Thursday, 1 June 2023

Data Protection and Digital Information (No 2) Bill 2022-2023


In The Proposed Data Reform Bill I discussed the government's proposals for a new data protection statute. On 18 July 2022 - 23 days after I wrote that article - Nadine Dorries MP, the Secretary of State for Digital, Culture, Media & Sport, introduced the Data Protection and Digital Information Bill into the House of Commons.  That bill never got beyond its first reading because Ms Dorries was replaced by Michelle Donelan MP when Elizabeth Truss MP became Prime Minister.

At the Conservative Party conference Ms Donelan promised what sounded like far more far-reaching legislation (see Graham Turner UK Gov Pauses Data Reform Bill | What you Need to Know 4 Oct 2022 Digit News). On 8 March 2023, Ms Donelan withdrew the previous bill and introduced a new Data Protection and Digital Information (No. 2) Bill into the House of Commons. That Bill has now completed its passage through the Commons and is about to proceed to the House of Lords.

The new Bill consists of 114 clauses divided into 6 Parts with 13 Schedules.

Part 1 (clauses 1 to 34) and the first 9 Schedules amend the Data Protection Act 2018 and those provisions of the General Data Protection Regulation that are incorporated into the laws of England and Wales, Scotland and Northern Ireland by s.3 of the European Union (Withdrawal) Act 2019 ("UK GDPR") and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 419).

Part 2 (clauses 46 to 60) regulates "digital verification services." These are defined by clause 46 (2) as "verification services provided to any extent by means of the Internet." "Verification services" are defined in the same subsection as

"services that are provided at the request of an individual and consist in—

(a) ascertaining or verifying a fact about the individual from information provided otherwise than by the individual, and

(b) confirming to another person that the fact about the individual has been ascertained or verified from information so provided."

An article by Charlotte Bowyer on Onfido Ltd's website adds that:

"Digital identity verification is how businesses confirm that a customer is who they say they are, online. They do this by assessing personal information and personal data related to an individual."

The technique is used by central and local governments, financial services institutions and other businesses to verify identity, age, qualifications and other personal attributes.

Part 3 (clauses 61 to 77) permits the Secretary of State and the Treasury to make provision in connection with access to customer data and business data. "Business data" is defined by clause 61 (2) as

"(a) information about goods, services and digital content supplied or provided by the trader,
(b) information relating to the supply or provision of goods, services and digital content by the trader (such as, for example, information about where they are supplied, the terms on which they are supplied or provided, prices or performance),
(c) information relating to feedback from customers about the goods, services or digital content, and
(d) information relating to the provision of business data to a person in accordance with data regulations."

"Customer data" means

"information relating to a customer of a trader, including—
(a) information relating to transactions between a customer and the trader, and
(b) information relating to the provision of customer data to a person in accordance with data regulations; 'data holder', in relation to customer data or business data of a trader,"

Clauses 79 to 86 of Part 4 and Sched 10 amend The Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426). The Regulations implement arts 2, 4, 5 (3), 6 to 13, 15 and 16 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. Clauses 87 to 91 amend Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market. Reg 910/2014 (also known as eIDAS) regulates electronic identification and trust services, such as verifying the identity of individuals and businesses and authenticating electronic documents.

Clauses 94 to 98 and Sched 11 amend The Births and Deaths Registration Act 1953 to facilitate the electronic storage of the relevant data. Clause 99 and Sched 12 provide for information standards for health and adult social care and information technology.

Clauses 100 to 103 and Sched 13 establish an Information Commission to enforce the Act.

Anyone wishing to discuss this article may call me on 020 7404 5252 during office hours or send me a message through my contact page.

Saturday, 25 June 2022

The Proposed Data Reform Bill
Jane Lambert

In my article Consultation on Changing the Data Protection Laws (12 Sept 2021), I discussed the consultation on changing the data protection laws. According to the consultation outcome, Data: a new direction - government response to consultation of 23 June 2022, the government received 2,924 responses, 684 by email and 2,240 via a survey platform. It also attended over 40 round tables with academia, tech and industry bodies, and consumer rights groups. The consultation outcome lists the responding organizations in Annex B, summarizes the responses and sets out the government's legislative intentions in the light of the responses on each issue in Annex A.

In a recent press release, the Department for Digital, Culture, Media and Sport outlined a new Data Reform Bill. That Bill is intended to reduce the administrative burden on businesses in order to encourage more innovative uses of personal data for research, facilitate trade and save businesses up to £10 billion over the next 10 years. An example given by the press release is that an independent pharmacist will no longer have to recruit an independent data protection officer to comply with the data protection legislation provided that it can manage risks effectively. The Bill will also increase penalties for nuisance calls and other serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 and reorganize the Information Commissioner's Office.

