Documents considered by the Committee on 28 February 2018 Contents

3Data Protection and the EU institutions

Committee’s assessment

Legally important

Committee’s decision

Not cleared from scrutiny; further information requested; drawn to the attention of the Digital, Culture, Media and Sport Committee

Document details

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies, repealing Regulation (EC) No 45/2001 and Decision 1247/2002/EC

Legal base

Article 16(2) TFEU; ordinary legislative procedure; QMV


Digital, Culture, Media and Sport

Document Number

(38446), 5034/17, COM(17) 8

Summary and Committee’s conclusions

3.1The General Data Protection Regulation (GDPR) adopted in 2016 applies rules on the processing and free movement of personal data to Member States and data controllers/processors within the EU.14 It will be directly applicable in Member States from 25 May 2018. It is an important piece of EU legislation for facilitating the Digital Single Market. It will also update the EU’s 1995 data protection rules in line with technological developments, strengthen online privacy rights and address divergent implementation by Member States. The Government has committed to ensuring that UK law complies with the GDPR by the May deadline. The Data Protection Bill is currently progressing through Parliament and is due its second reading in the Commons.

3.2The purpose of this proposed Regulation is to adapt the new GDPR rules to EU institutions, agencies and other bodies. It also anticipates the proposed reform of the current e-Privacy Directive.15 The proposal is a recast of the current Regulation (EC) 45/2001 applicable to the EC/EU institutions, agencies and other bodies which is based on the rules in the 1995 Data Protection Directive.

3.3As the obligations in this proposal are imposed on data controllers and processors in EU bodies, the previous Government broadly assessed any impact on the UK to be minimal (excluding UK-based external processors used by the EU). However, it intended to ensure that, where possible, the same obligations and protections are applied to EU institutions as under the GDPR.

3.4The Commission’s intention was that the proposal would take effect at the same time as the GDPR. In other words, as a directly applicable Regulation it should apply to the UK from 25 May 2018, in advance of Brexit. However, despite the agreement of a general approach on 8 June 2017, the Minister for Digital and Creative industries (Margot James) now reports that trilogues have stalled due to some “controversial amendments” from the European Parliament (EP). These concern the inclusion of Eurojust and Europol and the CSDP within the scope of the Regulation.

3.5We thank the Minister for her letter updating us on the stalling of trilogue negotiations.

3.6We support the Government’s view that both of amendments suggested by the European Parliament are objectionable from the point of view of legal certainty (the inclusion of Europol and Eurojust), in the case of the Common Defence and Security, a lack of competence. Unless the issues concerned are quickly resolved in trilogues, we ask the Minister to confirm that it is unlikely that the proposal will apply from the same date as the General Data Protection Regulation on 25 May 2018.

3.7We refer to our predecessors’ question about the potential for the proposal to have a greater impact on UK citizens once they are citizens of a third country. The concern behind this question was that as third country citizens, UK citizens might have to submit a greater volume of data to the EU to travel and work in the EU when they no longer have the free movement rights of EU citizens. We should clarify therefore that we and our predecessors were not concerned, as the Minister assumes, about different data protection rules applying to the EU institutions depending on whether the data of third country or EU citizens was being processed.

3.8We thank the Minister for the brief update on the proposed E-Privacy Regulation16 which we currently have under scrutiny. While this is helpful, we expect a fuller explanation in due course of why there has been a lack of progress on this proposal from a UK point of view. In particular, have there been any UK objections to restrictions in the text under negotiation or to amendments being proposed by the European Parliament (EP) to prevent or limit the ability of UK authorities to access encrypted communications used by some “Over-the-top” (OTT) providers such as What’s App for national security purposes? We note in this respect that:

3.9Pending the Minister’s responses, we retain the current proposal under scrutiny. We draw the document and this chapter to the attention of the Digital, Culture, Media and Sport Committee.

Full details of the documents

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies, repealing Regulation (EC) No 45/2001 and Decision 1247/2002/EC: (38446), 5034/17, COM(17) 8.

The Minister’s letter of 7 February 2018

3.10The Minister for Digital and the Creative Industries at the Department for Digital, Culture, Media and Sport (Margot James) first provides background to the current proposal:

“As you will be aware, the European Institutions Regulation (5034/17) sets out the rules for processing personal data by the European Union institutions and bodies. The Regulations require that EU bodies must process all personal data under the same rules, whether they come from EU citizens or not.

“As the existing rules were heavily based on the 1995 Directive, differences exist between the current Regulation and the General Data Protection Regulation (GDPR). In accordance with Article 2(3) of the GDPR, the European Institutions Regulation therefore needs to be updated so as to create a coherent data protection framework.

