17.The Government recognised the importance of data in its January 2017 White Paper,32 and on 24 August 2017 published a future partnership paper on data which called for a model of exchanging and protecting personal data including:
18.In her Mansion House speech, the Prime Minister listed data protection as the fourth of five foundations that should underpin the future trading relationship, repeated that the UK had “exceptionally high standards of data protection” and emphasised that the UK wanted to “secure an agreement with the EU that provides the stability and confidence for EU and UK business and individuals”. She said:
That is why we will be seeking more than just an adequacy arrangement and want to see an appropriate ongoing role for the UK’s Information Commissioner’s Office. This will ensure UK businesses are effectively represented under the EU’s new ‘One-stop shop’ mechanism for resolving data protection disputes.34
19.On 23 May 2018, the UK Government published a set of slides on data protection. These set out a vision for a deep and special partnership with two core parts: an economic partnership (beyond any existing free trade agreement) and a security partnership. These would “sit alongside cross-cutting areas such as data protection.” It recognised that without an agreement on data, there would be risks to trade, consumers and public services, and to citizens’ security.35 The UK proposal said that while the “standard adequacy approach” is an effective way of ensuring a free flow of data from the EU to third countries, it “would not enable national data protection authorities to cooperate as effectively”.36 Therefore, the new model would “build on a statutory adequacy arrangement” and include:
It did not refer to the earlier proposal to “mutually recognise” each other’s data protection framework, or the request to agree a negotiating timeline for the longer-term arrangements.37
20.On 6 June 2018, the UK Government published a Technical Note on the benefits of a new data protection agreement. This repeated the argument that a “legally binding data protection agreement” between the EU and the UK will bring benefits around legal certainty, cooperation on enforcement and investigations, cost savings and efficient processes for EU businesses, and EU regulator access to the ICO’s resource and expertise. The paper said:
These are benefits that a standard Adequacy Decision cannot provide.38
Furthermore, it said:
An agreement will not affect the EU’s ability to change its own data protection legislation, nor the EU’s decision-making autonomy. The UK is not seeking decision-making power over future EU laws, has no intention to impede EU policy-making in data protection, and respects the fact that certain EU bodies are subject to CJEU jurisdiction.39
21.The UK Technical Note said that “a legally binding agreement would give a level of certainty and stability that an Adequacy Decision would not” and referred to the “uncertainty and disrupted data flows” that occurred when the Schrems case led to the EU-US Safe Harbour Agreement being struck down. In oral evidence to this Committee, the Secretary of State for Exiting the EU referred to the impact of the Schrems arrangements as a measure of how important it was to ensure an agreement on data.40
22.The UK Technical Note also drew attention to a Commission Communication, of January 2017, on the exchange of data with third countries, that said
The Commission will […] develop international cooperation mechanisms with key international partners to facilitate effective enforcement.41
23.The European Council Guidelines for the negotiations on the future UK-EU relationship, published on 23 March 2018, said:
14. In the light of the importance of data flows in several components of the future relationship, it should include rules on data. As regards personal data, protection should be governed by Union rules on adequacy with a view to ensuring a level of protection essentially equivalent to that of the Union.42
24.On 1 March 2018, in a speech in Brussels, Michel Barnier reiterated that the UK decision to leave the Single Market and the Customs Union, means the UK would leave the EU common supervision and enforcement structures, which would require the UK to make “a number of difficult but necessary choices.” He stated that if
the UK wants to regain its decision-making autonomy. We respect this, as the UK should respect our own decision-making autonomy.
Mr Barnier used the example of personal data to illustrate his point:
In the Single Market, we have a modern and very detailed regulatory framework that allows for the “free movement” of personal data. This facilitates the collection and exchange of such data. It also provides for supervisory mechanisms, overseen by the Court of Justice of the European Union.
The UK is going to leave this regulatory framework. In the future, the transfer of personal data from the EU to the UK will be subject to strict rules. These rules are designed to protect a fundamental right.
