A general debate on exiting the European Union and data protection is scheduled for Thursday 12 October 2017.Jump to full report >>
The EU data protection framework
The main piece of EU data protection law is the 1995 Data Protection Directive. The Directive was implemented into UK law by the Data Protection Act 1998. The 1998 Act provides the legal framework for data protection in the UK.
A 2008 Council Framework Decision applies to the processing of personal data in police and judicial cooperation in criminal matters. This was transposed into UK law by the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014.
The EU’s Charter of Fundamental Rights and Freedoms is also now central to EU data protection law, with a number of cases relying on Charter Article 8 in preference to other EU data protection provisions.
Since 1995, digital technology has profoundly changed the way data is collected, accessed and used. In addition, Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. In January 2012, the European Commission therefore proposed a new legislative framework for data protection. In its now finalised form, this has two elements:
The GDPR will apply in the UK from 25 May 2018.
The PCJ Directive must be transposed into national law by 6 May 2018.
Under the EU’s data protection framework, any country other than the EU and EEA Member States is classed as a “third country”.
Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” so that data can flow from EU/EEA Member States to third countries (or one or more specific sectors in those countries). Other options include binding corporate rules and standard contractual clauses.
Data protection after Brexit
On leaving the EU and EEA, the UK would become a third country.
The Government has stressed that it wants to maintain the unhindered flow of data between the UK and the EU after Brexit. In a July 2017 report, the Lords Select Committee on the European Union said it was “struck by the lack of detail on how the Government plans to deliver this outcome”. The Committee recommended that the Government should seek adequacy decisions as “the least burdensome and most comprehensive platform for sharing data with the EU” after Brexit. It warned of a “cliff-edge” if transitional arrangements did not allow for continuity of data sharing.
Some business leaders have also expressed concern at what will happen after Brexit.
In an August 2017 position paper, the Government said that it “wanted to explore a UK-EU model for exchanging and protecting personal data that could build on the existing adequacy model.”
The Data Protection Bill [HL] 2017-19 will bring the GDPR and PCJ Directive into UK law and, according to the Government, “ensure that the UK is prepared for the future after we have left the EU”.
However, the Government proposes to exclude the Charter of Fundamental Rights from ‘EU retained law’ after Brexit. Instead, underlying rights and principles will be carried forward and will be substitute reference points in pre-Brexit case-law referring to the Charter.
This raises a number of questions for data protection. For instance:
For further discussion of the above issues, see the Library’s Briefing Paper, Brexit and data protection.
Commons Debate packs CDP-2017-0170
Authors: John Woodhouse; Sarah Pepin