Legally and politically important
Cleared from scrutiny; further information requested; drawn to the attention of Exiting the EU Committee, the Science and Technology Committee, and the Digital, Culture, Media and Sport Committee and the Home Affairs Committee
Report from the Commission to the European Parliament and the Council on the first Annual Review of the functioning of the EU-US Privacy Shield
Digital, Culture, Media and Sport
(39148), 13524/17 + ADD 1, COM(17) 611
12.1The ability to continue to share commercial data with the EU after Brexit will be crucial to the UK’s future trading relationship with the EU. It may also be a concern during any transition or implementation period. Personal data can only be shared by data processors and controllers in the EU with third countries who provide equivalent levels of data protection. This is usually established by a Commission implementing act called an “adequacy decision”. The necessary implementing powers for the Commission are provided by the EU parent legislation, currently the Data Protection Directive 95/46/EC (the DPD). It is also a matter of concern that after Brexit the UK can share data with countries who already have an EU adequacy decisions.
12.2On 12 February 2016 the EU and US came to political agreement on a framework for EU-US personal data transfers for commercial purposes. On 12 July, the Commission adopted a partial adequacy decision which approved the Privacy Shield. This followed the invalidation of the previous adequacy decision, known as Safe Harbor in the Schrems case for incompatibility with the DPD and Articles 7 and 8 of the Charter of Fundamental Rights (right to a private and family life and right to protection of personal data).
12.3The proposed Commission Implementing Decision for the approval of the Privacy Shield was itself deposited at the request of the previous Committee who scrutinised it closely. A summary of the content of Privacy Shield is provided at paragraphs 6.12–6.14 of our last Report.
12.4The current document is the first annual review of the Privacy Shield. Overall, the Report shows that the Privacy Shield continues to ensure an adequate level of data protection for personal data transfers for commercial purposes from the EU to the 2,400 participating companies in the US. Details of the Commission’s review are provided at paragraphs 6.15–6.19 of our last Report.
12.5The Government told us in its Explanatory Memorandum that the UK was a firm supporter of the Privacy Shield agreement being finalised and viewed it as a major step forward for restoring certainty and a stable legal footing for transatlantic data flows. It also says that the EU-US Privacy Shield is essential to UK businesses, who would find other mechanisms for transfer more complicated and expensive.
12.6We expressed our disappointment in our last Report that the Government did not address, to any extent, the Brexit implications of the UK sharing personal data with third countries or the EU. However, we were already engaged in ongoing scrutiny of how the UK will share data with the EU after Brexit in relation to the Commission’s Communication on “Exchanging and Protecting Data in a Globalised World”. We had also taken the opportunity to ask the Government questions about its Future Partnership paper “The exchange and protection of personal data” when it was sent to us for our information. We therefore decided not to duplicate that scrutiny. So instead, we focussed on the Minister’s comments about exploring how to share data with the US after Brexit. We asked to hear more broadly from the Government on this third country issue and how the UK will continue to exchange data with the EU and with third countries who have an adequacy decision with the EU:
a)during any transitional/implementation period; and
12.7We were also interested in the legal longevity of the EU-US Privacy Shield, in the light of current legal challenges, Digital Rights Ireland and La Quadrature du Net. We asked the Government for an update, including whether the UK was intervening in these proceedings.
12.8We thank the Minister (Margot James) for her letter of 29 January 2018 and her responses to our questions.
12.9We appreciate current uncertainties over the precise arrangements for the UK to exchange personal data with both the EU and third countries during a transition/implementation period. However, we would request that the Minister write to us when specific agreement on transitional arrangements has been reached. We would like the Minister to address these specific areas of recent concern:
a)The Council’s negotiating directives adopted on 29 January, reflected more precisely in the MS27 legal text published on 7 February, state that the UK will no longer attend meetings of Commission experts’ groups, committees or other similar entities where Member States are represented. However, exceptionally on a case-by-case basis, the UK might be invited to attend one of these meetings without voting rights. As things stand there is no specific arrangement for UK national data protection experts to be involved in any way in relation for the comitology process for making third country adequacy decisions during the transition/implementation period. These decisions could be of important precedential value for future EU-UK data-sharing. We would be interested to learn, in due course, what, if any arrangements, have been agreed for the UK to continue to have some expert input into adequacy decisions and other data protection instruments during transition.
b)Connected with (a), we note the oral evidence of the UK Information Commissioner (Elizabeth Denham) provided in late January to the Science and Technology Committee about the loss of UK influence as a third country regulator:
“I have the experience of once being a third-country regulator in Canada, because Canada is an adequate jurisdiction to the EU. I can tell you that Canada is not horrendously influential in what happens in the EU. That said, the ICO has a strong influence around the table with our European Union counterparts, because we are a really, large authority. We are probably the largest data protection authority in Europe and perhaps globally.
“However, if we were a third country, and even if we had an equivalent law, if we are not a decision-maker in trans-border cases and we are not making decisions, then we are not going to be as influential as we are now. The EU is a large block of data protection supervisors.”
In the light of this, we would be interested to learn what cooperation is envisaged between the Information Commissioner’s Office as the UK data protection regulator and EU data protection bodies both during transition and as part of a future EU-UK relationship.
c)The recent Court of Appeal judgment in the Watson case has applied the earlier CJEU ruling in those proceedings to the Data Retention and Investigatory Powers Act 2014 (now repealed) with implications for the Investigatory Powers Act 2016. It serves as reminder of the exigencies of EU law when it comes to obtaining an adequacy finding from the Commission as to the level of data protection afforded by a third country. Related to these developments, we would be interested in any information the Government has about progress in the Bulk Personal Datasets preliminary reference to the CJEU by the Investigatory Powers Tribunal, including the expected date of a ruling. We note that this case concerns whether the CJEU’s judgment in the Watson case covers data retained for national security purposes. We would therefore also like to know whether any ruling would have implications for UK data-sharing or surveillance for national security purposes during a transition/implementation period. We appreciate that these matters might fall within the remit of the Home Secretary but are confident that an answer can be provided through cross-departmental liaison.
