Brexit: the EU data protection package Contents

Chapter 4: UK data protection policy after Brexit

Room for manoeuvre on UK data protection policy after Brexit

117.Even if the UK’s data protection regime is aligned with the EU regime to the maximum extent possible when the UK leaves the EU, there is the prospect that over time the EU will amend or update its rules, not least as the GDPR and the PCJ Directive both mandate reviews by the Commission every four years. The UK will be free to choose whether to align itself with any changes in EU law, but failure to do so could have consequences for the UK’s ‘adequacy’ status (assuming such a status has been secured). The same considerations may apply in choosing whether to follow the EU’s lead in recognising third countries or international organisations as providing adequate protection for the transfer of personal data, or in repealing or suspending such recognition.

‘White Space’ in the GDPR

118.The Information Commissioner told us:

“If the Government decide to proceed and obtain an adequacy finding for the UK as a third country, that will limit how much manoeuvre we have. We will have to keep our laws up to an equivalent standard, which will be assessed every three or four years. There will be some constraints around that.”159

119.She emphasised, however, that in the meantime the GDPR itself had “a lot of white space” in it: “There is still a lot of room for manoeuvre so that domestic authorities can carve out and make the laws they want.” The Information Commissioner cited the UK’s ability to make decisions at a domestic level “on children and age of consent and on balancing freedom of expression and the role of the media with data protection.”160

120.Stewart Room of PricewaterhouseCoopers also drew attention to “white space” within the GDPR, which would allow the UK to develop policy within the overall framework of the Regulation. Mr Room told us that “most of the things that businesses and other organisations will have to do operationally … are not yet described in the GDPR … they will have to come from somewhere. The primary source will be via regulatory guidance, for instance.” He concluded that there was “very significant space inside the GDPR framework for the United Kingdom to develop its positions for day-to-day operationalisation of this subject matter”, and suggested that “if the UK fills that white space via a strong regulator and industry bodies, we can have a data protection framework that in practical terms has been designed by the UK.”161

121.Rosemary Jay of Hunton & Williams highlighted what she saw as “scope within the GDPR framework for us to continue focusing on those things—for example, medical research—where we have huge resources and capacity, and to continue leading the way in areas such as fraud assessment and prevention.”162 She noted that there were “quite wide exemptions for research”, which would offer leeway to maintain support for medical research in oncology, for example, where the UK was already world-leading.163

122.Some of the ‘white space’ in the GDPR will be filled in by EU institutions, rather than Member States. The Information Commissioner noted that the Regulation contains many trigger terms such as ‘high-risk’, ‘large scale’, and ‘systematic,’ and that until the new European Data Protection Board and the courts start interpreting these terms “it is not clear what the GDPR will look like in practice.”164

Regulatory Divergence

123.The Minister, Matt Hancock MP, noted that “if the rest of the European Union, once we had left, chose to change its data rules, we would have to decide whether to change ours to mirror them—because there are advantages to being the same as the European system—or whether to maintain a slightly different system.” He anticipated that the UK would have to “make that decision at the time, according to what the changes are”, and that while “there is the potential to make the GDPR easier to comply with or more flexible … we would want to do that only consistent with maintaining unhindered data flows.”165

124.The Minister drew a parallel with the UK’s relationship with other major economies: “If the US changes its data rules now, the EU—and, in future, we and the EU—has to think about whether to update its own rules.” He predicted that the UK would need “a set of global relationships, rather than relationships only at a European level”, and emphasised that “the UK domestic government will be able to decide the changes that we make domestically, given everybody else’s position.”166

125.Antony Walker of TechUK argued that “the best thing for the UK economy and for UK citizens is to stay closely harmonised with European law.” He conceded that “over time, areas might emerge where it makes sense to diverge”, but argued that “we would have to make a very careful analysis of the pros and cons of diverging and, if the impact of diverging meant that an adequacy agreement would not be possible or would no longer be valid, you would have to question very carefully whether that was the right thing to do.”167