The proposals have been welcomed by John Edwards, the recently appointed Information Commissioner, in a Statement in response to the government's announcement on the upcoming Data Reform Bill which was published on 16 June 2022. His predecessor contributed to the consultation (see Response to DCMS consultation "Data: a new direction" 6 Oct 2021).

I shall return to this topic once the bill is published. Anyone wishing to discuss this article or its subject matter may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Sunday, 13 February 2022

Privacy and Electronic Communications - Leave.EU Group Ltd v The Information Commissioner

[Image: EU-Austritt (47521165961).svg, author Mrmw, Public Domain CC0 1.0]
Jane Lambert

Court of Appeal (Sir Geoffrey Vos, Master of the Rolls, Lord Justice Lewison and Lady Justice Asplin) Leave.EU Group Ltd & Anor v The Information Commissioner [2022] EWCA Civ 109 (8 Feb 2022)

On 1 Feb 2020, the Information Commissioner issued a monetary penalty notice for £45,000 against Leave.EU Group Ltd. under s.55A of the Data Protection Act 1998 and an assessment notice under s.146 of the Data Protection Act 2018. She issued those notices because Leave.EU Group Ltd. had sent email newsletters to some of its supporters that contained unsolicited marketing material relating to Eldon Insurance Services Ltd. It appears that Eldon Insurance Services Ltd is now known as Somerset Bridge Insurance Services Ltd.

Leave.EU and Eldon appealed unsuccessfully to the First-Tier Tribunal (General Regulatory Chamber) (see Leave.EU Group Limited Eldon Insurance Services Limited v The Information Commissioner 2020 WL 01140646). They appealed to the Upper Tribunal which upheld the First-Tier Tribunal (see Leave.EU Group Limited and another v The Information Commissioner [2021] UKUT 26 (AAC)). With the Upper Tribunal's permission, they appealed to the Court of Appeal. On 1 Feb 2022, when the appeal was due to be heard, the Information Commissioner's legal representatives turned up at court but there was nobody from Leave.EU.

The Court asked the Information Commissioner's counsel what they should do. He replied that the Court could either dismiss the appeal for non-prosecution or decide the appeal on the Commissioner's oral and written submissions and Leave.EU's skeleton argument. The Commissioner was neutral as to the course that the Court should adopt but her counsel emphasized the importance of the issues under appeal. The Court decided (i) that it would not be just or appropriate to hear the substantive appeal in the absence of Leave.EU, (ii) that the Court was satisfied that Leave.EU was aware of the appeal hearing and had decided not to attend, and (iii) the appeal should be dismissed and that it would give its reasons in writing later.

The Information Commissioner and the tribunals below had found that Leave.EU and Eldon had contravened art 13 (1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) OJ L 201, 31.7.2002, p. 37–47. Leave.EU had appealed on the following grounds:

"First it contended that paragraph 22 did not prohibit the inclusion of any direct marketing information in an email which was otherwise solicited and not sent for direct marketing purposes, such as the political newsletters in this case. Secondly, Leave.EU contended that the FTT was wrong to hold that the subscribers had not freely consented to receive marketing information from Eldon, since they had consented to receive such material as Leave.EU felt might interest its subscribers. Thirdly, Leave.EU contended that the Information Commissioner ought to be regarded as having been required to give reasons for her decision, despite the absence of a statutory requirement to do so."

In its reasoned judgment, which was delivered on 8 Feb 2022, the Master of the Rolls described those issues as "important and in some respects novel" at para [19]. He was satisfied that the Court had power to hear the appeal in the absence of the appellant under CPR 52.20 and rule 38 of the Tribunal Procedure (Upper Tribunal) Rules 2008 as well as under its inherent jurisdiction, but thought it undesirable in the circumstances of this case to try to decide such important questions at the level of the Court of Appeal without full oral argument.

Lord Justice Lewison and Lady Justice Asplin agreed.

According to the Commissioner's counsel, Eldon had been sold to a third party on 31 Jan 2022 who had consented to judgment and reached an agreement with the Commissioner (see her Statement on an agreement reached between Somerset Bridge Insurance Services Limited and the ICO of 1 Feb 2022). The solicitors who had acted for both appellants had applied to come off the record a few days earlier. The Court had tried to communicate with Leave.EU's sole director but he did not respond to its approaches.

The failure of Leave.EU to take any steps in the appeal in the days leading up to the hearing is regrettable. As Sir Geoffrey Vos noted at [19], an appropriately qualified panel of the Court of Appeal had been ready to hear this case for many months. The issues upon which the Court had been asked to decide are likely to concern other parties, and cases of this kind do not come before the Court of Appeal often.

Anyone wishing to discuss this article or the procedural or standard issues may call me on 020 7404 5252 during normal business hours or send me a message through my contact form.

