Brexit: the EU data protection package

Chapter 2: The EU data protection package

Background

11. Individuals’ right to protection of their personal data is enshrined in Article 8 of the EU’s Charter of Fundamental Rights, which became legally binding on the EU institutions and on Member States with the entry into force of the Lisbon Treaty on 1 December 2009. Article 16 of the Treaty on the Functioning of the European Union (TFEU) provides a specific legal basis for adopting data protection rules with regard to the processing of personal data “by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law,” and for adopting rules “relating to the free movement of such data.”

Box 1: Article 8 of the Charter of Fundamental Rights of the European Union

Article 8: Protection of personal data

Everyone has the right to the protection of personal data concerning him or her.

Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

Compliance with these rules shall be subject to control by an independent authority.

Source: Charter of the Fundamental Rights of the European Union (OJ C 326/391, 26 October 2012, pp 391–407)

12. In January 2012, the European Commission published proposals for a new legislative framework for data protection within the EU—consisting of a draft Regulation to replace the 1995 Data Protection Directive,11 and a draft Directive to replace the 2008 Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.12 These proposals came to the EU Home Affairs Sub-Committee for examination in the course of our scrutiny of draft EU legislation.

13. After four years of negotiations among Member States and the EU institutions, the proposals for a new General Data Protection Regulation (“GDPR”) and a Police and Criminal Justice Directive (“PCJ Directive”, also known as the “Law Enforcement Directive”) were adopted by the Council of Ministers and the European Parliament in April 2016. They are due to come into effect in EU Member States in May 2018.13 The Regulation will have direct effect, that is to say it will apply to all EU Member States from May 2018 without requiring transposition into national legislation. The Directive requires transposition into national law. The Government has said it will bring forward legislation in the current parliamentary session in order to amend and repeal provisions in the UK’s 1998 Data Protection Act—the Act that transposed the original 1995 Data Protection Directive—as required.14

14. The GDPR and the PCJ Directive recast data protection standards within the EU. But in response to events—principally the October 2015 ruling of the Court of Justice of the European Union in the Schrems case15 about the onward transfer of personal data from the EU to the United States under Safe Harbour, and Edward Snowden’s revelations about surveillance of personal data by intelligence services in the US and some of their allies—the EU also concluded two new agreements with the United States last year, in order to address concerns about the fate of personal data transferred from the EU to the US.

15. These new agreements are the EU-US Privacy Shield, which provides a new framework for transatlantic data transfers to replace Safe Harbour, and the EU-US Umbrella Agreement, which establishes a framework of data protection principles and safeguards for personal data transferred between the EU and the US for criminal law enforcement purposes. The Commission Implementing Decision on the adequacy of the protection provided by the EU-US Privacy Shield, and the Council Decisions on signature and conclusion of the EU-US Umbrella Agreement, were subject to our routine scrutiny of draft EU legislation, although in both cases the Government’s handling of the parliamentary scrutiny process left much to be desired.16

16. Upon leaving the EU, the UK will become a ‘third country’ for the purpose of EU data protection rules, and all four measures—the General Data Protection Regulation, the Police and Criminal Justice Directive, the EU-US Privacy Shield and the EU-US Umbrella Agreement—will cease to apply to the UK. In the remainder of this chapter, we briefly outline the contents of each of the four new measures adopted last year, then turn to the legal implications of Brexit for the UK’s data protection arrangements.

The General Data Protection Regulation

17. The General Data Protection Regulation updates the basic rules and principles enshrined in the 1995 Data Protection Directive, which it will supersede. It sets out the responsibilities of individuals and organisations who manage personal data (“controllers”) and those who process data on controllers’ behalf (“processors”), as well as the rights of individuals whose personal data is held or processed (“data subjects”).

18. The scope of the Regulation specifically excludes activities that fall outside the scope of European Union law, such as national security, and it does not extend to the processing of personal data for criminal law enforcement purposes, which will instead be subject to the new Police and Criminal Justice Directive. The handling of personal data by the EU institutions and agencies is also regulated separately, by instruments that are themselves in the process of being recast.17

19. The European Commission says that the GDPR “will enable people to better control their personal data”, and that “modernised and unified rules will allow businesses to make the most of the opportunities of the Digital Single Market.”18 In the latter respect, the main change is in the nature of the legal instrument, replacing a Directive with a Regulation, and thereby providing for a greater degree of harmonisation across the Member States.

