Documents considered by the Committee on 8 March 2017 Contents

5Exchanging data with non-EU countries

Committee’s assessment	Legally and politically important
Committee’s decision	Not cleared from scrutiny; further information requested; drawn to the attention of the Culture, Media and Sport Committee, the Home Affairs Committee and the International Trade Committee
Document details	Commission Communication on Exchanging and Protecting Personal Data in a Globalised World
Legal base	—
Department	Culture, Media and Sport
Document Number	(38493), 5191/17, COM(17) 7

Summary and Committee’s conclusions

5.1As part of a future trading relationship with the EU after Brexit or cooperation on law enforcement, the UK may have to exchange data directly with the EU bodies, Member States or through EU databases. This Communication, published in January, is directly relevant to this aspect of Brexit because it sets out the Commission’s future strategy for engaging with selected third countries to reach adequacy decisions (i.e. decisions on whether a country’s data protection framework is equivalent to that in the EU) or international data-sharing agreements. It also covers how the EU should promote its own data protection standards through participation in international data protection instruments. The Commission hopes to strengthen and influence personal data standards globally.

5.2The Government has already said that it seeks an “uninterrupted” and “unhindered” flow of data with the EU after Brexit.14 As a third country the UK would have to offer safeguards equivalent to EU privacy and data protection rules in order to receive and handle EU data. It is likely that this will be easier to achieve if UK law continues to align with EU data protection law. The Government has committed to making sure that UK law complies with the new General Data Protection Regulation (GDPR)15 and Law Enforcement Directive16 which apply from May 2018 and will be in alignment with EU law on UK exit.17 The possible application pre-Brexit to the UK of the recently proposed e-Privacy Regulation is not yet clear.18

5.3Whilst there are various mechanisms available for third country transfers of data,19 an “adequacy” decision or international agreement for data-sharing, once adopted, would be likely to provide the most seamless option for UK businesses and UK public authorities, including law enforcement agencies.

5.4We have previously scrutinised high profile examples of each of these mechanisms: the EU-US Privacy Shield20 (on data exchange for commercial purposes which replaced “Safe Harbour”) or the EU-US Umbrella Agreement (on sharing law enforcement data).21

5.5As part of that scrutiny, it has become clear that providing equivalent safeguards for EU citizens and their data could present some challenges. This is because of a series of Court of Justice judgments22 which underlined the need to protect rights to privacy and protection of personal data to the standards of Articles 7 and 8 of the EU’s Charter of Fundamental Rights.23 Adequacy decisions and international agreements on EU-third country data-sharing, to a greater or lesser extent, also need the support of the European Parliament, the Article 29 Working Party of Member States’ data protection authorities and the European Data Protection Supervisor.

5.6The Government welcomes the Communication as indicating the Commission’s future approach to exchange of data with third countries. It repeats the view that it wishes UK-EU data flows to continue uninterrupted after Brexit and that it is exploring all options on “the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports business in a global economy”. In so doing, it is mindful of the need to also be able to exchange data with non-EU countries.

5.7Although this Communication is a non-legislative document, we report it to the House because of its obvious significance for future EU-UK data-sharing arrangements. If the UK is to continue to trade with the EU or to cooperate on law enforcement after it leaves, then it would seem preferable to have mechanisms in place beforehand for third country transfer. It also seems clear that either an adequacy decision or an international data-sharing agreement would best provide the “uninterrupted” and “unhindered” flow of data which the Government seeks.

5.8We note that it took over two and five years respectively24 for the EU-US Privacy Shield and EU-US Umbrella Agreement to be put in place. So we ask the Government to ensure that sufficient time is left before UK withdrawal to agree any EU-UK data-sharing instruments. In so doing, we recognise that:

a)Privacy Shield and Umbrella may not be direct comparators for the UK as the UK will be far better aligned with EU data protection law than the US, given the Government’s commitment to comply with the new General Data Protection Regulation (GDPR) and Law Enforcement Directive;

b)As the Commission recognises, adequacy decisions have been adopted so far under the existing data protection framework for a diversity of privacy and legal systems (see paragraph 0.23 of this chapter); but also that

c)Court of Justice rulings in Schrems,25 Digital Rights Ireland26 and Watson v Home Secretary27 have had a direct bearing on the question of the adequacy of protection for EU citizens’ data by third countries, as has the Court’s interpretation of Articles 7, 8 and 4728 of the EU Charter of Fundamental Rights. As the UK will not be subject to either on leaving the EU, the process of putting in place equivalent data-sharing arrangements might present some challenges for the Government.

