Documents considered by the Committee on 13 November 2017 Contents

12Data Protection and the EU institutions

Committee’s assessment

Legally important

Committee’s decision

Not cleared from scrutiny; further information requested

Document details

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC

Legal base

Article 16(2) TFEU; ordinary legislative procedure; QMV


Digital, Culture, Media and Sport

Document Number

(38446), 5034/17, COM (17) 8

Summary and Committee’s conclusions

12.1The recently adopted General Data Protection Regulation (GDPR) applies rules on the processing and free movement of personal data to Member States and data controllers/processors within the EU.106 It will be directly applicable in Member States from 25 May 2018. It is an important piece of EU legislation for facilitating the Digital Single Market. It will also update the EU’s 1995 data protection rules in line with technological developments, strengthen online privacy rights and address divergent implementation by Member States. The Government has committed to ensuring that UK law complies with the GDPR by the May deadline.

12.2EU data protection rules are likely to remain relevant and significant for the UK after Brexit. This is because any future trading with the EU will probably involve the cross-border exchange of personal data from the UK as a third country to the EU.

12.3The purpose of this proposed Regulation is to adapt the new GDPR rules to EU institutions, agencies and other bodies. It also anticipates the proposed reform of the current e-Privacy Directive.107 The proposal is a recast of the current Regulation (EC) 45/2001 applicable to the EC/EU institutions, agencies and other bodies which is based on the rules in the 1995 Data Protection Directive. It is likely to be directly applicable in the UK before Brexit, coming into effect at the same time as the GDPR.

12.4As the obligations in this proposal are imposed on data controllers and processors in EU bodies, the previous Government broadly assessed the impact on the UK to be minimal (excluding UK-based external processors used by the EU). However, it intended to ensure that, where possible, the same obligations and protections are applied to EU institutions as under the GDPR.

12.5The conclusions in the previous Committee’s first Report:

a)Encouraged the Government to continue negotiating consistency between this proposal and the GDPR so that UK and other EU citizens and businesses could enjoy similar levels of protection whether their data is processed by EU bodies or by data controllers/processors and Member States;

b)Questioned whether the handling of the personal data of UK citizens by EU institutions might assume more significance after Brexit. Subject to any future EU-UK future relationship agreement, “third country” UK citizens might have to submit even more data than at present to EU bodies and centralised EU databases to acquire authorisation respectively to travel, work or provide services in the EU;

c)Asked the Minister to comment from a Brexit viewpoint on Chapter V of the proposal which addresses the transfer of personal data to “third countries and international organisations”. Even putting Brexit to one side, the Court ruling in Schrems on the EU-US Privacy Shield highlights this as an area on which the Minister should comment; and

d)Also asked the Minister to explain how obligations under this proposal tie in with discrete obligations in relation to the handling of data relating to EU centralised databases, many related to law enforcement.

12.6We now report to the House two letters from the Minister of State for Digital (Matt Hancock). The first was considered by the previous Committee (19 April) and the second was received in the intervening period before we were reconstituted (4 July). Most importantly, the Minister informs us that a General Approach was agreed by consensus on 8 June, despite one Member State objecting. The UK remained silent having notified the Council that the UK Parliament scrutiny resolution reserve still applied to the proposal. We comment further on this situation in our conclusions, as well as on the publication by the European Data Protection Supervisor (EDPS) of an Opinion on the proposal in the Official Journal of the EU on 25 May.108

12.7We thank the Minister for both of his letters.

12.8We note that a General Approach was agreed on 8 June without a formal vote, with one Member State objecting and the Government remaining silent. Such informal practices subvert our scrutiny resolution reserve and amount to a breach of its spirit, if not strictly of its letter. It would have been clearer had the Government insisted on a formal vote. It could then have abstained if it wanted to avoid a scrutiny override. This confusing situation may not augur well for the Government’s ability to handle scrutiny competently for potentially important dossiers in the run-up to Brexit. The lack of a formal vote also has obvious relevance to the previous Committee’s report on transparency of Council decision-making.109

12.9We recognise that the situation may have been complicated by the fact that:

a)This new Committee had not yet been formed and a scrutiny waiver could not therefore be sought; and

b)The Government had managed to influence the text in a beneficial way, to ensure as far as possible that EU citizens enjoy the same level of protections under the current proposal as they will do under the new General Data Protection Regulation (GDPR).

12.10In any event, we request that when the Minister next updates on the progress in triologues, he should:

a)send us a copy of the General Approach text as agreed;

b)comment on how the General Approach text took account of the Opinion of the European Data Protection Supervisor (EDPS) which was officially published on 25 May;110 and

c)respond to the previous Committee’s observations about the Brexit implications of this proposal for UK citizens as “third country” nationals.

12.11In the meantime, we retain the document under scrutiny.

Full details of the documents

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC: (38446), 5034/17, COM(17) 8.