20. The Regulation introduces a broader definition of personal data.19 It makes clear that personal data includes online identifiers and location data—putting beyond doubt that IP addresses, mobile device IDs and the like are personal data and must be protected as such. It also introduces the concept of pseudonymous data (personal data that has been subjected to technological measures such as encryption so that it no longer directly identifies the individual) and provides definitions of genetic data and biometric data, which are added to the existing categories of ‘sensitive’ personal data, and subject to more stringent controls.

21. The GDPR includes new provisions on:

22. The Regulation also seeks to enhance the rights of data subjects with new provisions on:

23. The provisions highlighted above are only a sub-set of the provisions to be found in the GDPR—comprehensive overviews and legal commentary are readily available elsewhere.25

24. In evidence to our short inquiry, witnesses drew various aspects of the new Regulation to our attention. Ruth Boardman, joint head of the International Privacy and Data Protection Group at Bird & Bird, told us that because the Regulation builds on existing law, “about two-thirds” of the new Regulation “feels very familiar; all the key principles about fairness, transparency, data accuracy and security are there.” She highlighted two “key changes”, namely that the Regulation “imposes specific obligations on organisations to take certain steps to ensure that they comply by design rather than by accident”, and that in a number of areas, the Regulation tries to “tip things in favour of the individual to make it easier for them to enforce their rights.”26

25. TechUK drew to our attention the “new, much broader definition of what is personal data” in the new Regulation, meaning that “a huge amount of … data will be subject to the GDPR.” They warned that “many companies and organisations have not yet fully grasped the broader definition that sits in the GDPR.”27

26. Despite having registered “serious concerns”28 about the draft Regulation during negotiations on the text, the Government now regards the GDPR as a “good piece of legislation in and of itself”, thanks to “some significant negotiating success during its development.”29 It offers this as one of two reasons why it plans to implement the GDPR “in full.”30

27. We asked our witnesses about the resource implications of complying with the GDPR. Matt Hancock MP, Minister of State for Digital, assured us that inside Government, “we are fully resourced to deliver the GDPR.” Outside Government, the requirements brought in by the new Regulation “are consistent with best practice for handling data anyway.” The Minister predicted that:

“Companies that handle data appropriately, have good cybersecurity arrangements and respect the privacy of their customers and those whose data they hold should not find this much of a burden, but it will require some companies that do not have best practice to come up to speed.”31

28. That view was echoed by others. Elizabeth Denham, the Information Commissioner, told us that the impact on businesses “depends on how much work they have done to comply with the current regime.” She noted that Parliament passed the Data Protection Act in 1998, and that although the GDPR will introduce higher standards, “they are evolved standards … if a company has not been doing anything for the last 10 years on data protection … the resource implications are going to be larger.”32 Stewart Room, Partner, PricewaterhouseCoopers, Global Cyber Security and Data Protection Legal Services Leader and UK Data Protection Leader, suggested that although there were “significant capital and resource costs” associated with getting ready for the GDPR, “part of the issue to understand is the extent to which organisations will be spending this money to improve themselves to a new standard, or to catch up on things that they should have been doing under the Data Protection Act 1998 and that they have failed to do.”33 For example:

“Many organisations, in a technical sense, are retaining electronic data that may not be lawful under the UK’s current regime. The GDPR causes them to focus on the subject afresh and they discover a data lake that needs to be drained, so that capital cost is incurred. Arguably, they are incurring that capital cost because they have not worked on the Data Protection Act, not because the GDPR is requiring anything new.”34

29. Mr Room did, however, highlight the position of small to medium enterprises, warning that while large multinationals could procure professional services support to help them understand how things should be done, “that is not necessarily the same for every organisation in the economy.” He identified space for a “strong regulator”, suggesting that if the regulator could “create guidance, to-do kits and toolkits, it will reduce the resource load on small businesses.”35