5.9We note the importance of EU third country data-exchange mechanisms to support any post-Brexit trading relationship and/or law enforcement cooperation between the EU and the UK and we draw this chapter and this document to the attention of:

the Culture, Media and Sport Committee in its role of scrutinising the responsible Department for this document;
the Home Affairs Committee because of the potential importance of the exchange of data between the UK and the EU for law enforcement purposes post Brexit; and
the International Trade Committee because data-exchange with non-EU countries, possibly based on international data protection instruments mentioned in the Communication, is relevant to the UK’s future non-EU trade deals.

5.10Pending the Minister’s response, we retain this document under scrutiny.

Full details of the documents

Communication from the Commission to the European Parliament and the Council Exchanging and Protecting Personal Data in a Globalised World: (38493), 5191/17, COM(17) 7.

The Communication

5.11The present Communication, anticipated in the Commission’s Work Programme, sets out the Commission’s strategic framework for “adequacy decisions” as well as other tools for data transfers and international data protection instruments.

5.12The Commission:

highlights the EU’s ambition to promote its own data protection values in seeking the convergence and compatibility of international systems of data protection law;
notes that the EU data protection framework has been used as a point of reference by third countries when developing their own legislation;
hopes that by engaging in active dialogue with international partners it can foster high and interoperable personal data standards globally; and
considers that this will facilitate increased international data flows for both commercial and law enforcement purposes whilst ensuring more effective protection of individual’s rights.

EU mechanisms for international data transfers

5.13The Commission explains that the 2016 reform of the EU data protection rules on international transfers not only clarifies and simplifies existing transfer tools but also introduces some new ones. It then describes the different transfer tools.

Adequacy decision

5.14A Commission “adequacy decision” establishes that a non-EU country provides a level of data protection that is “essentially equivalent” to that in the EU. This enables the free flow of personal data to that third country without the need for the data exporter to provide further safeguards or obtain any authorisation.

5.15In making an adequacy assessment of a third country, Article 45(2) GDPR requires the Commission to take into account:

the rule of law, respect for human rights and fundamental freedoms and relevant legislation, including in the area of data protection, public security, defence, national security and criminal law and access by public authorities to personal data;
the means to effectively enforce those rights, including administrative and judicial redress for individuals, and an effectively functioning independent supervisory authority to ensure and enforce compliance with data protection rules; and
adherence to legally binding conventions, in particular Council of Europe Convention 108,29 and participation in multilateral or regional systems dealing with data protection.

5.16The Commission can now also adopt adequacy decisions for the law enforcement sector, for transfer of data to third countries or international organisations, according to (very similar) criteria for assessment set out in Article 36(2) of the Law Enforcement Directive.30

5.17Both the GDPR and Law Enforcement Directive explicitly allow for an adequacy determination to be made with respect to a particular territory of a third country or to a specific sector or industry within a third country (so-called “partial” adequacy).

Extension of Standard Contractual Clauses and Binding Corporate Rules

5.18In the absence of an adequacy decision, there are a number of alternative transfer tools providing adequate data protection safeguards. The 2016 data protection reform has built on existing tools such as Standard Contractual Clauses (SCCs)31 and Binding Corporate Rules (BCRs).32 So now, for example:

SCCs can now be included in a contract between EU-based processors and processors in a non-EU country (“processor-to-processor” model clauses);
BCRs, previously limited to arrangements among companies in the same group, can now be used by a group of enterprises engaged in a joint economic activity, but not necessarily in the same group; and
prior notification to, and authorisation by, Data Protection Authorities of transfers to a third country based on SCCs or BCRs is no longer required.