Allow me to be precise on this point. The transfer of personal data to the UK will only be possible if the UK provides adequate safeguards. One example to ensure that adequate safeguards are in place is an “EU adequacy decision”. This is an autonomous EU decision. There can be no system of “mutual recognition” of standards when it comes to the exchange and protection of such data.43
25.On 26 May 2018, Mr Barnier gave a speech in Lisbon in which he referred to a paper published by the UK earlier that week,44 which included the proposal for the UK’s Information Commissioner to remain on the European Data Protection Board, for the UK to remain in the ‘One-stop shop’, and that this would be in the interest of EU businesses. He said
It will especially run counter to the interests of our businesses if we abandon our decision-making autonomy. […] we cannot, and will not, share this decision-making autonomy with a third country, including a former Member State who does not want to be part of the same legal ecosystem as us.
26.The UK proposal is for a legally binding data protection agreement between the EU and the UK, and we heard supportive evidence for this approach. James Mullock said a treaty “is preferable to a decision,” and that “ a treaty is the ultimate standard to aim for”.46 He added that securing an agreement on data as an international treaty would:
add a layer of protection in terms of what European courts could do or not do if they felt that the level of adequacy was sufficient or insufficient.47
27.Elizabeth Denham also told us that “a bespoke agreement or a treaty is preferable”. She said:
the bespoke agreement or the treaty that is more of a mutual arrangement and not a one-way review is the better option, because, again, the Government have to protect the rights of UK citizens when their data is collected in the EU.48
28.This contrasts with an adequacy decision from the Commission, which would be a one-way decision judging whether data protection in the UK was essentially equivalent to that in the EU, and declared adequate according to the Commission, and according to the Council.49 Stephen Hurley, BT, said that there is a mutual interest in the EU awarding the UK an adequacy decision as
the flows in data [go] in both directions. I understand from the UK perspective 75% of our data flows are with the EU [and] From a BT perspective there is definitely an interest in having the mutual side of it and I would imagine that is replicated in many businesses across the EU.50
Elizabeth Denham said:
The point the Government are making and the point that all of the witnesses today are making is that the UK could strive for something more appropriate, which better reflects the integration of our economies and the integration of our security and policing initiatives. That would be a bespoke agreement or a treaty that sits alongside a trade agreement.51
29.Giles Derrington said that while the Commission still had the negotiating position that it expected any relationship to be maintained on the basis of an EU adequacy decision, he thought there was “a better understanding at Member State level” of the consequences for their businesses that operate in the UK, if the UK was in a regulatory framework separate from that of the EU. He said
our assessment is that individual countries are probably more willing to enter into a bigger negotiation than purely adequacy at the moment. […] At the Commission level there is still the idea, “We have an adequacy agreement”, and certainly in the current context of negotiation that is where they are.52
He hoped that the Commission would shift, for reasons of both business and security. But ultimately, he said:
the fall-back is just to get an adequacy agreement, because that is the thing that fundamentally breaks data from flowing.53
30.The UK’s proposals accept that the EU will need to assess the adequacy of the UK data regime. The UK is asking for this to be on the basis of a two-way agreement—rather than solely a one-way decision of the European Commission—and in the form of an international agreement—a Treaty. The UK should provide more information on the distinction between the procedure for an adequacy decision and the procedure that it expects both parties to go through to secure an international agreement on data.
31.The EU negotiating guidelines on the future relationship provide that data protection should be governed by EU rules on adequacy. The public statements from Michel Barnier have consistently said that the EU will not share its regulatory autonomy with a third country. The UK has said it does not wish to interfere with the EU’s decision-making autonomy and respects the fact that certain EU bodies are subject to CJEU jurisdiction. The EU appears to consider the UK proposals to be an attempt to retain influence on the EU regulatory regime from the position of a third country. The UK should accept, to increase the prospects of securing the Prime Minister’s objectives of continuing membership by the Information Commissioner on the European Data Protection Board and representation under the European One-stop shop, that the CJEU will continue to have jurisdiction over aspects of data protection law in the UK after exiting the EU.
