Legally and politically important
Not cleared from scrutiny; further information requested; document (b) recommended for debate together with document (a) (already recommended for debate by the Committee as reported on 23 May 2018); drawn to the attention of the Digital, Culture, Media and Sport Committee, the International Trade Committee, the Science and Technology Committee, the Business, Energy and Industrial Strategy Committee and the Exiting the EU Committee
(a) Communication from the Commission to the European Parliament and the Council on Exchanging and Protecting Personal Data in a Globalised World; (b) EU proposal for provisions on cross-border data flows and protection of personal data and privacy
(a) and (b):—
Digital, Culture, Media and Sport AND International Trade
(a) (38493), 5191/17, COM(17)7; (b) (40020),—
1.1Document (a), a Commission is significant in highlighting the future approach of the EU to the exchange of personal data with third countries in a way which adequately protects EU citizens. It is highly relevant to the UK’s position either at a negotiated or non-negotiated exit (alternative scenarios which we refer to as “exit/transition” for brevity’s sake throughout the rest of this chapter). The background to the Communication and a detailed summary of its content are set out in our Report of 8 March 2017.
1.2The Communication points to adequacy decisions as the best option for a third country to share data with the EU, though it also refers to international data-sharing agreements in certain contexts (e.g. data-sharing in some JHA areas). A data adequacy decision takes the form of a Commission implementing decision, as specified by the General Data Protection Regulation (GDPR). Although subject to comitology procedure, meaning that the Commission is assisted by a committee of national experts when refining the measure before adoption, it is essentially a unilateral decision by the Commission which the Commission can repeal, amend or suspend.
1.3To obtain an adequacy decision at either exit/transition the UK would have to demonstrate equivalent legal protections for EU citizens to EU data protection and e-privacy rules. This might present some challenges given that the UK will be outside the jurisdiction of the Court of Justice and outside the scope of the EU Charter of Fundamental Rights once no longer subject to EU law. However, it will be highly aligned with EU data protection laws and the Communication highlights the diverse range of third countries already benefiting from EU data-sharing arrangements. The conclusions to this Report chapter (see paragraphs 0.11–0.23) seek reassurance from the Government that alternative methods of data exchange with the EU would be sufficient for UK businesses and stakeholders, given that a “no deal” outcome to the exit negotiations increasingly seems possible. We refer here to the Commission’s which highlights those alternative mechanisms: Standard data protection clauses, binding corporate rules, Approved Codes of Conduct and approved certification mechanisms. At time of writing the Government has yet to publish its technical note on EU-UK data-sharing and “no deal”.
1.4The Government aspires in its initial on data-sharing, in its and in the on the UK’s Future Relationship with the EU to a data-sharing “agreement” with the EU which exceeds the normal adequacy decision model. Further details of the Government’s latest position set out in the White Paper are provided at paragraphs 0.29–0.32 below. In particular, the Government would like the Information Commissioner to be able to participate in EU data protection bodies and the One Stop Shop mechanism. Although the predominant view amongst commentators and others has been that a Commission adequacy decision would be the best option for future UK-EU data sharing after exit/transition, in an on 9 May with the Exiting the EU Committee, experts including the Information Commissioner agreed that the preferred mechanism for future EU-UK data sharing would be a bespoke data-sharing Treaty (international agreement) which could also provide for a role for the Information Commissioner’s Office. It is notable however that there seems to be a note of realism in the Government’s White Paper about whether a standard adequacy decision may have to be an interim step and the conclusions to this chapter address whether that might be particularly the case if timing before exit/transition becomes tight.
1.5At the same time, there has been pressure for the Commission to make provision in trade deals for cross-border data-flows. In February the Commission proposed some “non-negotiable” horizontal clauses for trade deals to govern the inclusion of personal data flows which we addressed in our last Report on document (a). We asked some questions about the potential legal effect of the provisions, how they relate to EU data protection rules and the adequacy decision process and the UK’s position after exit/transition.