12.10We will consider the Minister’s responses to our questions in paragraphs 9(a)-(c) above in the context of our continuing scrutiny of the Commission Communication on Exchanging and Protecting Data in a Globalised World.
12.11Given that, we now clear this non-legislative report from scrutiny. We also draw it and this chapter to the attention of the Exiting the EU Committee, the Digital, Culture, Media and Sport Committee, the Science and Technology Committee and the Home Affairs Committee.
12.12The Minister for Digital and the Creative Industries at the Department for Digital, Culture, Media and Sport (Margot James) says:
“The Committee has asked a number of follow-up questions relating to how the UK intends to continue sharing data with the EU and third countries (regarded as adequate by the EU) when we leave the EU. The Committee has also asked for further detail on the current legal challenges against the EU-US Privacy Shield and the UK’s approach to them.
“As set out in our Future Partnership Paper on data, the UK recognises the need for, and is one of the leading drivers of, high data protection standards across the globe. After our exit, the UK will remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules.
“Furthermore, and as my predecessor set out in his letter to the Committee of 26 October (in response to the Committee’s EU Data Protection Package report), the Government recognises the importance of maintaining uninterrupted data flows with the EU after UK exit.
“In the light of the recent agreement that sufficient progress has been made to move to the second phase of EU exit negotiations, we will propose a strictly time-limited implementation period from our exit to our future partnership arrangements. Our goal is to ensure that the unhindered free flow of data between the UK and the EU continues after the UK’s exit from the EU. Combined with that, the EU (Withdrawal) Bill will ensure that the remainder of the GDPR is incorporated into domestic law post exit.”
12.13The Minister adds that the Data Protection Bill’s Statement of Intent states:
“The ability to transfer data across international borders is crucial to a well-functioning economy. We are committed to ensuring that uninterrupted data flows continue between the UK, the EU and other countries around the world. The Data Protection Bill will place us on the front foot in allowing the UK to maximise future data relationships with the EU and elsewhere.”
“On the EU-US Privacy Shield, the UK has intervened in both legal challenges brought against the framework. In the case of La Quadrature du Net, the UK submitted written observations to the Court. We understand that the challenge brought by Digital Rights Ireland has been struck out by the Court and therefore will not require further action from a UK perspective at this time. The UK remains a strong supporter of the Privacy Shield and believes it provides a resilient framework for data transfers that meet the requirements set out by the Court of Justice of the European Union in the Schrems litigation. It also provides the most efficient method for transatlantic data transfers, and it is important to UK businesses to ensure that they can continue sending personal data to the US.”
Third Report HC 301–iii (2017–19), (29 November 2017). See also (38493), 5191/17: Thirty-fourth Report HC 71–xxxiii (2016–17), (8 March 2017); also (37695),—: Seventeenth Report HC 71–xv (2016–17), (2 November 2016); Eighth Report HC 71–vi (2016–17), (13 July 2016); and Third Report HC 71–ii (2016–17), (25 May 2016).
169 A form of EU tertiary legislation.
170 The Directive is itself an EU secondary legislative measure.
171 C (2016) 4176. Commission Implementing Decision 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.
172 C-362/14 Maximillian v Data Protection Commissioner, 6 October 2015.
173 See the Report listed under “Previous Committee Reports” for (37695) at this end of this Report chapter.
174 Third Report HC 301–iii (2017–19), (29 November 2017).
175 See footnote 6.
176 (38493), 5191/17. See reports listed under “Previous Committee Reports” for 38493 at the end of this Report chapter.
177 See Letter from Sir William Cash, Chairman, European Scrutiny Committee to the Minister for Digital (Matt Hancock) at the Department of Digital, Culture, Media and Sport dated Monday 13 November 2017.
The position paper accessible from the DEXEU website at:
178 Digital Rights Ireland v Commission, Case
179 La Quadrature du Net and Others v Commission, Case .
180 We note that the cumulative effect of paras 1 and 6 of Article X+1 “Scope of the transition” of the proposed legal text on Transitional Arrangements published by the MS27 on would appear to be that the UK would be treated as an EU Member State and not as a third country during transition for the purposes of EU legislation and law, including that on data protection and data sharing, subject any relevant restrictions stated in the second sub para of 6.
181 Negotiating directives adopted by the Council on
182 Para 1 of Article X+2 “Institutional Arrangements” of the proposed draft legal text on Transitional Arrangements published by the MS27 on .
183 Para 4 of Article X+2 “Institutional Arrangement” of the legal text on Transitional Arrangements published by the MS27 on .
184 Oral evidence taken before the Science and Technology Committee on , HC 351 (2017–19), Q319 [Elizabeth Denham]
185 Secretary of State for the Home Department (Appellant) and (1) Tom Watson MP (2) Peter Brice (3) Geoffrey Lewis and Respondents (1) Open Rights Group (2) Privacy International (3) The Law Society of England and Wales, Judgment of the Court of Appeal, .
186 Privacy International v Secretary of State for Foreign and Commonwealth Office, Secretary of State for the Home Office, GCHQ, Security Service and Secret Intelligence Service: Order for a Preliminary Ruling request dated
187 Joined Cases Tele 2 Sverige and Watson.
23 February 2018