On 18 July 2017 the House of Lords European Union Committee (the “Committee”) published a report covering the impact of Brexit on four aspects of the EU Data Protection Package:

  • the General Data Protection Regulation (the “GDPR”) which will become directly applicable in all EU member states with effect from 25 May 2018. A Data Protection Bill is expected to be introduced by Parliament after the summer recess;
  • the Police and Criminal Justice Directive (the “PJC”) which EU member states must transpose into national law by 6 May 2018;
  • the EU-US Privacy Shield which enables personal data transfers from the EU to the US for commercial purposes and replaced the previous Safe Harbour international transfer mechanism to the US; and
  • the EU-US Umbrella Agreement which establishes a common framework for the protection of personal data transferred between the EU and the US for criminal law enforcement purposes.

In particular:

  • The report acknowledged that “the volume of data stored electronically and moving across borders has grown a huge amount over the last 20 years.”
  • The maintenance of unhindered and uninterrupted data flows between the UK and the EU after Brexit is crucial for both business and for effective police and security cooperation. Any arrangement that results in “greater friction could present a non-tariff trade barrier that puts the UK at a competitive disadvantage”.
  • Whilst the UK Government has stated that it “will seek to maintain the stability of data transfers between the EU, member states and the UK”, the Committee expressed concern that little detail has been provided to date on how this will be achieved in practice.
  • It was acknowledged that the most effective way to achieve unhindered flows of data would be to obtain an “adequacy decision” from the European Commission, confirming that the UK’s data protection legislation offers an equivalent standard of protection to that available within the EU. However, an adequacy decision can only be taken in respect of third countries (countries that are not EU member states) and therefore there is a legal impediment to such a decision being in place at the moment of exit. If there are no transitional arrangements in place post-Brexit, uninterrupted flows of data could be put at risk.
  • In addition, there were mixed opinions on the UK’s ability to achieve adequacy due to ongoing concerns about the UK’s surveillance and data retention regime following the CJEU’s decision in the DRIPA case and its implications for the Investigatory Powers Act 2016 (refer to article below). Since the CJEU’s decision in Maximillian Schrems, it is also thought the bar to achieve adequacy has risen.
  • Even if the UK’s data protection rules were aligned with the EU regime to the maximum extent at the point of Brexit, there is a risk that EU and UK data protection legislation could diverge over time – in an effort to mitigate this risk, the Committee urged the Government to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board.

The House of Lords European Union Committee Report can be found here.