1.6The Commission has now published this new (document (b)). In our , we recommended the Communication for debate with the EU-Japan Economic Partnership Agreement (EPA) documents. This was on the basis that although cross border data flows (including personal data) had been earmarked for that EPA, they were never agreed. This is because the Commission considered personal data flows to be unsuited to negotiation as part of a trade deal, including on procedural grounds.
1.7During discussions about scheduling the debate, DCMS officials informed Committee staff that the Government wanted to debate the Communication separately on the grounds of overcomplicating the EU-Japan debate with difficult data issues. The was therefore finally held on 26 June without debating the Communication at the same time. In advance of that debate, the then Minister of State for Trade Policy (Greg Hands) wrote to explain the Government’s position on the debate recommendation and on the clauses themselves (see paragraphs 0.26–0.27 below). During that debate a Member of both this Committee and the Science and Technology Committee and this Committee expressed interest (Darren Jones) expressed interest in a debate on related data issues. This interest has been followed by a supportive letter from the Chairman of the Science and Technology Committee (Norman Lamb). Further details of that letter are set out in paragraph 0.28 of this Report. The current Minister of State for Trade Policy at the Department for International Trade (George Hollingbery) has now also written to us in a letter of 3 September to endorse a debate on data flows “at the earliest opportunity”.
1.8In an of 16 August, the Minister explains that the purpose of the proposal is to set out horizontal provisions for cross-border data flows and for personal data protection in EU trade negotiations, including amendments based on feedback from EU Member States. These will be deployed in trade negotiations with Indonesia and so may change during negotiations. The full negotiated text will be published once the negotiations have concluded, in advance of signature and ratification. Negotiations will enter into their 6th round in the week of 15 October 2018 but are unlikely to conclude before the UK’s exit or the end of transition. However, he says that in the meantime the UK will continue to engage actively on the introduction of these new provisions in trade deals.
1.9The Minister emphasises that the provisions only address data in the context of trade agreements—i.e. seeking to remove unnecessary and unjustified barriers to trade. Importantly, they do not:
1.10He adds that there are no immediate exit implications of the proposed provisions but that the Commission “has stated that these provisions will be a model for future FTA negotiations. Therefore, there are potential implications for the UK’s future relationship with the EU”. The UK is supportive of “the removal of barriers to the free flow of data, along with high standards of protection for personal data”. It would like to see “ambitious data provisions and will continue to work with the EU to secure these in trade agreements”.
1.11Based on the areas of interest set out in the Conclusions below, we recommend document (b) for debate together with document (a) (already recommended for debate by us as ). These Conclusions should be read as superseding those set out in that Report in May. We invite both the Secretary of State for Digital, Culture, Media and Sport and the Minister for Trade Policy to attend that debate. Given the importance of these issue, we request that the debate takes place on the floor of the House.
1.12We thank the Minister for Trade Policy for responding to the request we made in our report of 23 May for the Government to voluntarily deposit these provisions on cross-border data flows in trade agreements. However, it is regrettable that we are only being provided the Government’s view of the clauses only after the provisions have been agreed by the EU’S Trade Policy Committee and Member States submitted their feedback on the provisions.
1.13We are also grateful for his Explanatory Memorandum, his letter of 3 September and for his predecessor’s letter of 12 June. As this Report chapter now concerns two documents for which two different Government departments have responsibility, we have attempted in the interests of clarity to direct certain of our conclusions to the Secretary of State for Digital, Culture, Media and Sport (further referred to in this chapter as “the Secretary of State”) and others to the Minister for Trade Policy. However, we leave it to the Government’s discretion as to who is best suited to answer these questions, whether a joint response is preferable and whether any response should be sent in advance of the debate.