32.The UK argues that an international agreement on data would allow additional matters to be taken into account beyond those set out by the EU adequacy procedure. It would enable discussion as to the role of the Information Commissioner and the UK’s participation in the One-stop shop.54 Asked whether it would be unprecedented for a regulator from a non-Member State to participate in the European data regulatory forum, Elizabeth Denham said:
There are ways to be an observer at the European Data Protection Board, but unless a role for the ICO was negotiated through a bespoke agreement or a treaty there is no way in law at present that we could participate in the One-stop shop, which would bring huge advantages to both sides, and also to British businesses.55
Article 68 (3) of the GDPR outlines the membership of the European Data Protection Board as being composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives. It does not refer to the EEA Agreement countries of Norway, Iceland or Liechtenstein.56
33.Stephen Hurley, BT, said the ICO had “a strong voice around the table of the European Data Protection Board” and if the UK was outside the One-stop shop mechanism,
BT itself will have to look elsewhere within the EU for an ICO equivalent, essentially, to have that role and be our lead regulator in the EU, which again is another burden that we frankly want to avoid.57
Mr Hurley also raised doubt as to whether the Information Commissioner’s role on the European Data Protection Board would continue during transition.58
34.The GDPR introduces the concept of the “One-stop shop”, creating a role of lead data protection authority in a Member State, which would regulate the GDPR in that state. The UK Technical Note said of the One-stop shop:
in the case of a major data breach in the UK affecting EU personal data, the One-stop shop would allow a straightforward process, allowing a much simpler way for EU regulators to work with the ICO. The ICO would provide UK expertise and proximity, and would conduct a fuller, more effective and quicker investigation than an EU regulator could. A standard Adequacy Decision would not deliver this.59
35.Elizabeth Denham described continued participation in the One-stop shop as being “really advantageous to business”.60 Giles Derrington said the UK’s participation in the One-stop shop would be “necessary for businesses to have true confidence that they will be able to continue and that in the long term the alignment works and can function correctly.”61
36.The EU have said that, as a third country, the UK cannot have continued participation on the European Data Protection Board or One-stop shop. No non-EU states are represented on the European Data Protection Board; and while non-EU EEA countries such as Norway are within the internal market on data they do not participate on the European Data Protection Board. The EU wishes to retain its decision-making autonomy, and the UK may be put in a position where it does not have a role in helping to frame future EU wide rules on data.
37.As things currently stand, UK businesses will be outside the provisions of the new One-stop shop, a coordination mechanism designed to reduce cost and bureaucracy to businesses across the EU.
38.In her Florence speech, the Prime Minister said her proposal for future co-operation in areas of security, law enforcement and criminal justice co-operation “is underpinned by high standards of data protection.”62 And in her Munich Speech, the Prime Minister said:
People across Europe are safer because of this [practical co-operation, data driven law enforcement and co-operation with EU agencies] co-operation and unique arrangements we have developed between the UK and EU institutions in recent years.63
In its partnership paper on Data protection, the UK Government said:
The EU and UK need to continue to cooperate on the secure and timely exchange of personal data between law enforcement agencies to protect our citizens.
39.The UK has opted in to several EU wide data sharing mechanisms, such as the Schengen Information System II (SIS II) which issues alerts for missing and wanted individuals, the Prüm arrangements allowing for checking databases on DNA, fingerprints and vehicle registrations, and the European Criminal Records Information Service (ECRIS) which enables data on criminal convictions to be exchanged.64 The UK future partnership paper on security, law enforcement and criminal justice, referred to the value of systems for real-time, or very rapid, data exchange. It also referred to the value of multilateral cooperation between Europol and Eurojust.65
40.There are different arrangements for accessing EU wide law enforcement databases. The SIS II database is operational in 26 Member States and four non-EU Schengen countries (Norway, Iceland, Liechtenstein and Switzerland.) ECRIS is only available to EU Member States.66 Europol can transfer personal data to a third country if there is an adequacy decision or if there is an international agreement between Europol and the third country including adequate safeguards on privacy and fundamental rights.67 The UK partnership paper on security, law enforcement and criminal justice pointed out that “A number of third countries, including the US and Australia, have agreements with the EU on the protection of PNR” and that two non-EU countries—Norway and Iceland—have agreements to participate in Prum.68 (We note that both Norway and Iceland are in Schengen.) The EU and the US have an agreement, called the EU-US Umbrella Agreement, which, taking account of the Schrems decision, establishes a framework for the protection of personal data and law enforcement. It does not provide for the lawful authority to transfer data from the EU to the US.69
41.The UK proposal stated that existing precedents for EU third country data exchange were not the right starting point for the UK-EU partnership. The UK proposal said the ambition should be to construct a model that enables operational capabilities between the UK and the EU and its Member States, and
is underpinned by shared principles, including a high standard of data protection and the safeguarding of human rights
At the same time, it said the UK will no longer be subject to direct jurisdiction of the CJEU”.70
42.The Law Enforcement Directive—which the UK has implemented in the Data Protection Act—allows for data to be shared between EU Member States and third countries if they can ensure an adequate level of protection.71 Data transfer for commercial reasons and law enforcement reasons are not necessarily discrete, so the UK would need an adequacy agreement in addition to any provision in place to exchange data for policing and security reasons.72
43.The content of the UK proposal is unprecedented for an EU third country arrangement on data and there are no existing models for third country data exchange covering the degree of data sharing in criminal justice that the UK is seeking. The UK would need an adequacy decision to be able to engage in data sharing for law enforcement purposes. It would also have to accept the jurisdiction of the CJEU. It is not in the interests of the people and governments of Europe for there to be a reduction in cooperation in respect of policing and law enforcement. We urge both sets of negotiators to find a way to secure continued high level cooperation on this incredibly important and sensitive matter.