New GDPR tools—approved codes of conduct, certification, clarification of derogations

5.19The new GDPR permits controllers and processors to use, under certain conditions, approved codes of conduct or certification mechanisms (such as privacy seals or marks) to establish “appropriate safeguards”. This will:

allow for “tailor-made” solutions for particular sectors or industries, or of particular data flows; and
enable appropriate safeguards to be established for data transfers between public authorities or bodies on the basis of international agreements or administrative arrangements.

5.20The GDPR also:

clarifies the use of so-called “derogations” (e.g. consent, performance of a contract or important reasons of public interest) on which entities in specific situations can base their data transfers in the absence of an adequacy decision and irrespective of the use of one of the other tools. There is a new, but limited derogation for transfers taking place for the legitimate interests of a company; and
allows the Commission to develop international cooperation mechanisms, between national supervisory authorities, on the enforcement of data protection rules, including through mutual assistance arrangements.

Commission’s approach to adequacy decisions so far

5.21The Commission highlights adequacy decisions as being the best option for a third country in order to achieve a “free flow of personal data from the EU without the EU data exporter having to implement any additional safeguards or being subject to further conditions”.

5.22An adequacy decision means that:

the Commission has found that a third country’s legal order provides an adequate level of protection because the country’s system approximates to that of the EU Member States;
transfers to the country in question will be treated similarly to intra-EU transmissions of data, so providing privileged access to the EU Single Market, while opening up trade opportunities for EU businesses on a reciprocal basis;
this privileged recognition is deserved because the third country provides a level of protection comparable or “essentially equivalent”33 to that of the EU; and
there does not necessarily exist a “point-to-point replication of EU rules”34 but rather that through the substance of privacy rights and their effective implementation, enforceability and supervision, the foreign system concerned as a whole delivers the required high level of protection.

5.23In an observation which has some significance for the UK’s post-Brexit position, the Commission observes:

“the adequacy decisions adopted so far show, it is possible for the Commission to recognise a diverse range of privacy systems, representing different legal traditions, as being adequate. These decisions concern countries that are closely integrated with the European Union and its Member States (Switzerland, Andorra, Faeroe Islands, Guernsey, Jersey, Isle of Man), important trading partners (Argentina, Canada, Israel, the United States), and countries that have a pioneering role in developing data protection laws in their region (New Zealand, Uruguay).”

5.24The Commission then comments separately on the “partial” adequacy decisions on Canada and the US:

Canada’s only applies to private entities falling within the scope of the Canadian Personal Information Protection and Electronic Documents Act; and
in the absence of US general data protection legislation, the EU-US Privacy Shield relies on commitments by participating companies to apply the high data protection standards set out by this arrangement that are in turn enforceable under US law. It also builds on the specific representations and assurances made by the U.S. Government as regards access for national security purposes that underpin the adequacy finding. Compliance with these commitments will be closely monitored by the Commission as part of the annual review on the functioning of the framework.

Future adequacy decisions

5.25The Commission highlights the opportunities for more adequacy findings, as many more countries around the world have been developing data protection laws, involving a common approach: a core set of common principles, including the recognition of data protection as a fundamental right, the adoption of overarching legislation in this field, the existence of enforceable individual privacy rights, and the setting up of an independent supervisory authority.

5.26Under its framework on adequacy findings, the Commission considers that the following criteria should be taken into account when assessing with which third countries a dialogue on adequacy should be pursued:

the extent of the EU’s (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations;
the extent of personal data flows from the EU, reflecting geographical and/or cultural ties;
the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region; and
the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.

5.27On this basis, the Commission says that it will;

actively engage with key trading partners in East and South-East Asia, starting from Japan and Korea in 2017;
depending on progress towards the modernisation of its data protection laws, with India, but also with countries in Latin America, in particular Mercosur, and the European neighbourhood which have expressed an interest in obtaining an “adequacy finding”;
in certain situations, consider partial or sector-specific adequacy (e.g. for financial services or IT sectors) which may concern geographic areas or industries that form an important part of a particular third country’s economy. This might depend on the structure of data protection rules (general or sectoral), the constitutional structure of the third country or whether certain sectors of the economy are particularly exposed to data flows from the EU; and
closely monitor adequacy decisions, which are “living” documents, with periodic reviews being held, at least every four years, to address emerging issues and exchange best practices between close partners.

Adequacy decisions separate to a Free Trade Agreement (FTA)

5.28The Commission explains that EU data protection rules cannot be the subject of negotiations in a free trade agreement. This is because an adequacy finding is a unilateral implementing decision by the Commission, in other words a form of EU secondary legislation. Nevertheless, the Commission will “use EU trade agreements to set rules for e-commerce and cross-border data flows…without prejudice to the EU’s data protection rules”. It also comments that although adequacy decisions have to be negotiated on a “separate track”, they are complementary to FTAs and can:

ease trade negotiations, by building mutual trust allowing them to amplify the benefits of a trade deal; and
deter a country from using personal data protection grounds to impose unjustified data protectionism (e.g. data localisation or storage requirements).

Working with stakeholders to develop bespoke transfer mechanisms

5.29The Commission pledges to work with stakeholders to develop alternative personal data transfer mechanisms adapted to the particular needs or conditions of specific industries, business models and/or operators. For example:

SCCs targeted at the requirements of a particular sector, e.g. specific safeguards when processing sensitive data in the health sector;
BCRs applying to groups of companies involved in a joint economic activity, for instance in the travel industry; and
approved codes of conduct and accredited third-party certifications introduce tailor-made solutions while benefiting from the competitive advantages associated, for example, with a privacy seal or mark.

5.30The Commission will also:

draw on work already started, for example, by the Article 29 Working Party of Member States35 data protection authorities; and
promote convergence between BCRs under EU law and the Cross Border Privacy Rules developed by the Asia Pacific Economic Cooperation (APEC).

EU efforts on international cooperation and convergence

5.31The Commission says about its contribution to international cooperation on data protection that:

it already encourages accession by third countries to Council of Europe Convention 108 and its additional Protocol which:
- is open to non-members of the Council of Europe;
- has already been ratified by 50 countries, including African and South American States, is the only binding multilateral instrument in the area of data protection; and
- is currently being revised and the Commission will actively promote the swift adoption of a modernised text with a view to the EU becoming a Party.
the GDPR already enables the Commission to develop international cooperation mechanisms to facilitate the effective enforcement of data protection legislation, including through mutual assistance arrangements; and
it will explore the development of an agreement for cooperation between EU data protection authorities and enforcement authorities in certain third countries drawing from prior experiences in other enforcement areas such as competition and consumer protection.

Law enforcement

New adequacy decisions

5.32The Commission explains that the Law Enforcement Directive introduced adequacy decisions for data exchanges for law enforcement purposes and says that:

rules on international transfers in the Law Enforcement Directive govern data exchanges between EU and non-EU law enforcement agencies (LEAs) as well as, in specific situations, transfers from LEAs to other entities; and
it will promote the possibility of law enforcement adequacy findings with qualifying third countries, in particular with those countries with which close and swift cooperation is required in the fight against crime and terrorism, and where there are already significant personal data exchanges.

International agreement for data sharing

5.33The Commission then outlines the alternatives to an adequacy decision:

the EU-US Data Protection Umbrella Agreement concluded in December 2016 is a successful example of how law enforcement cooperation with an important international partner can be enhanced by negotiating a strong set of data protection safeguards;
by automatically supplementing existing legal instruments on which data exchanges are based (in particular bilateral agreements at both EU and Member State level), the Umbrella Agreement brings immediate and direct benefits to individuals and strengthens law enforcement cooperation by facilitating the exchange of information;
by establishing a baseline for future data transfer arrangements with the US, the Umbrella Agreement does away with the need to repeatedly renegotiate those same safeguards;
Umbrella constitutes the first bilateral international agreement with a comprehensive catalogue of data protection rights and obligations in line with the EU acquis (body of law);
Umbrella could form the basis for negotiating similar agreements with third countries not only in the field of judicial and police cooperation, but also in other areas of public enforcement (e.g. competition policy, consumer protection);
similar future agreements could cover both government-to-government exchanges and data transfers between private companies and LEAs;
they could also facilitate the conclusion of specific agreements concerning the exchange of data between relevant EU agencies (notably Europol and Eurojust) and third countries; and
the Commission will therefore explore the possibility to conclude similar framework agreements with its important law enforcement partners.