1.14We note that when he gave to the House of Lords European Union Committee on 29 August, the Secretary of State for Exiting the EU (Dominic Raab) was asked why data-sharing was an area of the draft Agreement still to be finalised. He responded by not being drawn on the specifics of the negotiation but by commenting that: “Data sharing is very technical, very complicated, and we are trying to make sure that we cover all the potential scenarios in a way that is responsible on all sides”. We presume here that the Secretary of State is referring to of the draft “Protection of personal data” which appears to address what legal regime will govern data processed under EU law before the end of the transitional period or as a consequence of the Withdrawal Agreement. We understand the need for the Government not to disclose the detail of its negotiating position. But we do not think it prejudicial for the Minister to confirm to us that any outstanding areas of discussion are indeed only at a technical level and there are no bigger points of principle at issue, for example, the continued jurisdiction of the Court of Justice in respect of that provision. Also, since the Secretary of State for the Exiting the EU has claimed that there has been “real” progress in this area of the withdrawal negotiations in his to the House of 4 September, it would helpful if the Minister could provide further details of that progress.
1.15There have been various position papers on sharing data with the EU after the UK exits/transition, specifically the Future Partnership Paper on the exchange and protection of data, the technical slides and the White Paper. In those papers the Government appears to aspire to an international data-sharing agreement (or Treaty), as opposed to an adequacy decision. The use of the term data-sharing “agreement” in the UK position papers seems to deliberately distance what is being sought from an adequacy decision which is essentially a unilateral measure adopted by the Commission. The Information Commissioner has given evidence to the Exiting the EU Committee, identifying that an international data-sharing Treaty would be the best option for the UK to share data with the EU after UK exit/transition. However, we have seen reports in the press to suggest that UK officials are “paring down” any Treaty ambitions. Can the Secretary of State clarify which of these legal instruments the UK is seeking as the basis for future data exchange with the EU: an adequacy decision or a data-sharing Treaty? Have UK ambitions been “pared down”?
1.16We also understand from the same press reports that Commission officials are not prepared to begin the process for an EU-UK data-sharing arrangement until the Withdrawal Agreement has been agreed. Whilst this is not ideal, this seems some improvement on the position that the Commission might not begin any preparatory work before the UK becomes a third country on 29 March 2019. Can the Secretary of State clarify the actual state of play? If timing is tight, will it be the Government’s aspiration to have a standard adequacy decision in place before exit/transition, rather than the enhanced arrangement it had in mind, particularly in its Future Partnership Paper and technical note? Would the Government see this as an interim step towards an enhanced arrangement, specifically an EU-UK data-sharing Treaty?
1.17The General Data Protection Regulation (GDPR) applies on an extraterritorial basis to any data processors/controllers established outside the EU. This means it will apply, for example, to UK businesses wishing to supply services to EU citizens after UK exit/transition. In the event of “no deal” (meaning here that the has not been agreed and/or ratified by both the EU and the UK by exit day nor an adequacy decision put in place), can the Secretary of State confirm that other mechanisms for third country transfer of data will be adequate for the needs of UK business and other stakeholders in the event of “no deal”. has been given to the Exiting the EU Committee to suggest to the contrary and the Government has yet to publish its own “no deal” technical note on EU-UK data-sharing.
1.18The White Paper says that although for the most part the Economic and Security Partnerships that it seeks, together with areas of Cross-Cutting Cooperation, will be subject to the overarching institutional framework proposed, some chapters of the future EU-UK future relationship agreement would “sit outside” of this framework with their “own governance arrangements” where “this made sense”. Would a data protection chapter be one of those exceptional areas with its own governance arrangements, with perhaps a role for the CJEU and its case-law? We note that the Government’s on data called for a bespoke dispute resolution procedure for data-sharing.
1.19We welcome the Minister’s assurances that the UK will continue to engage actively on the introduction of these new provisions in trade deals and “wants to continue to work with the EU to secure these in trade agreements”. He further commits to keeping us up-to-date with how the provisions might change during trade deal negotiations. We ask him to explain to us whether he expects the UK to continue to be consulted on ongoing trade negotiations with third countries given its imminent exit from the EU. If so, how meaningful will this consultation be during transition, given that the UK is to lose its vote in the Council?