126.Ruth Boardman of Bird & Bird accepted that the GDPR was “not perfect”, and highlighted “opportunities to alter things and do things better in the medium term”, but warned that trying to do so in the short term could be “hugely unsettling; it stops you planning, you have too much change and it risks impacting on adequacy.”168

127.Mr Room told us that it was “plainly in the interests of our economy, if we want to trade with Europe, to be on the same platform. If we do not, we run the risk of a judicial decision by the Court of Justice [of the European Union] that prevents the flow of data into our country from Europe. That will have a serious impact.”169 Rosemary Jay of Hunton & Williams also focused on the UK’s trading relationships:

“If we wanted to carve out a different place in the world, have different trading partners and not focus on trade with Europe and the US, we could do what we wanted. It is not absolutely inevitable. We can pass whatever data protection law we want, but in consequence it would be extremely difficult to have a finding of adequacy or to build the equivalent of a Privacy Shield.”170

128.Antony Walker of TechUK emphasised that global companies would want to put in place “a single set of processes”:

“If you are running global operation, you will want to have consistent processes across your businesses. What we are seeing is that global firms based outside of the EU are taking the GDPR as the norm for their business and are building their processes around it, so, for very large companies, there is no desire to diverge from the GDPR—the opposite, because they worry about falling between the gaps.”

An important factor in this respect, Mr Walker suggested, was the introduction of “very significant new fines” in the GDPR.171 He concluded that overall, “businesses would like to see a settled regulatory framework”, and that “stability is good …This is the constant message that we get back from our members, large and small.”172

129.As for future evolution, Mr Walker predicted there would be constraints on the UK’s ability to innovate with regulation in this area: “We can try to be at the forefront of thinking about how things need to change, but we would need to bring the rest of the European Union with us, and it is not clear to me exactly how we would do that.” He stressed that “we have to remember the size of the UK market versus the size of the European market”, which meant that “we will have to do that very much in partnership with the European Union, rather than simply boldly striking out by ourselves and hoping others will follow.”173

130.Mr Room emphasised the importance of the UK having a “practical influence, with an embassy or whatever it might be” in Brussels, and “a strong regulator, so we do not allow ourselves to diverge in such a way that people can attack the UK’s adequacy.”174 Mr Walker also made the case for a dynamic process of review: “We do not want to see a process of accidental divergence happening as the European Union continues to legislate in areas where the UK does not. There needs to be a process that enables us to carefully track what is happening at a European level and to determine whether or not those changes should be implemented into UK law.”175

131.Ruth Boardman drew particular attention to the EU’s adequacy decisions in respect of third countries and organisations, noting that because the UK will have implemented the GDPR, “we will need a mechanism to judge countries as being adequate”, and arguing that “it would be sensible to allow the UK to follow EU decisions.”176

Reviews of ‘adequacy’

132.Professor Mitsilegas noted the requirement in the GDPR and the PCJ Directive for the Commission to review its adequacy decisions as part of the four-yearly review process. He noted that in the case of Schrems, “the problem was that the Commission [had] made an adequacy decision many, many years ago, and the Court said, ‘How do you know what is going on now? You need to check at regular intervals.” The Commission would in future be “obliged … to check regularly”, and this meant that countries that wanted an adequacy decision needed to prepare for sustained scrutiny of their own data protection framework.177

Privacy vs security

133.Continuing UK alignment with EU data protection laws could come into tension with the Government’s preferred approach to data retention and surveillance for national security purposes. While the UK remains a member of the EU, national security is the sole responsibility of each Member State, as outlined in the TFEU (Article 4.2). However, the boundaries between Member State competence over national security and EU competence over data protection and retention are increasingly being tested before the CJEU.178

134.For example, in the recent Tele 2 and Watson case,179 challenges were brought in Sweden and the UK against domestic legislation that imposed an obligation on communications providers to retain traffic and location data, questioning whether the obligations in question were compatible with EU data protection law. In the UK, the legislation being challenged was the Data Retention and Investigatory Powers Act 2014 (DRIPA), which has since expired and been replaced by the Investigatory Powers Act 2016. The CJEU gave its interpretation of what EU law requires in December 2016.180 It is now for the domestic courts to rule on the lawfulness of the domestic legislation in question. Lady Williams told us that:

“The judicial review proceedings concerning the Data Retention and Investigatory Powers Act 2014—aka DRIPA—have not yet concluded. We are currently waiting on the Court of Appeal’s response to the CJEU December 2016 judgment. However, in the light of the CJEU judgment, and in order to bring an end to the litigation, the Government have accepted to the Court of Appeal that the Act was inconsistent with EU law in two areas.”181

135.Although DRIPA 2014 has expired, the CJEU’s ruling potentially has ramifications for the Investigatory Powers Act 2016, which contains similar provisions. Mr Hancock told us that, notwithstanding the CJEU’s verdict on DRIPA, the Government was “confident that the Investigatory Powers Act [which replaced DRIPA] is consistent with the GDPR.”182

Relevance of UK domestic legislation

136.As we noted in Chapter 2, if the UK were to seek an adequacy decision from the Commission post-Brexit, its data protection standards would be assessed without the benefit of the protection afforded by the national security exemption in the TFEU. Not only would the UK’s law and practice on data retention and surveillance for national security purposes become relevant to any initial assessment of adequacy by the Commission, but any future change in national practice could potentially affect the UK’s adequacy status.

137.Professor Mitsilegas suggested that the UK was “going down this route of increasing collection of and access to bulk data, which is increasingly incompatible with the EU.”183 He predicted that “in the field of security there may be challenges for the UK if EU Member States and the Commission perceive that UK data protection law is of a lower standard than EU law as interpreted by the Court of Justice.”184

138.The Information Commissioner emphasised that the courts were now doing some of the balancing between privacy and public safety or law enforcement, and that the involvement of the courts was “something that governments cannot control.”185 She anticipated that the Court of Appeal’s decision in the Tele2 and Watson case would be “telling” and “important for us to take into account for our domestic law.” Based on recent CJEU judgments, the Commissioner judged that “it seems likely that the UK’s surveillance and data retention regime would be a risk for a positive adequacy finding.” She consequently identified this as “an area of tension … I am hoping it is resolvable.”186

EU perception of UK practice

139.Rosemary Jay of Hunton and Williams noted that in transcripts from the Schrems court hearing, “there is occasionally a flavour to the comments that seems to suggest that Ireland and the UK do not take this as seriously somehow.”187 Professor Mitsilegas suggested there was a “differentiated picture”, with standards on the regulation of private companies perceived as “quite close together”, while in the field of security, “there are concerns about the United Kingdom.”188 He judged that “mass surveillance on the basis of bulk collection of personal data and the transfer of this data to the law enforcement authorities … is a red line for EU law now”, and predicted that “as long as you have domestic law that allows mass surveillance, you will have problems with EU law.” He emphasised that this was “not exactly the same as saying that the UK does not have adequate data protection supervision mechanisms in its own system. It does, but when you have political choices that say that more and more personal data should be collected indiscriminately, this causes problems for EU law.”189

Partial adequacy findings

140.Given the potential tension between the UK’s data retention and surveillance regime and EU data protection law as interpreted by the CJEU, we asked whether this could lead to a partial adequacy finding, with the UK being ruled adequate on commercial data but not on data protection in law enforcement, for example. Rosemary Jay told us that the GDPR had now formalised the concept of a partial adequacy finding, and that “it is possible that there is more flexibility than there has been previously.”190

141.Ruth Boardman, though, predicted that in the case of the UK, an adequacy finding would be “kind of all or nothing, and the reason why it might be nothing would be if there was no political will or if our national security legislation precluded an adequacy decision.”191 The Information Commissioner judged that while “partial adequacy is better than no adequacy”, the best way forward was to have a “unified, harmonised approach across all sectors”, and she therefore advocated a “more assertive” approach, seeking full adequacy.192