5.34Moreover, the Law Enforcement Directive:

envisages the possibility, under strict safeguards and in specific circumstances, for LEAs in the EU to request information directly from a private company in a third country and to pass on personal information (typically a name or an IP address) in that request; and
contrasts with the GDPR which specifically only allows private entities to transfer data to LEAs outside the EU under certain conditions, e.g. based on an international agreement or where disclosure is necessary for an important ground of public interest recognised in EU or Member State law.

5.35The Commission also says that it will follow up the Council Conclusions on improving criminal justice in cyberspace to facilitate the cross-border exchange of e-evidence in conformity with data protection rules.

Europol and Passenger Names Records (PNR)

5.36Finally, in accordance with the new legal basis for Europol, the Commission will assess the provisions contained in those operational cooperation agreements between Europol and third parties, concluded under Council Decision 2009/371/JHA, including their data protection provisions.

5.37Also, as set out in the 2015 European Agenda on Security, the EU’s future approach to the exchange of PNR data with non-EU countries will take into account the need to apply consistent standards and specific fundamental rights protections. The Commission, taking into account the forthcoming Opinion from the CJEU on the proposed EU-Canada PNR Agreement,36 will work on legal solutions to exchange PNR data with third countries, including by considering a model agreement on PNR.

Commission’s overall conclusions

5.38The Commission concludes that it will

“…ensure coherence of the internal and external dimension of EU data protection policy and promote strong data protection at international level to improve law enforcement cooperation, contribute to free trade and develop high personal data protection standards globally.”

The Government’s view

5.39In his Explanatory Memorandum of 7 February 2017, the Minister of State for Digital and Culture (Matt Hancock) first repeats the standard statement about the Government’s position in the EU until it exits.37 Given the relevance of this document to Brexit, we reproduce what the Minister says about policy implications in full:

“The Government welcomes the Commission’s Communication. It provides a broad outline of the reformed EU data protection regime in the context of cross-border data transfers. It outlines the mechanisms available for transfer, such as adequacy agreements, standard contractual clauses and binding corporate rules under the existing regime. It also discusses how these have been broadened under the new regime, and sets out a number of new transfer measures, such as certification mechanisms and approved codes of conduct; which are designed to provide tailor-made solutions for companies which could enable them to benefit from the competitive advantages associated, for example, with a privacy seal or mark.

“The Communication presents the Commission’s approach to adequacy decisions, which allow for the free flow of personal data between the EU or EEA and third countries that are recognised as providing “adequate protection” for personal data comparable to that in the EU. It notes what the process of an adequacy finding involves and outlines the criteria to be taken into account when assessing with which third countries a dialogue on adequacy is to be pursued.

“As part of the discussion the Commission indicates its intention to engage with Latin American countries (in particular Mercosur) and non-EU European neighbours that have expressed an interest in receiving an adequacy decision from the EU. The promotion of data protection standards internationally and international law enforcement co-operation are also addressed. Furthermore, it discusses the Commission’s plans to work with and support countries interested in adopting strong data protection laws to converge with EU data protection principles and interoperable global standards; and notes steps the Commission will take to enhance enforcement cooperation, including through mutual assistance arrangements.

“As part of plans for the UK’s exit from the EU, the Government will consider carefully how best to maintain its continued ability to share, receive and protect EU data with other EU member states (and, indeed, with nations outside the EU). The Government is keen to ensure that data flows with the EU are not interrupted after the UK leaves the EU and therefore is considering all the options on the most beneficial way of ensuring that the UK’s data protection regime continues to build a culture of data confidence and trust that safeguards citizens and supports business in a global economy. The Government views the Communication as important in highlighting the Commission’s approach to these matters.”

Previous Committee Reports

None.

14 Lords’ Select Committee on the EU, EU Home Affairs Sub-Committee, 1 February 2017 [Minister for Digital and Culture]: Q2, Uncorrected evidence: “Not only do we seek unhindered data flows but we want that to happen in an uninterrupted way—that is to say, on the morning on which we have left the European Union, it is very important that our data rules work, so that there is an uninterrupted system in place”.

