Has Europe cut the UK adrift on data protection?
EU reckons we've one foot out the door anyway
Comment In 1805, William Pitt the Younger, on hearing of Napoleon's victory at the Battle of Austerlitz, is reported to have said: "Roll up that map (of Europe) – it will not be wanted these 10 years". Well I have attended two meetings which suggest that the European Union has already rolled up its Data Protection Map of Europe so it excludes the UK.
The main reason for this? Anticipation of a likely UK withdrawal from European Union after the next General Election.
At the Information Commissioner’s press conference to launch his latest Annual Report (15 July), he reported that in the Working Party 29, it was difficult to get the British pragmatic view across – irrespective of the arguments. This was not because the UK was speaking in runes and riddles, it was down to the presumption that the UK could easily leave the European Union and therefore what it had to say carried little weight.
Indeed, perhaps it was this kind of sentiment that prevented the UK’s Information Commissioner from becoming head of WP29 Committee of Data Protection Authorities. If the UK is debating leaving the European Union (EU), it follows that you can’t have the UK Commissioner having a key role in such a leading EU Committee.
At a meeting on Monday 28 July held under Chatham House rules, an official said the UK was “lost” to Europe. The result is that the UK views on the Regulation can be seen as political posturing and part of the UK’s in/out debate. In short, since the UK might leave the EU, the Government’s opinions also carried little weight.
I have already reported in this blog that the UK government is largely seen as blocking progress on the Data Protection Regulation (Viviane Reding, the Commissioner responsible for the Regulation, was reported in the German press saying that discussions with Britain and Ireland were "not important" adding that she only had time for “constructive conversations” identifying those discussions with Great Britain as a waste of effort and "unnecessary”).
It is also well known that this Regulation was top of the Prime Minister’s “hit-list” of red-tape regulations at the Heads of States meeting in October 2013. The UK position is still that it wants a new Data Protection Directive; I should add that I was told last Monday that the Commission thinks that the UK is now isolated in this regard and that a Regulation will definitely appear in 2015.
A slice of data protection history
The European notion that the UK does not really care about data protection is not a new one; it has been around for more than two decades and developed during the protracted negotiations about the Directive 95/46/EC where the UK was instrumental as delaying agreement on the Directive for five years.
Rumour has it that in 1995 Chancellor Kohl and President Mitterrand, to avoid further delay, decided to give in to British demands and agreed a Directive that included huge carve-outs for Member States (e.g. manual files, an implementation timetable that could extend to 2008).
It was this decision which resulted in diverse implementation of Directive 95/46/EC by Member States and the consequent need for the current Regulation to establish consistent data protection rules for all Member States. Note that during these protracted Regulations negotiations, the view is also that the UK is too eager to cause delays in order minimise the impact on business.
This view is reflected in a cartoon (PDF) used in presentations about Data Protection Regulators at the time (in 2006). This depicted the Regulators as dogs protecting a block of personal data. The Spanish regulator was depicted as a Rottweiler whilst the UK was depicted as a cuddly poodle that could easily be rolled over (see references for the cartoon).
One does not know whether the advent of the Monetary Penalty Notice has changed this view, given the resistance from the UK government to implement a custodial element to the S.55 offence.
Data protection consequences if the UK leaves the EU
First, could I make some political observations?
- If Scotland votes for independence then the chances of EU withdrawal increases for the rest of the UK. The reason is that any Conservative majority in the next Parliament will derive its legitimacy from non-Scottish constituencies; indeed there is that old joke that there are more pandas in Scotland than Scottish Conservative MPs.
- If the Conservatives are returned to power after the next General Election, then it will be on a Euro-sceptic agenda as the party is likely to present an explicit Euro-sceptic manifesto in an attempt to reduce the UKIP vote.
- Any fresh UK-Euro negotiations will not result in much change in substance if the European view is that the UK has already a foot in the exit door; indeed I expect the Commission to draw up contingency plans for a UK exit.
- If there is an “in/out” referendum, then the popular tabloid press and Conservative supporting broadsheets will probably urge its readers for an “out” vote irrespective of what the UK negotiates with Europe. This referendum is likely to occur at the same time as any new Regulation will commence (ie, in 2017).
- Any Conservative commitment to withdraw from the European Convention on Human Rights will not be understood by European Countries whose recent history is characterised by a history of rule by a totalitarian regime or dictator (e.g. East Germany, the “Iron curtain” block, Spain, Greece and Portugal).
If we then assume there is no such thing as an “amicable” separation, can we now postulate what happens the data protection context if the UK votes to leave the EU:
- The UK will be outside the EEA and the transfer rules of any new Data Protection Regulation applies to transfers of personal data to the UK.
- The European Commission has already determined that the UK’s Data Protection Act is not a proper implementation of Directive 95/46/EC (see references); it is supposed to be thinking of implementing “ongoing” infraction proceedings (this is the main reason why my FOI requests have hitherto failed to confirm the nature of these deficiencies).
- The doubts surrounding transfers of personal data to the US because of the Snowden revelations will apply to transfers to the UK because of GCHQ (and the emergency DRIP legislation which extends the range of communications data which are subject to mass retention rules). These doubts would be enhanced if a future UK Government was not committed to the text of Article 8 of the Human Rights Convention.
In other words, there is a real risk that the EU might find that the UK does not offer “an adequate level of protection” (even under the current data protection rules). I am sure the financial centres in Germany and Paris might float that idea off to their respective and presumably receptive politicians.
In 1982, then UK prime minister Margaret Thatcher decided that the risks to a block on transfers of personal data to the City of London were such that the Data Protection Act 1984 had to be implemented.
It would be strange if a future Conservative government came to the opposite conclusion and that its policy of withdrawal from the European Union held no risks to the transfers of personal data into the UK.
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.
Sponsored: Becoming a Pragmatic Security Leader