30. Rosemary Jay, Senior Consultant Attorney at Hunton & Williams, emphasised that there were some things in the Regulation that “are not catch-up and are going to be new”, such as the security breach notification requirement. But she argued that given the importance of cybersecurity, “one might say that it is a resource that businesses should be looking at.” She contrasted the security breach notification requirement with other new aspects of the Regulation, such as “the internal record-keeping requirements and some of the details of the notice requirements, which are heavier than one might have liked”, and which she considered “more of regret.”36

31. The Information Commissioner also noted that the GDPR will remove the requirement for data controllers to register their data processing with their national regulator. In the UK, data controllers pay a fee to register, which is used to fund the Information Commissioner’s Office. A new mechanism will therefore need to be devised to fund the regulator. Ms Denham told us that “our new fee structure needs to be approved by Parliament, hopefully before 2018, when our notification fees fall off a cliff and we no longer have £22 million in funding.”37

The Police and Criminal Justice Directive

32. The Police and Criminal Justice Directive updates the basic rules and principles enshrined in the 2008 Council Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, which it will supersede.38 The 2008 Council Framework Decision is one of the 35 pre-Lisbon police and criminal justice measures that the UK chose to re-join in December 2014, following the exercise of the UK’s block opt-out from pre-Lisbon police and criminal justice measures under Protocol 36 of the TFEU. The 2008 Framework Decision was transposed into UK law by the Criminal Justice and Data Protection (Protocol No.36) Regulations 2014.39

33. The 2008 Framework Decision applies to judicial cooperation in criminal matters and police cooperation. Its scope is limited to the processing of personal data transmitted or made available between Member States. The 2014 Regulations reflect this scope, applying to cross-border data processing, but not to processing activities by police and judicial authorities at a national level.

34. By contrast, the new PCJ Directive is intended to cover both cross-border and domestic processing of personal data “within the scope of EU law.” The Commission justified this on the grounds that the limited scope of application of the 2008 Framework Decision was “liable to create difficulties for police and other competent authorities [who] are not always able to easily distinguish between purely domestic and cross-border processing or to foresee whether certain personal data may become the object of a cross-border exchange at a later stage.”40 As a result of the UK opt-in arrangements under Protocol 21 TFEU, and notably Article 6a of that Protocol, the Directive only applies to the UK where processing is carried out pursuant to an EU police or judicial cooperation measure in which the UK participates.41

35. The text of the new Directive states that it will not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law, referring explicitly to activities concerning national security.42 The processing of personal data by Member States when carrying out activities that fall within scope of Chapter 2 of Title V of the Treaty on European Union (on the Common Foreign and Security Policy) is also outside the scope of the Directive, as is processing of data by the EU institutions and agencies.43

36. The European Commission says that the PCJ Directive “will ensure that the data of victims, witnesses, and suspects of crimes, are duly protected in the context of a criminal investigation or a law enforcement action.” It anticipates that “more harmonised laws will also facilitate cross-border cooperation of police or prosecutors to combat crime and terrorism more effectively across Europe.”44

37. Changes introduced by the PCJ Directive include:

38. In evidence to our short inquiry, Professor Valsamis Mitsilegas, Professor of European Criminal Law at Queen Mary University of London, emphasised that:

“In practice, the rights and principles in the Regulation and the Directive are the same—for example, the principle of purpose limitation or the right of access to personal data. However, the law enforcement measures contain more exceptions, to take into account the needs of law enforcement. They give national authorities greater discretion to limit the rights of individuals in certain circumstances.”45

39. He also drew attention to the nature of the legal instrument chosen, comparing it to the GDPR, which is “one size fits all across the EU Member States.” By contrast, the Directive “gives Member States breathing space: they have to implement it, taking into account their national particularities. In the field of criminal justice, this is very important.”46

40. Rosemary Jay of Hunton and Williams highlighted “a big difference in practical application” between the Regulation and the Directive, noting that the new European Data Protection Board will have “significant authority” in enforcing the GDPR, but a lesser “advisory role” to promote consistency in relation to the Directive.47

41. As for the burden of implementation, Professor Mitsilegas told us he did not “see any huge burden coming forward”, as “the police should have been following what is in the Directive anyway.”48

The EU-US Privacy Shield

42. The 1995 Data Protection Directive provides that personal data can only be transferred to third countries if the third country in question can ensure an adequate level of protection. It provides for the Commission to adopt an ‘adequacy decision’ in order to certify that a third country can provide that standard of protection. The practical effect of an adequacy decision is that cross-border data transfers can take place without any further safeguards.

