Documents considered by the Committee on 12 September 2018 Contents

30Data Protection and the EU institutions

Committee’s assessment

Legally important

Committee’s decision

Cleared from scrutiny; further information requested

Document details

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies, repealing Regulation (EC) No 45/2001 and Decision 1247/2002/EC

Legal base

Article 16(2) TFEU; ordinary legislative procedure; QMV


Culture, Media and Sport

Document Number

(38446), 5034/17, COM (17) 8

Summary and Committee’s conclusions

30.1The General Data Protection Regulation (GDPR) adopted in 2016 applies rules on the processing and free movement of personal data to Member States and data controllers/processors within the EU. It will be directly applicable in Member States from 25 May 2018. It is an important piece of EU legislation for facilitating the Digital Single Market. It will also update the EU’s 1995 data protection rules in line with technological developments, strengthen online privacy rights and address divergent implementation by Member States. The Government has already legislated to comply with the GDPR when it passed the Data Protection Act 2018 earlier this year.

30.2The purpose of this proposed Regulation is to adapt the new GDPR rules to EU institutions, agencies and other bodies. The proposal is a recast of the current Regulation (EC) 45/2001 applicable to the EC/EU institutions, agencies and other bodies which is based on the rules in the 1995 Data Protection Directive.

30.3As the obligations in this proposal are imposed on data controllers and processors in EU bodies, the previous Government broadly assessed any impact on the UK to be minimal (excluding UK-based external processors used by the EU). However, it intended to ensure that, where possible, the same obligations and protections are applied to EU institutions as under the GDPR.

30.4The Commission’s intention was that the proposal would take effect at the same time as the GDPR. In other words, as a directly applicable Regulation it should apply to the UK from 25 May 2018, in advance of Brexit. However, despite the agreement of a general approach on 8 June 2017, trilogues then stalled due to some “controversial amendments” from the European Parliament (EP). These concerned the inclusion of Eurojust and Europol and the CSDP within the scope of the Regulation.

30.5In a letter dated 21 August, the Minister for Digital and the Creative Industries (Margot James) reports that due to the strong link between this proposal and the GDPR, there had been an increasing sense of urgency to reach a final agreement on the text before the GDPR came into effect on 25 May 2018. Nevertheless it was still unexpected that at the trilogue talks on 16 May the Presidency and the EU Parliament Rapporteur managed to resolve most of the outstanding issues and produced a compromise text.

30.6On 21 May, the Government was informed that a compromise text would be examined at the COREPER meeting on 23 May, where it received clearance. The finalised text was agreed at the COREPER meeting on 6 June. The text will not be formally adopted until it has finished the lawyer-linguist and European Parliament plenary process and then will be put forward for discussion at a forthcoming Council.

30.7The Minister tells us that the UK abstained from voting at the meeting on 6 June as the file had not cleared Parliamentary scrutiny. She proposes to write further, setting out an agreed government position in time for the next Council meeting.

30.8We are now content to clear the proposed Regulation to enable the Government to support final adoption if it so chooses. This is on pragmatic grounds as the substance of this proposal, which is largely follows the General Data Protection Regulation (“GDPR”), has now been agreed between the Council and European Parliament following trilogues. It is also in UK interests that the EU institutions are made subject, as quickly as possible, to equivalent standards of data protection to those now being required at national level by the GDPR. However, we would still welcome the Minister’s further update and ask that when she does write to us, she highlights important changes in the compromise text agreed in June, providing us with a copy. For instance, did it include European Parliament amendments to bring Eurojust, Europol and the CSDP within its scope?

Full details of the documents

Proposal for a Regulation on data protection rules applicable to EU institutions, bodies, offices and agencies, repealing Regulation (EC) No 45/2001 and Decision 1247/2002/EC: (38446), 5034/17, COM(17) 8.

Previous Committee Reports

Sixteenth Report HC 301–xvi (2017–19), chapter 3 (28 February 2018);First Report, HC 301–i (2017–19), chapter 12 (21 November 2017); Thirty-first Report HC 71–xxix (2016–17), chapter 5 (8 February 2017).

Published: 18 September 2018