Government responds to Brexit: the EU data protection package report
26 October 2017
- Report: Brexit: the EU data protection package (PDF)
- Report: Brexit: the EU data protection package (HTML)
- Response: UK Government response
- Parliament TV: Watch the debate
- Inquiry: Brexit: the EU data protection package
- EU Home Affairs Sub-Committee
The Committee's report looks at the four elements of the EU's data protection package in order to examine the options available to the Government for securing uninterrupted data flows between the UK and EU after the UK leaves the EU:
- There was consensus among our witnesses that the most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under Article 45 of the General Data Protection Regulation and Article 36 of the Police and Criminal Justice Directive, thereby confirming that the UK's data protection rules would offer an equivalent standard of protection to that available within the EU.
- EU adequacy decisions can only be taken in respect of third countries – i.e. countries that are not EU Member States – and there will therefore be legal impediments to having such decisions in place at the moment of exit. If there is no transitional arrangement on data protection post-Brexit, this could put at risk the Government's objective of securing uninterrupted flows of data, thereby creating a cliff-edge.
- Without a transitional arrangement, the lack of tried and tested fall-back options for data-sharing in the area of law enforcement would raise concerns about the UK's ability to maintain deep police and security cooperation with the EU and its Member States in the immediate aftermath of Brexit.
- Even if the UK's data protection rules were aligned with the EU regime to the maximum extent possible at the point of Brexit, there remains the prospect that over time, the EU would amend or update its rules. Maintaining unhindered data flows with the EU post-Brexit could therefore require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting.