How UK’s GDPR law might not be judged 'adequate'
If it has Data Protection Act's defects, all bets are off
Comment Since 2005, I have tried to use Freedom of Information legislation to find out what is behind the “ongoing” infraction proceedings, commenced by the European Commission against the UK. This is because the UK’s Data Protection Act (DPA) is, according to the Commission, a defective implementation of Directive 95/46/EC.
So what are these defects? Should data protection practitioners know what they are?
Regular readers will know that the official answer to both questions is a resounding “NO”, because publishing the requested data protection detail would, we are told, cause irreparable damage to international relations between the UK and the European Union (re-confirmed in ICO Decision Notice FS50577377 (PDF), dated March 2016)!
So, after the Brexit referendum vote, I tried the European Union’s Access to Documents regime (Regulation (EC) No 1049/2001 (PDF)), and received another refusal to add to my collection. The refusal letter (see references at the foot of the page), dated mid-November last year, confirms that there are still major problems with the DPA; of the 20+ problems identified by the European Commission in 2005, four of them are serious and remain unresolved in 2017 (in the run-up to GDPR implementation).
Surprisingly, even information about the 16+ resolved issues remains a state secret. For instance, paragraph 33 of the 2016 Decision Notice confirms that the release of these details would cause “prejudice to international relations”. The ICO concluded that “…having viewed the withheld information, the Commissioner is satisfied that there would be a real and significant risk of prejudice … to the relationship between the UK and the European Commission”.
Indeed, someone who said he was “close to GCHQ/MI6” took me to one side at this month’s ICO conference. He told me that if I were to be given the top-secret list of data protection indiscretions on the part of the UK (none of which relate to national security, crime and taxation etc, I should add), then the damage to EU-UK relations would be so high that the European Commission’s mission in London would have to close, and the UK Ambassador to Brussels would become persona non grata. I was advised to “back off”, whatever that means.
A score of problems
In this article, I update readers with the latest chapter in this saga. I report the contents of a six-page refusal letter, dated 14/11/2016, which contains comments relevant to a UK adequacy decision under GDPR (see references: Document 0-6, where each is a single page).
The important comments are:
- the first complete paragraph at the top of Document 3 shows that the alleged defects in the UK’s DPA will be assessed in the context of the UK’s GDPR implementation and “could possibly lead to a complementary reasoned opinion”. In other words, if the identified DPA defects remain when the UK implements the GDPR, that implementation is likely to be judged defective.
- the bottom of Document 4 and top of Document 5, where the Commission confirms that “investigations are active and ongoing”; this means the DPA is still deemed to be defective. In other words, if the current DPA is defective in terms of Directive 95/46/EC it will also be defective in terms of the GDPR (i.e. the status quo cannot remain as a basis for an adequacy determination by the Commission).
Where is the DPA defective?
The main areas of concern about the DPA in the context of the GDPR that I have identified in this decade-long Freedom of Information process are as follows:
- The definition of “personal data” takes no account of Recital 26 of Directive 95/46/EC. The definition of “personal data” in the DPA requires personal data to relate to an identifiable data subject where that identification is undertaken by the data controller alone. By contrast, Recital 26 suggests identification can be undertaken by the controller and, within reason, by persons other than the controller. The UK Act definition of personal data is therefore unduly restrictive and has been so since 1998. The same problem arises when the DPA definition is compared with the GDPR definition of “personal data”.
- The definition of “Relevant Filing System” in the DPA is not the definition of “Filing System” in Directive 95/46/EC. Whilst the Directive allowed Member States to go their own way with manual filing systems, this flexibility is not in the GDPR (which maintains the Directive definition). I have included it in my list as this could be a major headache for controllers preparing for the GDPR: personal information in manual filing systems that is excluded from the definition of “data” in the DPA (and therefore excluded from any DP obligation, as the information is not personal data) becomes fully subject to the GDPR in May 2018.
- The Information Commissioner has a limited role under the DPA in assessing whether third countries offer an adequate level of protection (e.g. she does not authorise or approve transfers in the way other European data protection authorities do). The DPA is unique in that data controllers can assess adequacy themselves (something removed in the GDPR unless very exceptional circumstances arise).
- The Information Commissioner cannot perform random audit checks on any data controller/data processor under the DPA. There is a limited ability to audit government departments, the NHS and telcos, but this came after the Commission commenced its “ongoing” infraction proceedings in 2005.
- The Monetary Penalty regime is too restrictive (eg, it requires serious breach that causes real or likely substantial damage/distress). I suspect the Commission would prefer penalty fines for many lesser infringements, and that if the UK maintains the current enforcement regime in the GDPR, it risks being judged as being inadequate.
- There is no ability (except for judicial review) for the data subject to challenge the Information Commissioner’s failure to enforce the DPA against a data controller. Whereas a data controller can appeal to the Tribunal against the ICO’s enforcement action in general, there is no equivalent appeal mechanism available to data subjects. The main enforcement regime is therefore unbalanced and comprises last-resort powers (e.g. Enforcement Notices, Information Notices) that are designed to be used only when a data controller does not “co-operate” with the ICO’s wishes. That is why there are very few Information Notices, for example.
- The Courts in the UK have an unfettered discretion to refuse to enforce subject access even where the refusal is not grounded in one of the exemptions found in Directive 95/46/EC (this arises from the use of “may” in Section 7(9) of the DPA). In addition, the Courts could even refuse to order inaccurate personal data to be corrected or erased (the use of “may” in Section 14). I should add that I find both problems to be hypothetical and I am not aware of any case where these Sections have proved to be a problem, but I do know the Commission is concerned about this.
Note that the last five in the above list relate to enforcement issues and improperly implemented data subject rights. They serve to reinforce the widely-held perception in Europe that the UK enforcement regime is weak.
Some of the issues raised by the Commission have been resolved by the UK Courts over time. For instance, the right to compensation in the DPA was limited to damage that could be assessed on monetary grounds. In the case of Johnson v Medical Defence Union, the Court of Appeal stated that compensation for distress would only be available where a claimant could also show pecuniary loss.
This was overturned by the Court of Appeal in Google Inc. v Vidal-Hall & Ors, which ruled that section 13(2) of the Data Protection Act should be disapplied as it was a deficient implementation of Article 23 of Directive 95/46/EC. Note that it took 14 years, and a long march through the legal institutions, to fix this “bug”.
Other issues have been resolved by CJEU judgements which will not apply in a post-Brexit UK. For instance, I am sure that the domestic purpose exemption (Section 36 of the DPA) was criticised by the Commission as being too broad; this was the subject of a landmark ruling in Lindqvist, which narrowed its scope to processing of personal data for “purely personal” matters.
I do not know what the missing 10+ issues are; they have to be kept secret so as not to “prejudice international relations”.
The fact that a score of issues was identified as potential defects suggests that the DPA was, from the European perspective, implemented well below the minimum standard required (and deliberately so). Quite simply, the UK has applied a “minimal implementation” policy to the implementation of Directive 95/46/EC.
If this policy continues with GDPR implementation (eg, all the indications are that the government intends to take maximum advantage of the flexibility that the GDPR gives to Member States in 50+ Articles), then a minimal implementation policy is likely to jeopardise any adequacy determination by the European Commission.
The conclusion that I have reached is that the risk of a “GDPR-lite” implementation is significant; it follows that the risk of the UK not getting an adequacy determination is high. That is why “a hard Brexit” could be very relevant to those with Third Country transfer issues.
This conclusion is not helped by stated government policy that, in a post-Brexit UK, it can ignore CJEU judgements (and by implication European Data Protection Board determinations concerning harmonising the GDPR across the European Union). Such a policy, if implemented, is also likely to jeopardise any adequacy determination from the Commission.
In summary, 60,000,000 UK data subjects, 500,000 data controllers and a host of Parliamentary Committees have been kept ignorant, for over a decade, about the alleged defects in the UK’s DPA by successive governments. From the ID Card database in 2004 to the widespread data sharing policies of the Digital Economy Bill of 2017, ministers down the ages have reassured Parliament that privacy is preserved: “Don’t worry, the personal data are protected by the DPA”.
All these statements are wholly misleading, and in many circumstances ministers or their civil servants knew they were misleading. The evidence lies in these infraction documents which, for reasons I cannot fathom, are being kept secret.
This state of affairs now risks carrying over to the GDPR. If so, then this could torpedo any hopes of an adequacy determination by the Commission.
Find a list of Articles that the European Commission says the UK DPA has not implemented properly here (page 2 has quite a long list of Articles).
Please download the letter here:
- Download Document 1 (PDF)
- Download Document 2 (PDF)
- Download Document 3 (PDF)
- Download Document 4 (PDF)
- Download Document 5 (PDF)
- Download Document 6 (PDF)
This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.