House of Lords Committee Report on Brexit and Data Protection

July 17, 2017

 According to the House of Lords Committee, maintaining
unhindered and uninterrupted data flows between the UK and EU after Brexit is
an important aim, as any arrangement that results in greater friction could
present a non-tariff trade barrier that puts the UK at a competitive
disadvantage and hinders police and security cooperation. This will come as no surprise
to SCL members. The Committee notes that, although the Government has stated
that they ‘will seek to maintain the stability of data transfers between the
EU, Member States and the UK’, they ‘were struck by the lack of detail on how
the Government plans to deliver this outcome’.

In its report, by looking at four elements of the EU’s data
protection package the Committee examines the options available to the
Government for securing uninterrupted data flows between the UK and EU after
the UK leaves the EU. These elements are the General Data Protection Regulation
(GDPR), the Police and Criminal Justice Directive (PCJ), the EU-US Privacy
Shield and the EU-US Umbrella Agreement.

Key Findings

  • The most effective way to achieve unhindered flows of data
    would be to secure adequacy decisions from the European Commission under
    Article 45 of the General Data Protection Regulation and Article 36 of the
    Police and Criminal Justice Directive, thereby confirming that the UK’s data
    protection rules would offer an equivalent standard of protection to that
    available within the EU.
  • EU adequacy decisions can only be taken in respect of third
    countries – ie countries that are not EU Member States – and there will
    therefore be legal impediments to having such decisions in place at the moment
    of exit. If there is no transitional arrangement on data protection
    post-Brexit, this could put at risk the Government’s objective of securing
    uninterrupted flows of data, thereby creating a cliff-edge.
  • Without a transitional arrangement, the lack of tried and
    tested fall-back options for data-sharing in the area of law enforcement would
    raise concerns about the UK’s ability to maintain deep police and security
    cooperation with the EU and its Member States in the immediate aftermath of
  • Even if the UK’s data protection rules were aligned with the
    EU regime to the maximum extent possible at the point of Brexit, there remains
    the prospect that over time, the EU would amend or update its rules.
    Maintaining unhindered data flows with the EU post-Brexit could therefore
    require the UK to continue to align domestic data protection rules with EU
    rules that it no longer participates in setting.
  • It is imperative that the Government consider how best to
    replace those structures and platforms that have allowed it to influence EU
    rules on data protection and retention. It should start by seeking to secure a
    continuing role for the Information Commissioner’s Office on the European Data
    Protection Board.

Links to full report

Brexit: the EU data protection package (HTML)

Brexit: the EU data protection package (PDF)