1.20The Minister says that the proposed data flow clauses for trade deals are not to provide legal authority for the data transfer themselves. However, the Commission said in its letter appending its first draft of the provisions (see our Report of 23 May) that there will be times where the “adequacy decision” cannot be realistically adopted in time for the completion of the trade negotiations but protectionist “data flow” barriers need to be addressed from the entry into force of the trade deal. To address this problem, the Commission produce the draft data flow provisions to be included in trade agreements “in full compliance with and without prejudice to the EU’s data protection and data privacy rules”:
1.21We note that the explanations provided in the Minister’s Explanatory Memorandum on the cross-border data flow provisions are in tune with and do not go beyond those produced in the Commission’s on the use of the clauses in the 5th round of the EU-Indonesia Trade Negotiations. However, we would be interested to learn where, if at all, the Government’s own legal analysis of this provisions differs from the Commission’s view. We are particularly interested in Article 2 paragraph 2. If the legal basis for data exchange as a consequence of trade with the EU is one of the alternative legal bases to an adequacy decision (where a decision is not already in place), how can the third country adopt whatever data protection standard it wants in relation to those trade data flows as provided in Article 2? Surely the standard must be as required by the EU mechanism in question, given the extraterritorial reach of the GDPR?
1.22Looking to future trade deals that the UK wishes to strike with non-EU countries, can the Minister tell us how the data of UK citizens exchanged during that trade will be protected to the same high standards currently enjoyed under EU law? What provisions on cross-border data flows does the UK envisage for those agreements? What protections will the Government be seeking and will these as a minimum envisage that the other trading partner will be Party to or will accede to the as this is open to non-Member States? How will protections be enforced? Will bespoke dispute resolution mechanisms be developed, enabling individual citizens to be able to challenge how their data is being processed in a non-EU country and vice versa?
1.23We look forward to hearing the Ministers’ responses to these questions. In the meantime, we ask the Minister for Trade to keep us updated on any developments in relation to the provisions on data flows in trade deals. We retain these documents under scrutiny and draw them to the attention of the Digital, Culture, Media and Sport Committee, the International Trade Committee, the Science and Technology Committee, the Business, Energy and Industrial Strategy Committee and the Exiting the EU Committee. In so doing, we thank the Science and Technology Committee for their support in calling for a debate on these important issues and we acknowledge the contribution already made to scrutiny of them by the Exiting EU Committee in their report
1.24The Minister further explains that:
1.25The proposal includes revisions to the original annex that Member States requested, and it contains three Articles:
1.26In advance of the debate the former Minister of State for International Trade (Greg Hands) wrote in response to the Committee’s report. In his of 12 June, the former Minster said first, in relation to the draft horizontal data flow clauses, that:
1.27On the question of the debate, the Minister said that the Government could support a debate on:
1.28In our of 18 July, we responded to the Minister’s letter by saying that we still wished to pursue the debate on the Communication in respect of the issues we had identified in our Report of 23 May. We note in that letter that although the former Minister of State for Trade Policy had answered many of our questions about the origin and progress of the proposed horizontal trade clauses on data flows in trade agreements, he had neglected to respond on the legal or Brexit implications for the UK of the proposed clauses. We highlighted the support we had received from the Science and Technology Committee by annexing a copy of the letter written to our Chairman (Sir William Cash) by the Chairman of the Science and Technology Committee (Norman Lamb) dated 10 July. In that letter Mr Lamb says that the Committee would be interested in a debate on several areas, including:
1.29In the the Government states that the future relationship should include areas of cooperation that sit outside of the two core partnerships (Economic and Security Partnerships), but which are still of vital importance to the UK and the EU. It calls these areas of “Cross-Cutting Cooperation” and they would include the protection of personal data. The Government says that this would ensure that the future relationship “facilitates the continued free flow of data to support business activity and security collaboration and maximises certainty for business”. It envisages that data protection would for the most part, fall under the overarching institutional framework set out in the White Paper but acknowledges that some chapters of an agreement on the Economic and Security Partnerships and Cross-Cutting Cooperation would “sit outside” of that framework with their “own government arrangements where this made sense”.
