Last Thursday, the House of Commons Library published a briefing paper on the effects of GDPR and Brexit.
This summarises the background to EU data protection law and outlines that inconsistent implementation of the Data Protection Directive (95/45/EC) across EU Member States led to the European Commission proposing a new legislative framework for data protection. In its now finalised form, this has two elements:
- The General Data Protection Regulation (GDPR; Reg 2016/679). This came into force on 24 May 2016. There is a two-year transition period for implementation, meaning that the UK is not obligated to enforce it until 25 May 2018. However, this will be before the country leaves the EU under Brexit.
- The Directive on data transfers for policing and judicial purposes (2016/680/EU). This came into force on 5 May 2016. EU Member States are required to transpose it into their national law by 6 May 2018. The Directive aims to protect citizens’ fundamental right to data protection whenever personal data is used by criminal law enforcement authorities and will especially protect the personal data of victims, witnesses and suspects of crime. It will apply to data transfers across borders within the EU as well as, for the first time, setting minimum standards for data processing for policing purposes within each Member State.
The Government has said that the GDPR will apply in the UK from 25 May 2018.
In February 2017, Matt Hancock, Minister for Digital and Culture, told the House of Lords Select Committee on the European Union that the GDPR was a “good piece of legislation”. He said that parts of the Data Protection Act 1998 would need to be repealed for data processing to be within the scope of the GDPR and that it was “necessary to ensure that we do not end up with the Data Protection Act duplicating or creating inconsistencies with the GDPR, because the GDPR will be directly applicable”.
The Queen’s Speech of 21 June 2017 also introduced a new Data Protection Bill which “will ensure that the United Kingdom retains its world-class regime protecting personal data”.
The Bill has not yet been introduced.
What will happen after Brexit?
Under the EU’s data protection framework, any country outside the EU and EEA is classed as a “third country”. Personal data can only be transferred to a third country when an adequate level of protection is guaranteed. One option is for the European Commission to make an “adequacy decision” so that personal data can flow from EU/EEA member states to third countries (or one or more specific sectors in those countries). Other options include binding corporate rules and standard contractual clauses.
The Government has stressed that it is “keen to secure the unhindered flow of data between the UK and the EU post Brexit”.
Lords Select Committee report (July 2017)
In a July 2017 report, the Lords Select Committee on the European Union said it was “struck by the lack of detail” on how the Government plans to deliver the unhindered flow of data after Brexit. According to the Committee, the most effective way would be through adequacy decisions from the European Commission. However, these can only be made in respect of third countries. There are therefore legal impediments to having decisions in place at the moment of Brexit. In the absence of a transitional arrangement, securing uninterrupted flows of data could be at risk. The Committee therefore recommended that the Government should ensure that any transitional arrangements agreed during withdrawal negotiations provide for continuity of data-sharing, pending the adoption of adequacy decisions in respect of the UK.
The Committee also said that, on data protection, there was no prospect of a “clean break”. “The extra-territorial reach of the GDPR means that the legal controls placed by the EU on transfers of personal data outside its territory will apply when data is transferred from the EU to the UK, affecting UK businesses that handle EU data”.
Speaking to the committee, Elizabeth Denham, the Information Commissioner, suggested that an adequacy decision would be the best way forward because “it is the most straightforward arrangement for the commercial sector and certainly for citizens and consumers who want their data transferred and interchanged between the EU and the UK”.