The report considers four elements of the EU data protection package: the General Data Protection Regulation (GDPR), the Police and Criminal Justice Directive (PCJ Directive), the EU-US Privacy Shield, and the EU-US Umbrella Agreement. The GDPR and PCJ Directive will enter into force in May 2018, while the UK is still a member of the EU. When the UK leaves the EU, it will no longer be bound by the EU's data protection laws, including the GDPR and the PCJ Directive, and will no longer be party to the EU-US Privacy Shield or the EU-US Umbrella Agreement.
- The Government has stated clearly that it wants to maintain unhindered data flows. The Committee supports this objective, but was struck by the lack of detail on how the Government plans to deliver this.
- Any post-Brexit arrangement that leads to greater friction around UK-EU data flows could pose a non-tariff barrier to trade, putting the UK at a competitive disadvantage.
- Any impediments to data sharing could hinder police and security cooperation. For example, access to databases such as the Schengen Information System (SIS II) and the European Criminal Records Information System (ECRIS) rely on shared data protection standards.
- The report recommends that the Government pursue an 'adequacy decision' as the most comprehensive option for maintaining unhindered data flows post-Brexit. Alternatives, such as reliance on Standard Contractual Clauses would be less effective.
- Adequacy decisions are only made with regard to third countries–in this context, non-EU Member States–and follow a set procedure. To avoid a cliff-edge there will need to transitional arrangements to cover the gap between leaving the EU and obtaining an adequacy decision.
- The UK could find itself being held to a higher standard as a third country than it does as a Member State, since it will no longer be able to rely on the national security exemption on the Treaty on the Functioning of the European Union.
- Even though the UK will no longer be bound by EU data protection laws, there is no prospect of a clean break. Legal controls on the transfer of personal data to non-EU countries mean that any changes in the EU data protection regime could affect the standards that the UK needs to meet to maintain an adequate level of protection.
- Brexit means the UK will lose the institutional platform from which it has been able to influence EU data protection rules. We recommend that the Government secure a continuing role for the UK's Information Commissioner’s Office on the European Data Protection Board.
This report arises out of routine scrutiny of EU legislative proposals, but also forms part of the coordinated series of Brexit-themed inquiries launched by the European Committee and its six Sub-Committees following the referendum on 23 June 2016.