44.In 2016, the CJEU ruled that the indiscriminate retention of electronic communications without further safeguards, including independent judicial authorisation, breached EU law, including the Charter.73 It is possible that there will be continuing concerns about the UK’s data retention and bulk powers in the Investigatory Powers Act.74 In 2017, following a request from the European Parliament, the CJEU found the EU-Canada Passenger Name Record Agreement to not be compliant with EU law, citing the EU Charter on Fundamental Rights, and the bulk transfer of sensitive data.75 Following a claim by a single individual, the EU-US Safe Harbour framework was declared invalid as it could not prevent the US intelligence agencies accessing personal data transferred from Europe.76
45.When asked about the approach of Member States to the UK’s investigatory powers legislation, Fredrick Erixon told us that there are several Governments in the EU that will raise concerns about data protection in the UK and “especially the use of mass surveillance techniques.” He said that Germany, in particular, has had problems with the UK in a similar fashion that it had with the US at the start of the TTIP negotiations following the NSA spying scandal.77 He pointed out that if the Member States took the standard for data protection that it wanted to apply to the US, and applied it against other Member States in the EU, then there would be
complications for data transfer and data portability inside the EU, simply because what the UK, France and some other Governments in Europe have done is pretty much similar to what existed in America.78
He said that while European Governments “did not make a strong legal point of that” at the time, but “it may be that they are going to press on this issue now.” He pointed out that this could lead to the UK being judged to a higher standard on data protection to receive an adequacy decision than it would have been as a Member State.79 As a Member State, the UK can rely upon exemptions in the Law Enforcement Directive on national security grounds.80
46.In her Mansion House speech, the Prime Minister acknowledged that after the UK has “left the jurisdiction of the ECJ, EU law and the decisions of the ECJ will continue to affect us.” And to illustrate the point, said
For a start, the ECJ determines whether agreements the EU has struck are legal under the EU’s own law—as the US found when the ECJ declared the Safe Harbour Framework for data sharing invalid.81
An EU-UK data agreement could be referred to the CJEU, and there is a risk that this could delay ratification and implementation of the agreement.82 Giles Derrington, techUK, acknowledged “we would expect there to be a challenge ultimately.”83
47.There is a high chance of a legal challenge to any proposed UK-EU data international agreement. A legal challenge could create regulatory gaps and uncertainty for business.
48.The Government has expressed a willingness to protect data exchanged before the end of the transition period, and it to be “essentially equivalent” to the level of protection in the EU.84 The various institutions involved in the adequacy process would be assessing the state of UK law “at the point of Brexit”.85 James Mullock of Bird & Bird told us that, based on previous examples, adequacy decisions generally take about two years.86 The techUK report No Interruptions said that “In normal circumstances, [the] adequacy process can take between three to five years” with “the quickest assessment completed in eighteen months” which was for Argentina.87 James Mullock said the EU-US Privacy Shield decision took about one year.88
49.Our witnesses thought the timetable for adequacy could be shortened if the UK carried out preparatory work in advance, such as anticipating the difficult questions that the UK would be asked. Elizabeth Denham said:
We have a good story to tell when it comes to adequacy, but work could begin before that time, so that the UK is ready to have those more difficult discussions about national security, intelligence services and data. We have seen those discussions play out in the Privacy Shield assessment.89
Stephen Hurley, from BT, said that however the Government chose to proceed, for business planning purposes the concern was the risk “of a gap at some point in the process because of the time it takes”, and that at the end of transition “there may be some period of months or possibly longer where there is no adequacy decision in place”.90 At a previous evidence session in the City of London, Huw Evans, Director General, of the Association of British Insurers, told the Committee:
The agreement on the transition allows enough time to negotiate an adequacy agreement that could then come into force at the point the transition period ends. It is vital it does. Nobody knows how you would possibly manage any form of gap. Data transfers are absolutely central to how all our businesses work and how individuals and businesses are served.91
50.The techUK No Interruptions report said:
there is no provision for the European Commission to determine the adequacy of the UK as a third country while the UK remains a Member State, there is also no clear prohibition on doing so […] Thus there would appear to be arguments allowing an adequacy assessment for the UK to begin now.92
51.The UK should accept the provisions in Title 7 of the draft Withdrawal Agreement providing assurance about the future protection of personal data already in the UK at the time of withdrawal. Following the passage of the Data Protection Act, the UK’s data protection law will be aligned with EU law on the day the UK leaves the EU. As a result, the UK will be in a very strong position when it seeks a declaration of essentially equivalent data protection. However, it is seeking an unprecedented agreement which will be subject to negotiation. The UK Government should be preparing for the adequacy process and ensuring that there is no risk of a gap in legal provision for transferring data between the UK and the EU after December 2020. This would have serious implications for businesses and consumers on both sides. The UK Government needs to establish with the Commission whether it is possible for the adequacy process to be initiated before the UK leaves the EU and, if so, to initiate the process without delay. It needs to provide concrete assurances that data will be able to flow between the UK and the EU after December 2020 on the same terms as now. Beyond this, the UK should explore the possibility of negotiating a bespoke agreement with the EU allowing much closer cooperation in data protection and data sharing which once achieved could replace the third party arrangements conferred by a simple adequacy decision.
41 European Commission, Communication from the Commission to the European Parliament and the Council, Exchanging and Protecting Personal data in Globalised World, 10 January 2017
54 Q1578, Q1582
56 Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
58 Q1567. See Article 6(c) and Article 123(5) of the Withdrawal Agreement
64 UK Government, Framework for the UK-EU partnership: Data protection, May 2018
65 UK Government, Security, law enforcement and criminal justice, future partnership paper, 18 September 2017 See evidence from the National Crime Agency to the Home Affairs Committee PSC0009
66 Oral evidence to the Home Affairs Committee, 6 December 2016, Q29
67 Europol Regulation (EU) 2016/794 Article 25
68 UK Government, Security, law enforcement and criminal justice, future partnership paper, 18 September 2017
70 UK Government, Security, law enforcement and criminal justice, future partnership paper, 18 September 2017
72 Q1594, Q1570
73 C698/15. The Court of Appeal applied the CJEU judgment to the issues in proceedings and found section of DRIPA 2014 to be incompatible with EU law.
75 House of Commons Library, Brexit: implications for national security, 31 March 2017; Home Affairs Committee, UK-EU security cooperation after Brexit, HC 635
76 Computer Weekly, Max Schrems welcomes ECJ ruling that Safe Harbour is invalid, 6 October 2015
80 Home Affairs Committee, UK-EU security cooperation after Brexit, HC 635, para 95, Law Enforcement Directive 2016/680;
82 Qq1610–1611. Home Affairs Committee, UK-EU security cooperation after Brexit, HC 635, para 105 Article 218(11) TFEU 11 states “A Member State, the European Parliament, the Council or the Commission may obtain the opinion of the Court of Justice as to whether an agreement envisaged is compatible with the Treaties. Where the opinion of the Court is adverse, the agreement envisaged may not enter into force unless it is amended or the Treaties are revised.”
88 Qq1570–1571. See also Oral evidence to the Home Affairs Committee 5 December 2017 Q110
Published: 3 July 2018