43. Under the provisions of the 1995 Directive, the Commission’s adequacy decisions are subject to scrutiny by a working party composed of the representatives of national Data Protection Authorities (the Article 29 Working Party) and to approval by representatives of the Member States (the Article 31 Committee) before they can be adopted by the College of Commissioners.

44. In 2000 the Commission adopted an adequacy decision in respect of the ‘Safe Harbour’ framework for transferring personal data from the EU to the US. That framework had been established by the US Department of Commerce in consultation with the Commission. In 2013, the protection provided by the Safe Harbour framework—and by extension, the Commission’s adequacy decision in respect of it—was cast into doubt when Edward Snowden revealed details of the United States’ PRISM surveillance programme.

45. Privacy campaigner Max Schrems asked the Irish Data Protection Commission to audit what material Facebook might be passing on to the US authorities. The case reached the Court of Justice of the European Union (CJEU). The Court interpreted the requirement for a third country to provide an adequate level of protection to mean a level of protection “essentially equivalent” to that guaranteed within the EU under the 1995 Directive.49 The unlimited access to data by US security agencies and the limited means of redress led the Court to conclude that this standard was not met by the Safe Harbour framework. In October 2015 the CJEU declared the Commission’s adequacy decision in respect of Safe Harbour invalid.

46. The Court’s decision made all international transfers under the Safe Harbour framework unlawful, leading to an immediate period of legal uncertainty for companies using Safe Harbour. It also prompted further, related legal challenges by privacy campaigners, casting longer-term doubt over the legal basis for transfers of personal data from the EU to the US and, more broadly, from the EU to third countries.50

47. In February 2016 the European Union and the United States reached agreement on a new framework for transatlantic data transfers to replace Safe Harbour, the so-called ‘Privacy Shield’. In order for data transfers to take place under the new framework, the Commission needed to adopt a new adequacy decision in respect of the Privacy Shield, which it did in July 2016. Prior to the formal adoption of the adequacy decision by the College of Commissioners, the UK had voted in favour of the draft adequacy decision at the Article 31 Committee meeting on 8 July.51

48. In order to join the Privacy Shield framework, US-based companies are required to self-certify to the US Department of Commerce and publicly commit to comply with the framework’s requirements. While joining the Privacy Shield is voluntary, once an eligible company makes the public commitment to comply with the framework’s requirements, the commitment becomes enforceable under US law.

49. The key components of the Privacy Shield framework, which superseded Safe Harbour, are:

50. The Privacy Shield will undergo a first annual review by the European Commission this year. Separate from this requirement, the Article 29 Working Party suggested in April 2016 that a review “must be undertaken shortly after the entry into application of the General Data Protection Regulation.”52 Under the GDPR, the general prohibition on transfers of personal data outside the EU to jurisdictions which do not provide an adequate level of protection is maintained. Adequacy decisions adopted by the Commission under the 1995 Directive remain in force “until amended, replaced or repealed.” The adequacy decision on the Privacy Shield is therefore preserved, and the Regulation gives the Commission the power to make new adequacy decisions in respect of countries, sectors, territories and international organisations.

51. It is important to note that transfers of personal data outside the EU can be made in the absence of an adequacy decision, but require appropriate alternative legal safeguards, such as legally binding agreements between public bodies, model contract clauses, binding corporate rules, codes of conduct, or approved certification mechanisms.

52. This point was emphasised by Stewart Room of PricewaterhouseCoopers, who noted that only 1,700 multinationals have adopted the Privacy Shield. He told us that it was “not the default choice for US-headquartered multinationals to move data from Europe to the States. If they are using anything else, they are using the Model Contractual Clauses … Privacy Shield is still a fringe mechanism in the corporate environment.”53

53. Rosemary Jay of Hunton & Williams qualified this by highlighting the volume of data handled by the major US suppliers of cloud storage: “Companies such as Hewlett-Packard, Google and Microsoft are all privacy-shielded. Those are big data flows.”54 The Information Commissioner also told us that, while 1,800 US companies have signed up to use the Shield, “there are many, many more in the pipeline”, and that she had heard, “especially from small and medium-sized business, that this is the preferred fundamental mechanism for transferring data, because it is broader and more comprehensive than the standard contractual clauses.”55