The Opinion of the European Data Protection Supervisor

12.12The key conclusion in EDPS Opinion is that the proposal is generally successful in aligning data protection obligations for EU institutions with the GDPR, whilst taking into account the specific context of the EU public sector.

12.13However, the EDPS made the following recommendations:

The Minister’s letters of 19 April 2017 and 4 July 2017

12.14In the letter of 19 April, the Minister of State for Digital (Matt Hancock) told the previous Committee:

12.15We reproduce in full the Minister’s latest letter of 4 July 2017 as it informs us of the agreement of a General Approach before we were reconstituted as a Committee and describes the UK’s role in how that agreement was achieved:

“I am writing to inform you about the progress of the “EU Institutions Regulation”, which concerns the protection of personal data processed by EU institutions, bodies, offices, and agencies. On 19th April 2017, I wrote to inform you that the proposal had been discussed at Coreper but received insufficient support. Since then, the Maltese Presidency made progress and were able to agree a General Approach to the proposal at the Justice and Home Affairs Council on 8th June 2017.

“The General Approach was adopted by consensus at Council. There was no vote and thus no possibility of formally abstaining in the voting procedure. However, the UK did formally reassert its Parliamentary scrutiny reserve prior to the Council with both the Presidency and the Council Secretariat. During the debate only one Member State objected to the proposal and with the UK remaining silent due to its scrutiny reserve, the Presidency concluded there was sufficient support to agree a General Approach.

“The Council General Approach text contains a number of changes from the original Commission proposal. The UK succeeded in addressing inconsistencies with the General Data Protection Regulation (GDPR), including removing restrictions to the international transfer provisions for EU institutions that were not permitted to Member States under the GDPR. Another inconsistency with the GDPR was the ability for EU institutions to make “ad hoc” restrictions from various provisions for certain purposes in the absence of Union law or an internal rule.

“Lastly, in its General Approach, the Council decided to clarify the scope of the proposed Regulation. The proposal will not apply to processing of personal data by missions. Nor will it apply when there are measures that themselves have comprehensive data protection rules if the processing is for criminal investigation purposes under the scope of Chapters 4 and 5 of Title V of Part Three of the Treaty on the Functioning of the European Union. This means that the rules in this Regulation will not apply to operational personal data processed under Europol, Eurojust, the European Public Prosecutor’s Office, and similar bodies, but will apply if the data is administrative, e.g. human resources data.”

Previous Committee Reports

Thirty-first Report HC 71–xxix (2016–17), chapter 5 (8 February 2017). See also (33649), 5853/12: Twenty-fifth Report HC 342–xxiv (2015–16), chapter 15 (9 March 2016); Twenty-second Report HC 342–xxi, chapter 3 (3 February 2016); Sixteenth Report HC 342–xv (2015–16), chapter 1 (6 January 2016); Fifteenth Report HC 342–xiv (2015–16), chapter 1 (16 December 2015); Eleventh Report HC 342–xi (2015–16), chapter 2 (2 December 2015); Seventh Report HC 342–vii (2015–16), chapter 5 (28 October 2015); Fifth Report HC 342–v (2015–16), chapter 5 (14 October 2015); First Report HC 342–i (2015–16), chapter 41 (21 July 2015); Thirty-six Report HC 219–xxxv (2014–15), chapter 11 (11 March 2015); Thirty-first Report HC 219–xxx (2014–15), chapter 5 (28 January 2015); Twenty-second Report HC 219–xxi (2014–15), chapter 9 (26 November 2014); Twelfth Report HC 219–xii (2014–15), chapter 8 (10 September 2014); Forty-seventh Report HC 83–xlii (2013–14), chapter 14 (30 April 2014); Thirteenth Report HC 83–xiii (2013–14), chapter 24 (4 September 2013); Eighth Report HC 83–viii (2013–14), chapter 11 (3 July 2013); Third Report HC 83–iii (2013–14), chapter 15 (21 May 2013); Thirty-first Report HC 86–xxxi (2012–13), chapter 7 (6 February 2013); Twenty-sixth Report HC 86–xxvi (2012–13), chapter 11 (9 January 2013); Eighth Report HC 86–viii (2012–13), chapter 5 (11 July 2012); Fifty-ninth Report HC 428–liv (2010–12), chapters 7 and 8 (14 March 2012).

106 It will also be extended to the EEA.

107 Proposal for a Regulation of the Council and European Parliament concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): 5358/17.

108 Published on the EDPS website on 15 March 2017.

109 Second Report (2016–17), HC 128, “Transparency of decision-making in the Council of the EU” (26 May 2016).

110 Article 28 of Regulation 45/2001 requires the Commission to consult the EDPS on any “legislative proposal relating to the protection of individuals’ rights and freedoms with regard to the processing of personal data”.

20 November 2017