Original URL: https://www.theregister.com/2014/07/31/has_europe_cut_the_uk_adrift_on_data_protection/

Has Europe cut the UK adrift on data protection?

EU reckons we've one foot out the door anyway

By Amberhawk Training

Posted in Channel, 31st July 2014 08:32 GMT

Comment In 1805, William Pitt the Younger, on hearing of Napoleon's victory at the Battle of Austerlitz, is reported to have said: "Roll up that map (of Europe) – it will not be wanted these 10 years". Well I have attended two meetings which suggest that the European Union has already rolled up its Data Protection Map of Europe so it excludes the UK.

The main reason for this? Anticipation of a likely UK withdrawal from European Union after the next General Election.

At the Information Commissioner’s press conference to launch his latest Annual Report (15 July), he reported that in the Working Party 29, it was difficult to get the British pragmatic view across – irrespective of the arguments. This was not because the UK was speaking in runes and riddles, it was down to the presumption that the UK could easily leave the European Union and therefore what it had to say carried little weight.

Indeed, perhaps it was this kind of sentiment that prevented the UK’s Information Commissioner from becoming head of WP29 Committee of Data Protection Authorities. If the UK is debating leaving the European Union (EU), it follows that you can’t have the UK Commissioner having a key role in such a leading EU Committee.

At a meeting on Monday 28 July held under Chatham House rules, an official said the UK was “lost” to Europe. The result is that the UK views on the Regulation can be seen as political posturing and part of the UK’s in/out debate. In short, since the UK might leave the EU, the Government’s opinions also carried little weight.

I have already reported in this blog that the UK government is largely seen as blocking progress on the Data Protection Regulation (Viviane Reding, the Commissioner responsible for the Regulation, was reported in the German press saying that discussions with Britain and Ireland were "not important" adding that she only had time for “constructive conversations” identifying those discussions with Great Britain as a waste of effort and "unnecessary”).

It is also well known that this Regulation was top of the Prime Minister’s “hit-list” of red-tape regulations at the Heads of States meeting in October 2013. The UK position is still that it wants a new Data Protection Directive; I should add that I was told last Monday that the Commission thinks that the UK is now isolated in this regard and that a Regulation will definitely appear in 2015.

A slice of data protection history

The European notion that the UK does not really care about data protection is not a new one; it has been around for more than two decades and developed during the protracted negotiations about the Directive 95/46/EC where the UK was instrumental as delaying agreement on the Directive for five years.

Rumour has it that in 1995 Chancellor Kohl and President Mitterrand, to avoid further delay, decided to give in to British demands and agreed a Directive that included huge carve-outs for Member States (e.g. manual files, an implementation timetable that could extend to 2008).

It was this decision which resulted in diverse implementation of Directive 95/46/EC by Member States and the consequent need for the current Regulation to establish consistent data protection rules for all Member States. Note that during these protracted Regulations negotiations, the view is also that the UK is too eager to cause delays in order minimise the impact on business.

This view is reflected in a cartoon (PDF) used in presentations about Data Protection Regulators at the time (in 2006). This depicted the Regulators as dogs protecting a block of personal data. The Spanish regulator was depicted as a Rottweiler whilst the UK was depicted as a cuddly poodle that could easily be rolled over (see references for the cartoon).

One does not know whether the advent of the Monetary Penalty Notice has changed this view, given the resistance from the UK government to implement a custodial element to the S.55 offence.

Data protection consequences if the UK leaves the EU

First, could I make some political observations?

If we then assume there is no such thing as an “amicable” separation, can we now postulate what happens the data protection context if the UK votes to leave the EU:

In other words, there is a real risk that the EU might find that the UK does not offer “an adequate level of protection” (even under the current data protection rules). I am sure the financial centres in Germany and Paris might float that idea off to their respective and presumably receptive politicians.

In 1982, then UK prime minister Margaret Thatcher decided that the risks to a block on transfers of personal data to the City of London were such that the Data Protection Act 1984 had to be implemented.

It would be strange if a future Conservative government came to the opposite conclusion and that its policy of withdrawal from the European Union held no risks to the transfers of personal data into the UK.

References

European Commissioner for Justice Viviane Reding comments about the UK’s approach to Regulation discussions

Cameron’s speech puts UK accession to any Data Protection Regulation and Directive in doubt

The history of the UK approach to data protection being more a cost on business and less of a protection of the individual

Why the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.