Brexit: the EU data protection package Contents

Summary of conclusions and recommendations

1.The Government has said that it wishes to secure unhindered and uninterrupted flows of data between the UK and the EU post-Brexit, to facilitate both trade and law enforcement cooperation. We support this objective, and note that any arrangement that resulted in greater friction around data transfers between the UK and the EU post-Brexit could hinder police and security cooperation. It could also present a non-tariff barrier to trade, particularly in services, putting companies operating out of the UK at a competitive disadvantage. The Government must not only signal its commitment to unhindered and uninterrupted flows of data, but set out clearly, and as soon as possible, how it plans to deliver that outcome. We were struck by the lack of detail in the Government’s assurances thus far. (Paragraph 110)

2.There was consensus among our witnesses that the most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive, thereby confirming that the UK’s data protection rules offered an equivalent standard of protection to that available within the EU. (Paragraph 111)

3.Although other legal mechanisms to facilitate cross-border flows of data are available, we were persuaded by the Information Commissioner’s view that the UK is so heavily integrated with the EU—three-quarters of the UK’s cross-border data flows are with EU countries—that it would be difficult for the UK to get by without an adequacy arrangement. We therefore recommend that the Government should seek adequacy decisions to facilitate UK-EU data transfers after the UK has ceased to be a member of the EU. This would provide the least burdensome and most comprehensive platform for sharing data with the EU, and offer stability and certainty for businesses, particularly SMEs. (Paragraph 112)

4.Adequacy decisions can only be taken in respect of third countries, and there are therefore legal impediments to having such decisions in place at the moment of exit. In the absence of a transitional arrangement, this could put at risk the Government’s objective of securing uninterrupted flows of data, creating a cliff-edge. We urge the Government to ensure that any transitional arrangements agreed during the withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK. (Paragraph 113)

5.In the absence of such transitional arrangements, the lack of tried and tested fall-back options for data-sharing in the area of law enforcement would raise concerns about the UK’s ability to maintain deep police and security cooperation with the EU and its Member States in the immediate aftermath of Brexit. (Paragraph 114)

6.The need for transitional arrangements also extends to the commercial sector. Although there are alternative mechanisms to allow data to flow out of the EU for commercial purposes, these are sub-optimal compared to an adequacy decision, and may not be available to some types of companies, for instance small companies or those dealing directly with consumers. Some are also currently subject to legal challenge, notably the Schrems II case against Standard Contractual Clauses, underlining the need for a transitional arrangement. (Paragraph 115)

7.The EU-US Privacy Shield and the EU-US Umbrella Agreement will cease to apply to the UK post-Brexit. Because of EU rules for onward transfers, securing unhindered flows of data with the EU may require the UK also to demonstrate that it has put arrangements in place with the US that afford the same level of protection as the Privacy Shield and the Umbrella Agreement. As regards data-sharing for commercial purposes, we note the approach taken by Switzerland, which has secured both an adequacy decision from the EU and a mirror of the Privacy Shield agreement with the US. (Paragraph 116)

8.Even if the UK’s data protection rules are aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that over time, the EU will amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting. (Paragraph 163)

9.Even if the Government does not pursue full regulatory equivalence in the form of an adequacy decision, the UK will retain an interest in the way the EU’s regulatory framework for data protection develops. There is no prospect of a clean break: the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data. (Paragraph 164)

10.The way that EU institutions such as the new European Data Protection Board and the Court of Justice of the European Union interpret the EU’s data protection laws could also affect the UK, albeit indirectly—as demonstrated by the experience of the United States with Safe Harbour. Any changes to EU data protection laws would potentially alter the standards which the UK would need to meet to maintain an adequate level of protection. The UK could find itself held to a higher standard as a third country than as a Member State, since it will no longer be able to rely on the national security exemption in the TFEU that is currently engaged when the UK’s data retention and surveillance regime is tested before the CJEU. (Paragraph 165)

11.The UK has a track record of influencing EU rules on data protection and retention. Brexit means that it will lose the institutional platform from which it has been able to exert that influence. It is imperative that the Government considers how best to replace those structures and platforms in order to retain UK influence as far as possible. It should start by seeking to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board. (Paragraph 166)

12.In the longer term, it is conceivable that an international treaty on data protection could emerge as the end product of greater coordination between data protection authorities in the world’s largest markets. The Government’s long-term objective should be to influence the development of any such treaty. Given the relative size of the UK market compared to the EU and US markets, and its alignment with EU rules at the point of exit, the Government will need to work in partnership with the EU to achieve that goal—again underlining the need to adequately replace existing structures for policy coordination. (Paragraph 167)

© Parliamentary copyright 2017