UK influence on data protection standards in the EU and beyond

142.We also explored whether and how the UK’s influence on data protection standards in the EU and elsewhere might change as a result of Brexit. Our witnesses emphasised that the UK had already exerted considerable influence on EU regulation, and the Minister, Mr Hancock, told us that “the UK voice remains influential” at the EU level in a range of areas, including data protection.193 The Information Commissioner told us that the UK has been “front and centre” in the development of the GDPR and the PCJ Directive, and that the UK had “a lot to be proud of in our contributions to the protection of personal data.”194

143.Mr Hancock highlighted specific occasions when the UK had been influential, citing recent discussions on data localisation, where the UK “managed to get an overwhelming majority of countries” to oppose the principle of data localisation (rules stipulating that data must be stored locally).195 On data-sharing for law enforcement purposes, he told us that “effective data-sharing with our international partners, both EU and non-EU, will remain a top UK priority”, and set out his expectation that the UK would “play a leading role in that, as we do now.”196 However, Ministers were less clear about precisely how they planned to sustain the UK’s influence after Brexit, beyond stating that “it is in our interests and in those of the EU that … cooperation … continues.”197

144.Antony Walker, Deputy CEO of TechUK, also judged that the UK had promoted its interests effectively. He told us that the UK had been “extremely influential” at the EU level in “establishing the principles and the framework that underpin data protection legislation.”198 His counterparts in Europe and within EU institutions viewed the UK’s input on [data protection] as being “extremely important … I would argue that the UK has been influential in shaping legislation.”199

145.The UK has also been actively engaged in discussions about data-sharing and surveillance for law enforcement purposes. Professor Mitsilegas told us that the UK was “instrumental” in encouraging other Member States to “increase access to personal data by law enforcement authorities”, and had been “very influential” in getting other Member States to expand surveillance.200 He noted that the UK had “advocated strongly” for the Directive on Passenger Name Records,201 and that the Data Retention Directive202 “was a UK initiative.”203 He predicted that “the UK absence from the negotiating table will be a loss for the EU and the other Member States.”204

146.The loss of the UK’s voice raises the possibility that EU data protection regulation could in future tilt towards privacy over security, or become less business-friendly. Professor Mitsilegas said it was “hard to predict the future”,205 but gave the example of the Data Retention Directive, which was pushed for by the UK only for it to be annulled after facing legal challenge from Digital Rights Ireland.206 EU law was “rebalancing itself”, and “different EU institutions are repositioning themselves”, but this did not mean that future EU regulation would necessarily be “pro-privacy.” He noted that Member States would still be likely to increase access to data for law enforcement purposes if they “perceive the population as being under threat.”207 Shona Riach, Europe Director at the Home Office, told us that “in all this debate there is always a balance to be struck between data protection and security, and the exact balancing point varies between Member States and, honestly, between different institutions in different Member States.” She suggested that “recent events in Europe have moved the debate forward”, and that there was movement towards “a recognition” that “security of citizens is of paramount importance.”208

147.Antony Walker suggested the UK could “still be at the forefront of the debate”, but argued that to remain influential the UK Government would need to be “at the forefront of thinking” about how we get the balance right between protection of citizens’ rights and security issues.209 The Information Commissioner agreed that finding the right balance between privacy and security would be “difficult” and “challenging.”210 She noted that following recent terrorist attacks, there was a “deep recognition” among national data protection authorities of the need to balance these two areas.211 She believed the UK had been “very influential” in emphasising that “it is not public safety or privacy, it is public safety and privacy … [it is] not a zero-sum game.”212 But like Professor Mitsilegas, she observed that “the courts are getting involved … more and more”, and that “it is up to the courts to do some of that balancing.”213

The European Data Protection Board

148.The ICO is the UK’s independent data protection regulator (or national supervisory authority) and the main body through which the UK works with EU and other data protection authorities around the world. The ICO regulates both public and private sectors with the aim of safeguarding the privacy and data protection rights of the public and administering relevant laws.214

149.For as long as the UK remains a member of the EU, the UK’s Information Commissioner will automatically be a member of the European Data Protection Board (EDPB) created by the GDPR.215 The EDPB will replace the Article 29 Working Party, on which the national data protection authorities of the 28 EU Member States, the European Data Protection Supervisor (EDPS) and the European Commission are currently represented.216

