Has Europe cut the UK adrift on data protection?

EU reckons we've one foot out the door anyway

Providing a secure and efficient Helpdesk

Comment In 1805, William Pitt the Younger, on hearing of Napoleon's victory at the Battle of Austerlitz, is reported to have said: "Roll up that map (of Europe) – it will not be wanted these 10 years". Well I have attended two meetings which suggest that the European Union has already rolled up its Data Protection Map of Europe so it excludes the UK.

The main reason for this? Anticipation of a likely UK withdrawal from European Union after the next General Election.

At the Information Commissioner’s press conference to launch his latest Annual Report (15 July), he reported that in the Working Party 29, it was difficult to get the British pragmatic view across – irrespective of the arguments. This was not because the UK was speaking in runes and riddles, it was down to the presumption that the UK could easily leave the European Union and therefore what it had to say carried little weight.

Indeed, perhaps it was this kind of sentiment that prevented the UK’s Information Commissioner from becoming head of WP29 Committee of Data Protection Authorities. If the UK is debating leaving the European Union (EU), it follows that you can’t have the UK Commissioner having a key role in such a leading EU Committee.

At a meeting on Monday 28 July held under Chatham House rules, an official said the UK was “lost” to Europe. The result is that the UK views on the Regulation can be seen as political posturing and part of the UK’s in/out debate. In short, since the UK might leave the EU, the Government’s opinions also carried little weight.

I have already reported in this blog that the UK government is largely seen as blocking progress on the Data Protection Regulation (Viviane Reding, the Commissioner responsible for the Regulation, was reported in the German press saying that discussions with Britain and Ireland were "not important" adding that she only had time for “constructive conversations” identifying those discussions with Great Britain as a waste of effort and "unnecessary”).

It is also well known that this Regulation was top of the Prime Minister’s “hit-list” of red-tape regulations at the Heads of States meeting in October 2013. The UK position is still that it wants a new Data Protection Directive; I should add that I was told last Monday that the Commission thinks that the UK is now isolated in this regard and that a Regulation will definitely appear in 2015.

A slice of data protection history

The European notion that the UK does not really care about data protection is not a new one; it has been around for more than two decades and developed during the protracted negotiations about the Directive 95/46/EC where the UK was instrumental as delaying agreement on the Directive for five years.

Rumour has it that in 1995 Chancellor Kohl and President Mitterrand, to avoid further delay, decided to give in to British demands and agreed a Directive that included huge carve-outs for Member States (e.g. manual files, an implementation timetable that could extend to 2008).

It was this decision which resulted in diverse implementation of Directive 95/46/EC by Member States and the consequent need for the current Regulation to establish consistent data protection rules for all Member States. Note that during these protracted Regulations negotiations, the view is also that the UK is too eager to cause delays in order minimise the impact on business.

This view is reflected in a cartoon (PDF) used in presentations about Data Protection Regulators at the time (in 2006). This depicted the Regulators as dogs protecting a block of personal data. The Spanish regulator was depicted as a Rottweiler whilst the UK was depicted as a cuddly poodle that could easily be rolled over (see references for the cartoon).

One does not know whether the advent of the Monetary Penalty Notice has changed this view, given the resistance from the UK government to implement a custodial element to the S.55 offence.

Data protection consequences if the UK leaves the EU

First, could I make some political observations?

  • If Scotland votes for independence then the chances of EU withdrawal increases for the rest of the UK. The reason is that any Conservative majority in the next Parliament will derive its legitimacy from non-Scottish constituencies; indeed there is that old joke that there are more pandas in Scotland than Scottish Conservative MPs.
  • If the Conservatives are returned to power after the next General Election, then it will be on a Euro-sceptic agenda as the party is likely to present an explicit Euro-sceptic manifesto in an attempt to reduce the UKIP vote.
  • Any fresh UK-Euro negotiations will not result in much change in substance if the European view is that the UK has already a foot in the exit door; indeed I expect the Commission to draw up contingency plans for a UK exit.
  • If there is an “in/out” referendum, then the popular tabloid press and Conservative supporting broadsheets will probably urge its readers for an “out” vote irrespective of what the UK negotiates with Europe. This referendum is likely to occur at the same time as any new Regulation will commence (ie, in 2017).
  • Any Conservative commitment to withdraw from the European Convention on Human Rights will not be understood by European Countries whose recent history is characterised by a history of rule by a totalitarian regime or dictator (e.g. East Germany, the “Iron curtain” block, Spain, Greece and Portugal).

If we then assume there is no such thing as an “amicable” separation, can we now postulate what happens the data protection context if the UK votes to leave the EU:

  • The UK will be outside the EEA and the transfer rules of any new Data Protection Regulation applies to transfers of personal data to the UK.
  • The European Commission has already determined that the UK’s Data Protection Act is not a proper implementation of Directive 95/46/EC (see references); it is supposed to be thinking of implementing “ongoing” infraction proceedings (this is the main reason why my FOI requests have hitherto failed to confirm the nature of these deficiencies).
  • The doubts surrounding transfers of personal data to the US because of the Snowden revelations will apply to transfers to the UK because of GCHQ (and the emergency DRIP legislation which extends the range of communications data which are subject to mass retention rules). These doubts would be enhanced if a future UK Government was not committed to the text of Article 8 of the Human Rights Convention.

In other words, there is a real risk that the EU might find that the UK does not offer “an adequate level of protection” (even under the current data protection rules). I am sure the financial centres in Germany and Paris might float that idea off to their respective and presumably receptive politicians.

In 1982, then UK prime minister Margaret Thatcher decided that the risks to a block on transfers of personal data to the City of London were such that the Data Protection Act 1984 had to be implemented.

It would be strange if a future Conservative government came to the opposite conclusion and that its policy of withdrawal from the European Union held no risks to the transfers of personal data into the UK.


European Commissioner for Justice Viviane Reding comments about the UK’s approach to Regulation discussions

Cameron’s speech puts UK accession to any Data Protection Regulation and Directive in doubt

The history of the UK approach to data protection being more a cost on business and less of a protection of the individual

Why the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
JINGS! Microsoft Bing called Scots indyref RIGHT!
Redmond sporran metrics get one in the ten ring
Driving with an Apple Watch could land you with a £100 FINE
Bad news for tech-addicted fanbois behind the wheel
Murdoch to Europe: Inflict MORE PAIN on Google, please
'Platform for piracy' must be punished, or it'll kill us in FIVE YEARS
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Found inside ISIS terror chap's laptop: CELINE DION tunes
REPORT: Stash of terrorist material found in Syria Dell box
Sony says year's losses will be FOUR TIMES DEEPER than thought
Losses of more than $2 BILLION loom over troubled Japanese corp
Show us your Five-Eyes SECRETS says Privacy International
Refusal to disclose GCHQ canteen menus and prices triggers Euro Human Rights Court action
prev story


Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.