1. The central plank of data protection law in the European Union is the 1995 Data Protection Directive. The Directive was designed to protect personal data stored electronically or in hard copy, but it was adopted in the age of personal computers and dial-up Internet connections in the mid-1990s. In the intervening decades, technology has moved on: both the volume of data stored electronically and cross-border data flows have grown rapidly.
2. Internet traffic across borders increased 18-fold from 2005 to 2012. This trend is consistent with the wide range of routine activities that now require cross-border data flows, from the sharing of personal data on social networking sites like Facebook, to online shopping from companies like Amazon, to cloud-based computing, which allows individuals and businesses to store data remotely and to access it from any location.
3. The ability to move data across borders has also become central to trade. About half of all trade in services is enabled by digital technologies and the associated data flows. The UK is a leading exporter of services globally, second only to the US, with services accounting for 44% of the UK’s total global exports. Cross-border data flows in and out of the UK increased 28-fold between 2005 and 2015 and are expected to grow another five times by 2021. Three-quarters of the UK’s cross-border data flows are with EU countries.
4. The effectiveness of the EU’s data protection regime (and indeed that of other jurisdictions) relies on legal controls over cross-border transfers, to prevent EU rules being circumvented when personal data is transferred to jurisdictions with less stringent regulation. In practice, the application of such controls can present a non-tariff barrier to trade—which also helps to explain why the 1995 Data Protection Directive was adopted under a Single Market legal base. For the same reason, some trade agreements, such as the Trans-Pacific Partnership Agreement (TPP), seek to impose limits on the restrictions on cross-border data transfers that signatories can provide for in their national laws.
5. Police and judicial cooperation across national borders also relies on cross-border flows of data. Successive UK Governments have chosen to participate in a range of EU platforms and agreements facilitating data-sharing among EU law enforcement agencies, such as the Second Generation Schengen Information System (SIS II), the European Criminal Records Information System (ECRIS) and the Prüm Decisions, as well as the databases maintained by EU agencies such as Europol and Eurojust. Access to the information and intelligence currently sourced through these channels is vital for UK law enforcement, but relies on shared standards of data protection. These have hitherto been set out in a 2008 Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, and in the individual legal instruments enabling and regulating specific areas of cooperation.
6. In this report, we examine the overhaul of the European Union’s data protection standards enacted in 2016, including the adoption of new instruments that will replace the 1995 Data Protection Directive and the 2008 Council Framework Decision. These two instruments will come into force in May 2018, while the UK is still a member of the European Union.
7. When the UK leaves the EU, it will cease to be bound by the EU’s data protection laws. But there is no prospect of a clean break: the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK. Even after an initial transfer has taken place, EU rules may apply when the personal data of EU residents is processed in the UK. And the data protection agreements that the EU has reached with third countries like the US will cease to apply to the UK, raising the issue of whether those agreements can or should be renegotiated independently. Our report therefore considers the implications of the UK’s exit from the EU for cross-border data transfers and for UK data protection policy more generally.
8. This report arises from our routine scrutiny of EU legislative proposals, but also forms part of the coordinated series of Brexit-themed inquiries launched by the European Union Committee and its six Sub-Committees following the referendum on 23 June 2016, which aim to shed light on the main issues likely to arise in negotiations on the UK’s exit from, and future partnership with, the European Union. It draws on a series of evidence sessions that the Sub-Committee held between 1 February and 15 March. The Sub-Committee was stood down with the dissolution of Parliament in advance of the June 2017 General Election. These inquiries, though short, are an opportunity to explore and inform wider debate on the major opportunities and risks that Brexit presents to the UK. This report will also have a bearing on any domestic legislative proposals on data protection that the new Government may introduce in the coming session of Parliament in order to implement the GDPR and the PCJ Directive and pave the way for the UK’s post-Brexit data protection regime.
9. The reform of the EU’s data protection framework is continuing: related measures, such as the draft e-Privacy Regulation and the draft Regulation on processing of personal data by the EU institutions, are currently under negotiation. The scope of our report does not extend to these proposals, which are still under scrutiny by this Committee and by the European Scrutiny Committee in the House of Commons.
10. We make this report to the House for debate.
1 Directive 95/46/EC on the protection of individuals with regard to the protection of personal data and on the free movement of such data (, 23 November 1995, pp 31-50)
2 CISCO Systems, Cross Border Data Flows, Digital Innovation, and Economic Growth, The Global Information Technology Report 2016 (July 2016): [accessed 11 July 2017]
3 Frontier Economics, The UK Digital Sectors After Brexit (January 2017): [accessed 11 July 2017]
4 The USA exported 15.6% of the world’s services in 2015, while the UK exported 7.1%. HSBC and Oxford Economics, Unlocking the growth potential of services trade (2016), p.6: (see footnotes 11 and 12 of Trade in Services report) [accessed 11 July 2017]
5 Frontier Economics, The UK Digital Sectors After Brexit (January 2017): [accessed 11 July 2017]
6 Article 100a, Treaty Establishing the European Community (, 31 August 1992, p 32)
7 See TPP, Article 14.11: [accessed 05 July 2017]. The TPP has been signed but not ratified. The US withdrew from the agreement on 23 January 2017.
8 The UK’s participation in EU legislation on Justice and Home Affairs (JHA) is principally governed by Protocols 19 and 21, Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU) (, consolidated version of 26 October 2012, pp 1-390) which allow the UK to opt in (Protocol 21) or opt out (Protocol 19) of JHA and Schengen measures.
9 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (, 30 December 2008, pp 60-71). See also our report on (7th Report, Session 2016–17, HL Paper 77). See for example Chapters III to V of the 2009 Europol Decision.
10 Proposal for a Regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communication), and Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No. 45/2001 and Decision No 1247/2002/EC,