15 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

16 Directive (EU) 2016/680 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

17 The Minister of State for Exiting the European Union (Mr David Jones) has said: “I would point out that on the day of departure, the UK’s data protection arrangements will be in perfect alignment with those of the continuing EU.” (Hansard, HC Deb. 18 January 2017, col. 1020).

18 We reported on 8 February on this proposed Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): (38455), 5358/17 + ADDs 1–6 , COM(17) 10. See Thirty-first Report HC 71-xxix (2016–17), chapter 6 (8 February 2017).

19 The GDPR provides a suite of mechanisms to transfer personal data from the EU to third countries and third country companies, including Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCC), approved codes of practice, certification mechanisms and adequacy decisions. The Law Enforcement Directive also provides for adequacy decisions and international agreements for data-sharing. There is also some limited scope for case-by-case transfers.

20 (37695),—: Commission Implementing Decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

21 (37724–37726), 8245/16 and 8491/16:Proposed Council Decisions on the signing and conclusion, on behalf of the European Union, of an Agreement between the USA and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences.

22 In the Schrems case the CJEU invalidated the EU-US “Safe Harbor” decision, the predecessor to Privacy Shield. There are also two current legal challenges to Privacy Shield itself. In 2014, the CJEU invalidated the Data Retention Directive in the Digital Rights Ireland case, In December the CJEU expanded on its Digital Rights Ireland ruling holding that any national legislation providing for “general and indiscriminate” retention of data is incompatible with the EU law, including the Charter (Watson v Home Secretary). This ruling, when it is applied by the UK Court of Appeal, may mean that the UK’s Investigatory Powers Act 2016 will have to be amended.

23 Also, Article 47 (right to an effective judicial remedy) to enable EU citizens to enforce their data protection rights.

24 For Privacy Shield see Commission Communication of 27 November 2013 first setting out 13 recommendations for changing Safe Harbor. Privacy Shield was adopted by the Commission on 12 July 2016. For the Umbrella Agreement, the Commission proposed on 26 May 2010 a draft mandate for negotiating the agreement between the EU and the US. The Agreement was concluded (ratified) by the EU on 2 December 2016.

25 Case C-362/14, Maximillian Schrems v Data Protection Commissioner.

26 Joined Cases C293/12 and C594/12 Digital Rights ireland v Minister for Communications, Marine and Natural Resources and others.

27 Joined Cases C203/15 and C698/15 Tele2 Sverige AB and Home Secretary v Watson.

28 Respectively, the rights to private and family life, to protection for personal data and to an effective judicial remedy.

29 The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (CETS No. 108). The Convention opened for signature on 28 January 1981 and was the first legally binding international instrument in the data protection field. Under this Convention, the parties are required to take the necessary steps in their domestic legislation to apply the principles it lays down in order to ensure respect in their territory for the fundamental human rights of all individuals with regard to processing of personal data.

30 The Commission has to take into account “the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are transferred”. It also has to take into account the existence and independence of any supervisory authorities and legally binding commitments on data protection.

31 SCCs lay down the respective data protection obligations between the EU exporter and the third country importer.

32 BCRs are internal rules adopted by a multinational group of companies to carry out data transfers within the same corporate group to entities located in countries which do not provide an adequate level of protection.

33 Case C-362/14, Maximillian Schrems v Data Protection Commissioner, points 73, 74 and 96. See also recital 104 of the GDPR and recital 67 of the Police Directive which refer to the standard of essential equivalence.

34 The Commission’s wording which it derives from para 74 of Schrems.

35 To be replaced in 2018 by the European Data Protection Supervisory Board.

36 The Advocate General has already given his opinion in “Opinion 1/15” on 8 September 2016.

37 On 23 June, the EU referendum took place and the people of the United Kingdom voted to leave the European Union. Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force. During this period the Government will continue to negotiate, implement and apply EU legislation. The outcome of these negotiations will determine what arrangements apply in relation to EU legislation in future once the UK has left the EU.

< Back

Next >

10 March 2017