Thank you for contacting me about the Data Protection Bill.
I understand you have concerns about safeguards for data-sharing in the Data Protection Bill, but the Bill provides that the intelligence services can only make transfers outside of the UK when necessary and proportionate for the purposes of the services’ statutory functions.
The General Data Protection Regulation (GDPR) does not deal with national security processing since that is outside the scope of EU law. The GDPR therefore is not designed for, and does not provide an appropriate basis for, the unique nature of intelligence services processing, including when they make international transfers to partners when necessary to safeguard national security.
The international transfer of personal data is vital to the intelligence services’ ability to counter threats to national security and they must be in a position to be able to operate across borders and share information quickly to protect the UK and its partners. In all cases the intelligence services apply robust necessity and proportionality tests before sharing any information. The inherent risk of sharing information must be balanced against the risk to national security of not sharing such information.