1.30In chapter 3 on “Cross-Cutting Cooperation, the Government addresses the “continued exchange and protection of personal data”. It states:
“The UK believes that the EU’s adequacy framework provides the right starting point for the arrangements the UK and the EU should agree on data protection but wants to go beyond the framework in two key respects:
a. on stability and transparency, it would benefit the UK and the EU, as well as businesses and individuals, to have a clear, transparent framework to facilitate dialogue, minimise the risk of disruption to data flows and support a stable relationship between the UK and the EU to protect the personal data of UK and EU citizens across Europe; and
b. on regulatory cooperation, it would be in the UK’s and the EU’s mutual interest to have close cooperation and joined up enforcement action between the UK’s Information Commissioner’s Office (ICO) and EU Data Protection Authorities”.
1.31It adds: “The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement [our emphasis] is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue”.
1.32Further on in Section 3.2.2 of the White Paper the Government adds: “…the future UK-EU arrangements on data protection should provide for ongoing cooperation between the ICO and EU data protection authorities”, noting that currently under the GDPR, this is achieved through the ICO’s participation in the One Stop Shop mechanism. It cites in support the Communication (document (a)) as evidence of the Commission’s commitment to cooperating with key international partners.
(a) Communication from the Commission to the European Parliament and the Council on Exchanging and Protecting Personal Data in a Globalised World: (38493), , COM(17)7; (b) EU proposal for provisions on cross-border data flows and protection of personal data and privacy: (40020), —.
1 Either at 29 March 2019 if there is a non-negotiated exit, or 31 December 2020 if the draft Withdrawal Agreement is adopted and ratified and there is a transition/implementation period.
2 Thirty-fourth Report HC 71–xxxii (2016–17), (8 March 2017).
3 See the Commission on adequacy decisions.
4 Article 45 General Data Protection Regulation
5 For further explanation, see the Commission
6 See Article 45(5) General Data Protection Regulation
7 To date, the Commission has adopted 12 Adequacy Decisions under the previous 1995 Data Protection Directive with: Andorra, Argentina, Canada (for transfers to commercial organisations who are subject to the Canadian Personal Information Protection and Electronic Documents (PIPED) Act), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, and the US (for certified companies). All are subject to routine review.
8 The Commission has adopted three sets of model clauses which are available on the Commission’s website:
9 Legally binding data protection rules approved by the competent data protection authority which apply within a corporate group.
10 Together with binding and enforceable commitments of the controller or processor in the third country
11 In that paper entitled “The exchange and protection of personal data—A Future Partnership Paper—August 2017, the Government said that the UK:” …wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal.”
12 Data Protection Technical Note, published 7 June 2018, DEXEU website
13 “The Future Relationship between the United Kingdom and the European Union”, published 12 July 2018, DEXEU website
14 In the White Paper, the Government says: “The UK is ready to begin preliminary discussions on an adequacy assessment so that a data protection agreement is in place by the end of the implementation period at the latest, to provide the earliest possible reassurance that data flows can continue”.
15 This enables businesses to only have to deal with one single supervisory authority under the GDPR in relation to cross-border data issues.
16 See for example “Brexit: the EU data protection package”, Third Report of Session 2017–19, , HL Paper 7, Summary of conclusions and recommendations, paragraph 2.
17 Oral Evidence Session, 9 May 2018, “The progress of the UK negotiations on UK withdrawal, HC 372,
18 The Government says at paragraph 94 of the White Paper: ”The UK believes that the EU’s adequacy framework provides the right starting point for these arrangements but wants to go beyond this to allow ongoing cooperation between data protection authorities”.
19 Cover note from the Commission to “Delegations” of 1 March enclosing a letter from the Commission to the Chair of the DAPIX Working Group in the European Council and appending “Horizontal Provisions for cross-border data flows and for personal data protection”. When these clauses were produced, they were classified as “Limité” but that classification was lifted before our last Report.
20 The horizontal clauses relating to data flows in trade agreements (paragraph 5(iii) above) were appended to a letter from the Commission to the Chair of the Data Working Group (DAPIX) at the European Council dated 9 February 2018.