150.The Information Commissioner predicted that the EDPB will have “a more powerful role” than the Article 29 Working Party, “primarily because a disagreement between supervisory authorities over how to deal with a particular matter can be resolved through a legally binding majority vote”—in contrast to the Article 29 Working Party, which serves as an advisory body.217 The EDPB will “adjudicate between national supervisory authorities over cases/investigations/complaints and will issue independent and binding decisions.”218 The Information Commissioner also drew attention to the EDPB’s new powers to “make decisions about the data processing of companies and organisations that impact on UK citizens”,219 and its role in interpreting ‘trigger terms’ in the GDPR, suggesting that this was “why the ICO has been more active than ever as the Article 29 Working Party transforms into the EDPB.”220

151.Only EU Member States’ national data protection authorities will be members of the EDPB. It follows that once the UK leaves the EU, it will no longer be represented on the EDPB. The Information Commissioner told us that the ICO’s relationship with the EDPB would “necessarily change”,221 and that it would be “very important” for the Government to consider how the ICO could continue to exert influence on the EDPB post-Brexit. She anticipated that the EDPB would “continue to be very influential in setting EU and international data protection standards”, and noted that because of the “extra-territorial reach of the GDPR, the EDPB will have direct effect on UK businesses providing services to European citizens.”222 There was a risk therefore that the UK could find itself “outside, pressing our faces on the glass … without influence and yet have adopted fulsomely the GDPR.”223 She urged the Government to “do anything they can” to ensure that the ICO had “some status, be it observer status” or something similar, on the EDPB.224 Failure to achieve this would be “frustrating for citizens and for Government.”225

Oversight of Europol, Eurojust and EU data-sharing for law enforcement

152.In addition to its role on the EDPB, the ICO, as the national data protection authority of an EU Member State, plays a role in providing oversight of data protection by EU agencies and data-sharing platforms—a role that is also set to end once the UK leaves the EU.

153.Europol’s operations are currently supervised by the Europol Joint Supervisory Body (JSB), which ensures it complies with data protection rules. The Europol JSB draws its membership from the national data protection authorities of the EU Member States, including the Information Commissioner’s Office. Under the Europol Regulation226 the European Data Protection Supervisor—an independent supervisory authority responsible for ensuring that EU institutions and bodies comply with EU data protection law when processing personal data—will take over responsibility from the JSB for the data protection supervision of Europol from 1 May 2017. The EDPS will provide advice on data protection issues to Europol and carry out inspections, as well as investigating complaints from individuals. The new Europol Regulation also sets up a new Cooperation Board comprising the EDPS and Members States’ national supervisory authorities.

154.Eurojust has its own Joint Supervisory Body, established by Article 23 of the Eurojust Decision. The Euorojust JSB monitors Eurojust’s activities where they involve the processing of personal data and ensures they are carried out in accordance with the Eurojust Decision.

155.The Information Commissioner told us that the ICO contributed to the “cooperative oversight” of Europol and Eurojust as well as the Schengen Information System (SIS II), to ensure that privacy and data protection rights of UK citizens “are respected.” 227 She warned that the UK, as a third country post-Brexit, “will not have any oversight role” of any investigations and reviews conducted by the EDPS (or by the EDPS jointly with national supervisory authorities in the Member States) of “very sensitive data”, including potentially the data of UK citizens.228

UK influence on regulation in other jurisdictions

156.Antony Walker judged that it was “an open question” whether the ICO would be able to gain observer or some other type of status on the EDPB post-Brexit, but he believed that the UK would still have “opportunities to influence” the EU by “talking to data protection authorities across Europe.”229 He proposed that such bilateral discussions should focus on the EU’s largest economies, Germany, France, Spain and Italy, as well as “the economies that are at the forefront of digital innovation”, such as the “Scandinavian countries and the Baltic States.”230

157.Mr Walker also emphasised that for the UK to be on the “front foot” in such discussions would require a better funded and “more outward-looking ICO”, able to “engage internationally.”231 He continued:

“The ICO can be a very powerful advocate on an international stage. It can be an advocate for good practice in getting the balance of practical and pragmatic regulation right—regulation that means something and is not just words on a page … the ICO has an extremely important enabling role for business and for citizens, and an important role … to work with our counterparts internationally, and it needs the resources to be able to do that.”232

158.The Information Commissioner told us that her office was “engaging in global enforcement work beyond Europe, to build bridges with other regulators around the world.” She suggested that reaching out beyond Europe was important, “not just because of exiting the EU but because data knows no borders.”233 She noted that the ICO had the “ability in law” to conclude agreements with jurisdictions outside the EU “to cooperate and enforce the law”, and could also cooperate in “an investigation or data breach that involves several jurisdictions.”234

159.Regarding the UK’s global role in influencing data protection standards, the Information Commissioner identified the International Conference of Data Protection and Privacy Commissioners as “a really important forum”, bringing together data protection authorities from around the world.235 She also highlighted the network of Asia Pacific Privacy Authorities (of which the UK is not a member) and Common Thread, a network co-chaired by the UK and comprising Commonwealth member states.236 Through Common Thread, the UK was working with Commonwealth countries to “raise the bar” on data protection laws, and “to work on consistency across the board.”237 When asked if the UK’s influence was likely to change post-Brexit, she told us that while the UK would continue to “be involved” in these global fora, “the one I am worried about is the European Data Protection Board. It will be very influential.”238

160.Stewart Room stressed that data protection issues were “not just a European and UK interest” but a matter of global concern.239 The UK was “at the heart” of the Global Privacy Enforcement Network (GPEN), comprising regulatory authorities around the world including the EU (currently represented by the European Data Protection Supervisor) and the US Federal Trade Commission, and the UK had “led the development” of Common Thread.240 Mr Room told us that these networks and fora “should give us confidence” that the UK would continue to “have influence behind the scenes and potentially at the sharp end of data protection.”241 Mr Room was also “sure” the UK would continue to have influence in Europe post-Brexit, adding that he did “not perceive any sense at all that the UK’s skill and leadership are not valued” in the field of data protection, including in law enforcement.242

Prospect of an international treaty

161.In the longer term, the Information Commissioner told us that “there is now a great desire for more harmonisation and higher standards.”243 She noted that data protection laws were “converging more than they did”, that international fora were “active”, and that there was “much collaboration”, demonstrating that data protection was no longer “a back-room, back-office, backburner issue.”244 Ms Denham predicted that “the end game, five or 10 years from now, probably needs to be an international treaty on data protection … It is on the horizon … that is where we need to go if we recognise the global nature of data flows.”245

162.Antony Walker also saw the appeal of working on data protection at the global level, arguing that driving “a more harmonised approach internationally” would make it “easier for businesses to trade and means that consumers and citizens are confident and clear about the way in which their rights are protected.”246 He told us that, within the technology sector internationally, there was “a striking commonality of view”, and that TechUK was keen to build relationships aimed at developing a “common international understanding across major markets about how we can create the kind of framework that our businesses and our citizens will need going forward.”247

Conclusions and recommendations

163.Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that over time, the EU will amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting.

164.Even if the Government does not pursue full regulatory equivalence in the form of an adequacy decision, the UK will retain an interest in the way the EU’s regulatory framework for data protection develops. There is no prospect of a clean break: the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data.

165.The way that EU institutions such as the new European Data Protection Board and the Court of Justice of the European Union interpret the EU’s data protection laws could also affect the UK, albeit indirectly—as demonstrated by the experience of the United States with Safe Harbour. Any changes to EU data protection laws would potentially alter the standards which the UK would need to meet to maintain an adequate level of protection. The UK could find itself held to a higher standard as a third country than as a Member State, since it will no longer be able to rely on the national security exemption in the TFEU that is currently engaged when the UK’s data retention and surveillance regime is tested before the CJEU.

166.The UK has a track record of influencing EU rules on data protection and retention. Brexit means that it will lose the institutional platform from which it has been able to exert that influence. It is imperative that the Government considers how best to replace those structures and platforms in order to retain UK influence as far as possible. It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.