54. As for EU companies, Antony Walker, Deputy CEO of TechUK, told us that the Privacy Shield was “disproportionately important for the UK within the European Union”:

“As a member of the European Union, the UK has a particularly strong relationship with the US both in terms of UK trade with the US and with the UK being a destination for foreign direct investment into the EU from the US. Compared to other EU Member States, the UK has a higher proportion of US firms that are based and located in the UK and, partly by nature of geographical position, a lot of the data transfers between the US and the EU emanate from the UK.”56

55. Despite the scale of UK-US data transfers, the Information Commissioner told us that her office “does not record the number or types of UK data controllers who use the Privacy Shield.”57

56. While the speed with which the Privacy Shield was negotiated, in the words of Professor Mitsilegas, “testifies to the importance of this for both sides”,58 he also noted that it “came out of the previous Administration in the US.” Antony Walker warned that “we do not yet really know what the view of the new US administration is on it.”59

57. Adding to uncertainty over the future of the Privacy Shield are the legal challenges launched against it. Mr Hancock told us he had been notified of two challenges to the Commission’s adequacy decision in respect of the Privacy Shield, one led by Digital Rights Ireland, and another by La Quadrature du Net and Others. The Government had applied to intervene on the Digital Rights Ireland challenge in support of the Commission, and was “content that it is legal and that the challenges will not succeed.” The Minister added that the Government would consider whether to intervene in the second case, “in support of the Commission and in defence of the agreements that have been reached. We think that the agreements that have been reached are very good.”60

The EU-US Umbrella Agreement

58. In May 2016 the Council adopted a Decision permitting the EU to sign an international agreement with the United States on the transfer of data for criminal law enforcement purposes (the ‘Umbrella Agreement’). The Agreement was signed in December 2016, after the European Parliament had given its consent, and entered into force in the EU on 1 February 2017.61 The Agreement establishes a comprehensive framework of data protection principles and safeguards that are to apply when personal data (for example names, addresses, criminal records) is transferred between the EU (or its Member States) and the United States, “in relation to the prevention, investigation, detection or prosecution of criminal offences, including terrorism.”62 The Agreement’s twin objectives are to ensure a high level of protection of personal data and to enhance law enforcement cooperation between the EU and the US.

59. The Umbrella Agreement does not itself authorise the transfer of personal data to the US. Rather, it sets out the overarching data protection principles and standards which should apply to existing and future data transfer agreements between the US and the EU or between the US and individual Member States for criminal law enforcement purposes. The Agreement therefore supplements existing agreements to the extent that they lack the necessary data protection safeguards. For example, it will apply to data transfers under existing agreements such as the EU-US Mutual Legal Assistance Treaty, and to existing agreements providing for the transfer of personal data by private entities for law enforcement purposes, such as the EU-US Passenger Name Records Agreement and the Terrorist Finance Tracking Programme.

60. Data transfers for national security purposes are exempt from the scope of the Umbrella Agreement. In the UK, personal data transfers to overseas partners for national security purposes are governed by the Intelligence Services Act 1994 and the Security Service Act 1989. Data transfers to third countries outside the EEA are governed by exemptions in the ministerial certificates granted to the security and intelligence agencies under section 28(2) of the Data Protection Act 1998. The Investigatory Powers Act 2016 also provides safeguards that apply when relevant material is disclosed to other countries.63

61. The UK’s opt-in arrangements under Protocol 21 TFEU, and notably Article 6a of that Protocol, mean that the Umbrella Agreement only applies to the UK where data transfers take place under an EU agreement in which the UK participates. For example, the UK does not participate in the EU-US Mutual Legal Assistance and Extradition Agreements, and so is not bound by the terms of the Umbrella Agreement in relation to them. But it is bound by the Umbrella Agreement in respect of EU-US agreements in which it does participate, such as the EU-US Passenger Name Records Agreement. The Government’s position is that the Umbrella Agreement does not cover information exchanged between the UK and the US under UK-US agreements, such as the UK-US Mutual Legal Assistance Treaty.64

62. Key features of the Umbrella Agreement include:

63. Less than a month after the Umbrella Agreement was initialled in September 2015, the CJEU ruled on the Schrems case. The European Data Protection Supervisor issued an opinion highlighting the CJEU’s decision in Schrems and identifying three improvements to the text of the Umbrella Agreement that he deemed essential to ensure compliance with the Charter of Fundamental Rights and Article 16 TFEU in light of that ruling. These were, first, clarification that all the safeguards in the agreement apply to all individuals, not only to EU nationals; second, ensuring judicial redress provisions are effective within the meaning of the Charter; and third, clarification that transfers of sensitive data in bulk are not authorised. These changes were not made, as the Council took the view that the Umbrella Agreement was lawful as it stood. The Minister told us he “was and is content with this Council position.”65

64. The Information Commissioner described the Umbrella Agreement as “a high-level set of principles that tries to create a level playing field for all the agreements and activities that come under it.” It tries to “raise the standard of protection but to allow and facilitate appropriate data flows.”66

65. Professor Mitsilegas told us that the “main advance” achieved by the Umbrella Agreement was “bringing EU law to the existing EU-US Mutual Legal Assistance Agreement.” He noted that that agreement was concluded shortly after 9/11, and contained an Article (Article 9) “which says that generic differences in the data protection systems of the US and the EU should not prevent the exchange of personal data. The umbrella agreement takes it a step forward, because the United States had to provide a series of further safeguards in order for this transfer to take place.”67

Implications of Brexit for the UK’s data protection arrangements

66.Upon leaving the EU, the UK will become a ‘third country’ under EU data protection rules, and will cease to be bound by EU law, including the four instruments described above.

67.The Government has said it will implement both the GDPR and the PCJ Directive in full.68 It will need to bring forward legislation to transpose the requirements of the PCJ Directive into UK law. The Queen’s Speech outlined “a new law” on data protection and “proposals for a new digital charter.”69 The Government has also said, as a general principle, that “the same rules and laws will apply on the day after exit as on the day before.”70 Notwithstanding this, the UK’s data protection framework will need to be reviewed before exit in order to identify provisions that are contingent on EU membership. Those provisions would need to be amended or replaced as part of the Repeal Bill, or through dedicated legislation enacted before the date of withdrawal in order to ensure that the domestic statute book in this area is exit-proofed and can stand alone.

68.After the date of withdrawal, UK data controllers that wish to continue receiving personal data transferred from the EU71 will have to demonstrate that they provide an adequate level of protection of personal data under Article 44 of the GDPR. In principle, this could be achieved in one of two ways:

(a)either the UK will need to show it has data protection laws in place that are of an equivalent standard to those in the GDPR, and aim to have those recognised by the European Commission as offering adequate protection for personal data. That is, the Government would seek to obtain an adequacy decision from the European Commission under the provision in the GDPR;

(b)or individual data controllers and processors in the UK will have to adopt their own safeguards to demonstrate that they can offer adequate protection to personal data transferred out of the EU, using the tools permitted by the GDPR, such as Standard Contract Clauses and Binding Corporate Rules.

69.Most third countries rely on the second of these options, because they have not obtained an adequacy decision from the European Commission. The Commission has thus far issued adequacy decisions under the 1995 Directive only in respect of Andorra, Argentina, the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. In addition, Canada has a partial adequacy decision (in respect of commercial organisations only), and the US has an adequacy decision in respect of the Privacy Shield, such that organisations certified under the Shield need demonstrate no further safeguards in order to receive personal data from the EU.

70. The adequacy decisions described above (based on the 1995 Directive) do not cover data exchanges in the law enforcement sector. For personal data that is subject to the Police and Criminal Justice Directive, two options would in principle be available:

(a) either the UK will need to show it has data protection laws in place which meet equivalent standards to those in the Police and Criminal Justice Directive, and have those recognised by the Commission as offering adequate protection under Article 36 of the PCJ Directive. That is, the Government would seek to obtain an adequacy decision from the European Commission under the provision in the PCJ Directive;

(b) or the exporting data controllers and processors in the police and criminal justice sector in the EU will need permission to make transfers under Article 35(1)(c) of the PCJ Directive and/or appropriate safeguards will need to be offered by the recipient UK authority. Article 37 of the PCJ Directive sets out what safeguards are permissible.

