatible with EU law, including the Charter (Watson v Home Secretary). This ruling, when it is applied by the UK Court of Appeal, may mean that the UK’s Investigatory Powers Act 2016 will have to be amended.
23 Also, Article 47 (right to an effective judicial remedy) to enable EU citizens to enforce their data protection rights.
24 For Privacy Shield see Commission Communication of first setting out 13 recommendations for changing Safe Harbor. Privacy Shield was adopted by the Commission on . For the Umbrella Agreement, the Commission proposed on a draft mandate for negotiating the agreement between the EU and the US. The Agreement was concluded (ratified) by the EU on .
25 Case , Maximillian v Data Protection Commissioner.
26 Joined Cases Digital Rights Ireland v Minister for Communications, Marine and Natural Resources and others.
27 Joined Cases Tele2 Sverige AB and Home Secretary v Watson.
28 Respectively, the rights to private and family life, to protection for personal data and to an effective judicial remedy.
29 The Convention opened for signature on 28 January 1981 and was the first legally binding international instrument in the data protection field. Under this Convention, the parties are required to take the necessary steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data.
30 The Commission has to take into account “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are transferred”. It also has to take into account the existence and independence of any supervisory authorities and legally binding commitments on data protection.
31 SCCs lay down the respective data protection obligations between the EU exporter and the third country importer.
32 BCRs are internal rules adopted by a multinational group of companies to carry out data transfers within the same corporate group to entities located in countries which do not provide an adequate level of protection.
33 Case , Maximillian v Data Protection Commissioner, points 73, 74 and 96. See also recital 104 of the GDPR and recital 67 of the Police Directive which refer to the standard of essential equivalence.
34 The Commission’s wording which it derives from para 74 of Schrems.
35 To be replaced in 2018 by the European Data Protection Supervisory Board.
36 The Advocate General has already given his opinion in “Opinion 1/15” on .
37 On 23 June, the EU referendum took place and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the Government will continue to negotiate, implement and apply EU legislation. The outcome of these negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.
10 March 2017