21 This is explained in the Commission’s Communication itself: “The EU data protection rules cannot be the subject of negotiations in a free trade agreement. While dialogues on data protection and trade negotiations with third countries have to follow separate tracks, an adequacy decision, including a partial or sector-specific one, is the best avenue to build mutual trust, guaranteeing uninhibited flow of personal data, and thus facilitate commercial exchanges involving transfers of personal data to the third country in question. Such decisions can therefore ease trade negotiations or may complement existing trade agreements, thus allowing them to amplify their benefits.”
22 Mr Jones said: “I note that the agreement between Japan and the European Union on the free flow of data has been separated from the free trade agreement. Will the Minister give the House a commitment that we will have the opportunity both to debate the data trade agreement that the EU and Japan wish to negotiate and to explore the opportunities and risks for the UK as part of the Brexit process?” Col 799. In response, the current Minister of State for International Trade (George Hollingbery) said: “It was not possible in putting together this agreement to reach the agreement that we wished to reach on data. The discussion between the two countries on that is still ongoing, and I have no doubt that the matter will come back to the House in due course” Col 799 (continued).
23 This letter of 3 September 2018 from the Minister to Sir William Cash, the Chairman of European Scrutiny Committee should be accessible in due course from this
24 We infer this is because non-EU EEA States are not bound the EU’s Common Commercial Policy.
25 from the former Minister of State for International Trade (Greg Hands) to the Chairman of the European Scrutiny Committee (Sir William Cash) of 12 June 2018
26 Oral evidence taken before the European Union Committee of the House of Lords on 29 August 2018, HL (2017–19), page 9
27 Article 67 provides “Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data:
(a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or
(b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement”.
28 HC Deb, 4 September 2018, cols 50 and 54.
29 We refer the Minister also to the exchange on these issue between the Brexit Secretary and Mr Darren Jones in the oral evidence session before our Committee on Wednesday 5 September: HC763,
30 Politico Pro Morning Tech, 22 August 2018 [Pay Wall].
31 We refer the Minister also to the exchange on these issue between the Brexit Secretary and Mr Darren Jones in the oral evidence session before our Committee on Wednesday 5 September: HC763,
32 General Data Protection Regulation
33 This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Article 3 GDPR “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behaviour as far as their behaviour takes place within the Union.”
34 Oral Evidence Session, 9 May 2018, “The progress of the UK negotiations on UK withdrawal, HC 372,
35 5th Round of Trade Negotiations between the European Union and Indonesia: EU provisions on Cross-border data flows and protection of personal data and privacy in the Digital Trade Title of EU trade agreements, Explanatory note—July 2018.
36 “Each Party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties’ respective safeguards”.
37 See footnote 27, Article 3 GDPR.
38 Proposed Council Decisions authorising EU Member States to sign and ratify a modernised Convention 108 are the subject of chapter xx of this Report: (39866–7).
39 HC 1317, Seventh Report (2017–19), 3 July 2018.
40 Notwithstanding the provisions in Article 1, either Party can apply any data protection or privacy arrangements that it deems necessary to protect fundamental rights, as long as they inform the other Party.
41 Members may be aware that the Committee already has under scrutiny the proposed Council Decisions to authorise the Member State to sign and ratify the Amending Protocol to the Council of Europe’s Convention 108 on personal data protection. See Thirty-fourth Report, HC 301–xxxiii (2017–19), (4 July 2018). The UK ratified the Convention back in 1985 in its own right. The EU is seeking to become a party to the Convention once international organisations can accede as a result of the envisaged changes to be made by the Amending Protocol once it is in force when all Contracting Parties have signed and ratified it. The proposed Council decision on signature was adopted on 26 June. But it is not expected that the proposed Council Decision on ratification will be signed until Autumn, when it is hoped the EP’s consent has been obtained. When considering a data adequacy decision for a third country, the Commission is required by the GDPR to take ratification of the Convention into account.
42 See footnote xx
43 See Paragraphs 126.96.36.199. 5 to 9 of the White Paper.
44 Sub-paragraphs 11 and 12.
Published: 18 September 2018