71. We asked witnesses what the default position would be, as a matter of law, for data transfers from the EU to the UK were the UK to leave the EU without having made alternative arrangements governing UK-EU data transfers. Stewart Room of PricewaterhouseCoopers said:

“At the moment, most countries in the world do not have an adequacy decision … yet they are able to receive personal data from Europe. A range of mechanisms can be deployed or utilised to maintain the flow of data from Europe to third countries that do not have an adequacy decision … The default position is that the UK would have to rely upon these other mechanisms to maintain the movement of data from Europe into our country.”72

72. The Information Commissioner also noted that “there are measures other than adequacy that allow data to continue flowing.” For example, “companies can rely on Standard Contractual Clauses, Binding Corporate Rules, and the consent of individuals. These are all legal measures to allow and provide for the transfer of data. They are just more difficult than having an adequacy finding so that data can flow.”73

73. Professor Mitsilegas warned that in the law enforcement field, the fall-back position was “less clear.” He therefore advocated seeking a Commission adequacy decision as a means of providing certainty, “including to the law enforcement authorities of the remaining EU Member States.”74

74. Withdrawal from the EU also has legal implications for the UK’s place on relevant institutions. Ruth Boardman of Bird & Bird pointed out that once the UK is no longer a member of the EU, it will no longer be able to participate in the formal institutions that regulate data protection within the EU.75 The Information Commissioner warned that the Information Commissioner’s Office (ICO) was set to lose its place on the new European Data Protection Board and its oversight role in respect of EU institutions and agencies. Ms Denham told us: “If we leave Europol and the other arrangements and we become a third country … the impact is that the ICO—the UK’s regulator—will not have an oversight role when it comes to investigating and reviewing the very sensitive data, which could be UK citizens’ data, involved in those cooperative arrangements.”76 She also noted that once the UK ceases to be an EU Member State, the ICO’s relationship with the EDPB “will necessarily change”, even though the decisions of the EDPB will continue to affect UK businesses providing services to European citizens.77

75. The Minister, Mr Hancock, refused to be drawn on the default position, as a matter of law, were the UK to leave the EU without having made alternative arrangements. He emphasised that the Government would be seeking “unhindered data flows” between the UK and the EU after Brexit, and that it was “confident of being able to achieve that.”78 He did, however, express “hope that on D+1 life will continue much as on D-1, because we have taken the decision domestically to bring the GDPR into UK law.”79 As regards data transfers for law enforcement purposes, Baroness Williams of Trafford, the Minister of State at the Home Office, also refused to be drawn on the default position, noting instead that the UK’s laws will be “compatible with those of the EU on the day we leave” and that the Government is “determining how best to maintain that ability to share the day after we leave the EU.”80

76. In the next chapter, we consider the policy options available to the Government to manage the transition to a new, post-Brexit data protection regime.


11 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23 November 1995, pp 31–50)

12 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350/60, 30 December 2008, pp 60–71)

13 Regulation 2016/679 EU on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC; and Directive 2016/680 EU on the protection of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119/1, 4 May 2016, pp 1–88)

16 Q 8, see also European Union Committee, Report on 2016–17 (1st Report, Session 2017–19, HL Paper 3) paras 82 and 86.

17 The current Regulation is Regulation 45/2001/EC, which adapted the rules in the original 1995 Data Protection Directive to the EU institutions (OJ L 008, 12 January 2001, pp 1–22). It was supplemented by Decision 1247/2002/EC (OJ L 183, 12 July 2002, pp 1–2). A proposed new Regulation (Council No 5034/17) will repeal and replace both those measures in order to bring the rules governing EU institutions into line with the GDPR and the proposed reform of Directive 2002/58/EC (the so-called “e-Privacy Directive”) (OJ L 201, 31 July 2002, pp 37–47).