3.11Next, she updates us on the stalled trilogue negotiations on the proposal:

“In relation to the current status of this Regulation, the Estonian Presidency began trilogue in late autumn 2017. These talks have reached an impasse because of some controversial amendments being proposed by the European Parliament namely:

“a. The inclusion of Eurojust and Europol under the measure’s scope. The Government notes that these bodies’ data processing is already covered by strong, comprehensive data protection provisions which are specifically tailored to meet the operational needs of law enforcement agencies, in their respective Regulations. In each of the founding acts for the Justice and Home Affairs agencies, data protection law was thoroughly discussed, taken into account and recently improved. The proposed amendments foreseeing a “one size fits all” approach is thus not necessary and also risks generating gaps and creating legal uncertainty.

“b. The inclusion of Common Security and Defence Policy in these Regulations: The Government notes that these matters are not within EU competence.”

3.12She adds that:

“No resolution of the above matters has been reached under the Estonian Presidency, and they will be passed to the Bulgarian Presidency in the New Year for further discussion.”

3.13The Minister also addresses previous scrutiny questions about the extent to which the European Data Protection Supervisor (EDPS)’s recommendations were taken into account in relation to the General Approach on this current proposal. She responds, by listing the key recommendations of the EDPS in turn:

“(a) In relation to the various derogations in the proposal (Article 25), the EDPS advised that restrictions on rights and obligations should only be permitted where set out in legal acts based on the Treaties and not just in administrative rules. This is to align with the GDPR requirement for Member States to enact such restrictions in national legislation. This has been partially addressed by virtue of the fact that, although the ability of Institutions and Bodies to set internal rules will remain, this will be subject to certain conditions and various safeguards, ensuring internal rules are published and transparent, and can be legally challengeable.

“(b) The EU institutions exercising public authority should not be able to outsource the function of a Data Protection Officer. This recommendation was not followed in the Council’s General Approach.

“(c) Article 66, which would grant the EDPS the power to impose administrative fines on the EU institutions was justified because otherwise they would enjoy a privileged position compared with public sector institutions in Member States under the GDPR. This recommendation was accepted, with the text permitting the EPDS to fine EU bodies.”

3.14The Minister then turns to the previous scrutiny questions about the impact of the proposed Regulation on UK citizens as third country nationals after the UK has left the EU. She says:

“The EU Institutions Regulation has the same effect as the GDPR but regulate processing for the EU Institutions and Bodies. It requires EU institutions, bodies, and agencies to process personal data in the same way, whether they relate to EU citizens or third country nationals.”

3.15Finally, the Minister also provides us with a short update on the proposed e-Privacy Regulation. Discussions have not progressed on this proposal in Council. This is partially due to great uncertainty over the text’s effect and its relation to the GDPR, with many Member States yet to take a position. She adds:

“In addition to the crossover with the GDPR, discussions have focused on seeking clarity about which types of processing fall under the proposal’s scope, on the effects of the proposed limited range of circumstances for processing e-comms data, and on the proposed new cookies rules. The UK has posed six questions to the Commission on the effect of the proposed rules for cookies. These questions were adopted by the Presidency, and the Commission has recently produced a non-paper in response. The Government is currently analysing the Commission’s answers.”

Previous Committee Reports

First Report, HC 301–i (2017–19), chapter 12 (21 November 2017); Thirty-first Report HC 71–xxix (2016–17), chapter 5 (8 February 2017).

14 It will also be extended to the EEA.

15 Proposal for a Regulation of the Council and European Parliament concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications): 5358/17.

16 Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), 5358/17, COM (2017) 10.

17 Report of the Civil Liberties, Justice and Home Affairs Committee of the EP dated 20 October 2017, A8–0324/2017,

18 “(1a) Providers of electronic communications services shall ensure that there is sufficient protection in place against unauthorised access or alterations to the electronic communications data, and that the confidentiality and integrity of the communication in transmission or stored are also guaranteed by technical measures according to the state of the art, such as cryptographic methods including end-to-end encryption of the electronic communications data. When encryption of electronic communications data is used, decryption by anybody else than the user shall be prohibited. Notwithstanding Articles 11a and 11b of this Regulation, member States shall not impose any obligations on electronic communications service providers or software manufacturers that would result in the weakening of the confidentiality and integrity of their networks and services or the terminal equipment, including the encryption methods used.”

19 BBC Website, 1 August 2017.

5 March 2018