167.In the longer term, it is conceivable that an international treaty on data protection could emerge as the end product of greater coordination between data protection authorities in the world’s largest markets. The Government’s long-term objective should be to influence the development of any such treaty. Given the relative size of the UK market compared to the EU and US markets, and its alignment with EU rules at the point of exit, the Government will need to work in partnership with the EU to achieve that goal—again underlining the need to adequately replace existing structures for policy coordination.

164 Written evidence from Elizabeth Denham (DPP0001)

170 Q 19. Note in this context that the UK has ratified the Council of Europe Data Protection Convention of 1981 (known as Convention 108) and so any data protection laws passed by the UK would still have to comply with the Convention, which is binding on its signatories.

172 QQ 47 and 53

178 See for example Stefano Melloni v Ministerio Fiscal (2013) C-399/11 and N.S v Secretary of State for the Home Department and M.E and Others v Refugee Applications Commissioner (2011) C-411/10

179 Tele2 Sverige AB v Postoch telestyrelsen (2016) Case C-203/15 and Case C-698/15, R v Secretary of State for the Home Department ex p David Davis MP, Tom Watson MP, Peter Brice and Geoffrey Lewis (2015) EWCA Civ 1185. David Davis MP has had to recuse himself from the legal challenge having been appointed to the UK Government in July 2016.

180 Preliminary Ruling, 21 December 2016: Tele2 Sverige AB v Postoch telestyrelsen (2016) Case C-203/15 and Case C-698/15

189 Q 13. As regards supervision mechanisms within the UK’s own system, see for example Section 227 of the Investigatory Powers Act 2016 provides for the appointment of an Investigatory Powers Commissioner, whose role is to authorise and oversee the use of Investigatory Powers by public authorities. See Prime Minister’s Office, ‘Investigatory Powers Commissioner appointed: Lord Justice Fulford’ (3 March 2017) [accessed 11 July 2017]

201 Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (OJ L 119/132, 4 May 2016, pp 132–149)

202 Directive 2006/24/EC of the European Parliament and of the Council of 27 April 2016 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ L 105/54, 13 April 2006, pp 54–63)

206 Q 15. Directive 2006/24/EC was declared invalid by the Court of Justice of the European Union in April 2014 in the joined cases of Digital Rights Ireland and Seitlinger and Others v Minister for Communications, Marine and Natural Resources, Minister for Justice, Equality and Law Reform, The Commissioner of the Garda Síochána, Ireland and the Attorney General (2014) C-293/12 and C-594/12

214 See Q 22. The ICO administers the 1998 Data Protection Act, 2000 Freedom of Information Act and the Privacy and Electronic Communications Regulations.

215 Under Article 68(3), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4 May 2016, pp 1 –88) the EDPB is comprised of “the head of one supervisory authority of each Member State and of the European Data Protection Supervisor, or their respective representatives.” See Chapter one for more information about the EDPB. Article 54(1)(b) of the 1998 Data Act states that the Information Commissioner will be the supervisory authority for the United Kingdom for the purposes of the Data Protection Directive and the Data Protection Framework.

216 The Article 29 Working Party is established by Article 29 of the 1995 Data Protection Directive. It provides the European Commission with independent advice on data protection matters and assists with the development and coordination of data protection policy across EU Member States.

217 Written evidence from Elizabeth Denham (DPP0001)

218 Written evidence from Elizabeth Denham (DPP0001)

220 Written evidence from Elizabeth Denham (DPP0001)

221 Written evidence from Elizabeth Denham (DPP0001)

222 Written evidence from Elizabeth Denham (DPP0001)

226 Regulation 2016/794/EU of the European Parliament and the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
(OJ L 135/53, 24 May 2016, pp 53–114)

227 Q 23. See here for a more detailed description of the ICO supervisory role at an EU level: Information Commissioner’s Office, ‘International Duties’: [accessed 11 July 2017].

236 Q 29. See also The Common Thread Network, ‘Homepage’: [accessed 11 April 2017].

© Parliamentary copyright 2017