This Library Briefing Paper looks at data protection and what might happen after Brexit.
The basis of EU data protection law is the 1995 Data Protection Directive (95/46/EC), which was implemented into UK law by the Data Protection Act 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive (2002/58/EC) for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).
Since 1995 technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. In January 2012 the European Commission therefore proposed a new legislative framework for data protection. In its now finalised form, this has two elements:
This Paper focuses on the GDPR. The Regulation includes new provisions on:
It enhances data subjects’ rights with new provisions covering:
A European Commission factsheet (May 2017) gives an overview of the GDPR and what it will mean for citizens and businesses.
The UK and the GDPR
The Government has said that the GDPR will apply in the UK from 25 May 2018.
In February 2017, Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union that the GDPR was a “good piece of legislation”. He said that parts of the Data Protection Act 1998 would need to be repealed for data processing to be within the scope of the GDPR and that it was “necessary to ensure that we do not end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR, because the GDPR will be directly applicable”.
Queen’s Speech, June 2017
The Queen’s Speech of 21 June 2017 said that a Bill will be introduced to “ensure that the United Kingdom retains its world-class regime protecting personal data”. Background briefing notes on the Queen’s Speech explain that the Bill would:
The Bill has not yet been introduced.
What will happen after Brexit?
Under the EU’s data protection framework, any country outside the EU and EEA is classed as a “third country”. Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” so that personal data can flow from EU/EEA member states to third countries (or one or more specific sectors in those countries). Other options include binding corporate rules and standard contractual clauses.
The Government has stressed that it is “keen to secure the unhindered flow of data between the UK and the EU post-Brexit”.
Lords Select Committee report (July 2017)
In a July 2017 report, the Lords Select Committee on the European Union said it was “struck by the lack of detail” on how the Government plans to deliver the unhindered flow of data after Brexit. According to the Committee, the most effective way would be through adequacy decisions from the European Commission. However, these can only be made in respect of third countries. There are therefore legal impediments to having decisions in place at the moment of Brexit. In the absence of a transitional arrangement, securing uninterrupted flows of data could be at risk. The Committee therefore recommended that the Government should ensure that any transitional arrangements agreed during withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK.
The Committee also said that, on data protection, there was no prospect of a “clean break” – “the extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data”.
Commons Briefing papers CBP-7838
Author: John Woodhouse