18 European Commission, ‘Agreement on Commission’s EU data protection reform will boost Digital Single Market’ (IP/15/6321), 15 December 2015: http://europa.eu/rapid/press-release_IP-15-6321_en.htm [accessed 11 July 2017]

19 Article 4 (1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119/1, 4 May 2016, pp 1–88)

20 European Commission Fact Sheet, ‘Questions and Answers - Data Protection Reform’, MEMO/15/6385, 21 December 2015: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm [accessed 11 July 2017]

21 Written evidence from the UK Information Commissioner (DPP0001)

22 Rosemary Jay, Guide to the General Data Protection Regulation, 1st Edition (London: Sweet and Maxwell, 2017)

23 Google Spain SL and Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014) Case C-131/12: http://curia.europa.eu/juris/document/document.jsf?text=&docid=152065&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=521255

24 European Union Committee, EU Data Protection law: a ‘right to be forgotten’? (2nd Report, Session 2014–15, HL Paper 40)

25 See for example DLA Piper, ‘A guide to the General Data Protection Regulation’ (December 2016): https://www.dlapiper.com/en/uk/insights/publications/2016/12/a-guide-to-the-general-data-protection-regulation/ [accessed 11 July 2017]; Bird & Bird, ‘Guide to the General Data Protection Regulation’ (May 201): https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en [accessed 11 July 2017]; Rosemary Jay, Guide to the General Data Protection Regulation, 1st Edition (London: Sweet and Maxwell, 2017)

28 Written Statement HCWS126, Session 2015–16

38 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350/60, 30 December 2008, pp 60–71)

39 The UK also re-joined Council Framework Decision 2006/960/JHA of 18 December 2006 on simplifying the exchange of information and intelligence between law enforcement authorities (OJ L 386/89, 13 December 2006, pp 89–100), which was also transposed by the 2014 Regulations.

40 Explanatory Memorandum for a Proposal for a Directive of The European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM(2012) 10

42 Article 2(3)(a), Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119/89, 4 May 2016, pp 89–131)

43 See footnote 13 above.

44 European Commission, Agreement on Commission’s EU data protection reform will boost Digital Single Market, 15 December 2015: http://europa.eu/rapid/press-release_IP-15-6321_en.htm [accessed 11 July 2017]

49 Maximillian Schrems v Data Protection Commissioner (2015) Case C-362/14

50 For example, the Irish Data Protection Commissioner has commenced proceedings in the Irish High Court seeking a referral to the Court of Justice of the European Union on the adequacy of Model Contract Clauses, which can be used as an alternative to transfers under an adequacy decision. This is the so-called Schrems II case.

51 Letter from Rt Hon. Matt Hancock MP, Minister of State for Digital to Lord Boswell of Aynho, Chairman of the European Union Select Committee, 25 November 2016: http://www.parliament.uk/documents/lords-committees/eu-home-affairs-subcommittee/Matt%20Hancock%20Letter.pdf.

52 Article 29 Data Protection Working Party, Opinion 01/2016 on the EU-US Privacy Shield draft adequacy decision, 13 April 2016: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2016/wp238_en.pdf [accessed 12 July 2017]

62 Article 1, Agreement between the United States of America and the European Union on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences (OJ L 336/3, 10 December 2016, pp 3–13)

63 Letter from the Minister of State for Digital and Culture to Lord Boswell of Aynho, 21 September 2016: http://www.parliament.uk/documents/lords-committees/eu-home-affairs-subcommittee/data-protection/dcms-lb-21-9-16.pdf

65 Letter from the Minister of State for Digital to Lord Boswell of Aynho, 19 December 2016: http://www.parliament.uk/documents/lords-committees/eu-home-affairs-subcommittee/data-protection/dcms-lb-19-12-16.pdf

68 Q 2 and Q 55

69 Cabinet Office, ‘Queen’s Speech 2017’ (21 June 2017): https://www.gov.uk/government/speeches/queens-speech-2017 [accessed 11 July 2017]

70 Department for Exiting the European Union, Legislating for the United Kingdom’s withdrawal from the European Union, Cm 9446, March 2017, p.5: https://www.gov.uk/government/publications/the-great-repeal-bill-white-paper/legislating-for-the-united-kingdoms-withdrawal-from-the-european-union [accessed 12 July 2017]

71 Technically the EU plus the three EEA countries that are not members of the EU: Norway, Liechtenstein and Iceland.

77 Q 26 and written evidence from the UK Information Commissioner (DPP0001)

78 Q 1 and 2

© Parliamentary copyright 2017