Tuesday, 11 January 2022

Information Rights - Driver v Information Commissioner

[Image: Ramsgate Sands in 1854, artist William Frith]
First Tier Tribunal (General Regulatory Chamber) (Upper Tribunal Judge Rintoul, J Randall and Raz Edwards) Driver v Information Commissioner and another [2021] UKFTT 2017-0218 (GRC)

In his preface to the white paper Your Right to Know (Cm 3818), the then Prime Minister, Tony Blair, introduced his government's proposals for a Freedom of Information Bill as one of several important constitutional reforms. Others included the Human Rights Bill, devolution statutes for Scotland and Wales and the Data Protection Act 1998. The government's intention was to redefine its relationship with the governed.

S.1 (1) of the Freedom of Information Act 2000 states that:
"Any person making a request for information to a public authority is entitled—
(a) to be informed in writing by the public authority whether it holds information of the description specified in the request, and
(b) if that is the case, to have that information communicated to him."

However, those rights are subject to several exceptions pursuant to s.1 (2) and s.2 (1), (2) and (3) (g) of the Act. One of those exceptions is s.41:

"(1) Information is exempt information if—
(a) it was obtained by the public authority from any other person (including another public authority), and
(b) the disclosure of the information to the public (otherwise than under this Act) by the public authority holding it would constitute a breach of confidence actionable by that or any other person.
(2)  The duty to confirm or deny does not arise if, or to the extent that, the confirmation or denial that would have to be given to comply with section 1 (1) (a) would (apart from this Act) constitute an actionable breach of confidence."
In Higher Education Funding Council for England v Information Commissioner and another (unreported, 13 Jan 2010), the Information Tribunal held that a public authority seeking to rely on that exception would have to show that the disclosure would be likely to give rise to a successful action for breach of confidence:

"Our conclusion on this part of the case, therefore, is that the HEFCE must establish that disclosure would expose it to the risk of a breach of confidence claim which, on a balance of probabilities, would succeed. This includes considering whether the public authority would have a defence to the claim. Establishing that such a claim would be arguable is not sufficient to bring the exemption into play."

An example of such a claim was Driver v Information Commissioner and another [2021] UKFTT 2017_0218 (GRC).

The information in question was the identity of certain claimants and the amounts paid to each of them in an out of court settlement with a local authority that had banned the transport of live animals through its port in contravention of EU law. Those claimants had successfully challenged the ban in the Chancery Division on the grounds that it breached art 35 of the Treaty on the Functioning of the European Union. They subsequently claimed damages for losses occasioned by the ban.

A local resident who had opposed live animal exports asked the authority for the above information under s.1 (1) of the Freedom of Information Act 2000. The authority declined on the ground that disclosure of that information would be an actionable breach of confidence. The resident asked the Information Commissioner to intervene. The Commissioner sided with the local authority. The resident appealed successfully against the Commissioner's decision to the General Regulatory Tribunal. The Tribunal held that s.41 did not apply because the withheld information had not been obtained by the local authority (see Driver v Information Commissioner and another [2017] UKFTT 2017_0040 (GRC)). The Information Commissioner appealed to the Upper Tribunal which allowed the appeal and remitted the case to a differently constituted first instance tribunal (see Information Commissioner v Driver and another [2020] UKUT 333 (AAC)). The Upper Tribunal directed the new tribunal to proceed on the basis that the threshold condition in s.41 (1) (a) of the Act had been satisfied. That is to say, the claimants' names constituted information obtained by the public authority from another person.

In the remitted proceedings the tribunal took as its starting point the following passage from the judgment of Mr Justice Megarry (as he then was) in Coco v A N Clark (Engineers) Ltd [1968] FSR 415:

"In my judgment, three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene, M.R. in the Saltman case on page 215, must “have the necessary quality of confidence about it”. Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it. I must briefly examine each of these requirements in turn."

The tribunal was satisfied that the information in question was passed to the local authority in the course of negotiations for compensation. The object of those negotiations was to achieve an out of court settlement. At para [33] of its decision it said:

"There are good reasons of public policy why such negotiations are conducted with an expectation of confidentiality, not least of which is to encourage parties to settle disputes without the need to go to court. These negotiations were, we accept, carried out on a without prejudice basis. That, in turn, prevents the parties from revealing later what was discussed. The corollary of that is to impose a duty of confidentiality as, otherwise, the basis of without prejudice communications would be undermined. We find that is so irrespective of the fact that there was no express agreement to keep matters confidential; that was not necessary given the nature of the negotiations."

The resident had submitted that the information was not confidential because the identities of the claimants were well known. They may have been witnesses in previous litigation. Their names, photographs and videos had been circulated over the internet. That was true, but what that evidence did not do was "identify with any certainty any entity, real or corporate, as having been in receipt of compensation or, importantly, the amount paid to each." Accordingly, the confidential nature of the information had been retained and the obligation of confidence had not been waived. The tribunal was satisfied that the information had "the necessary quality of confidence about it" and had been "transmitted in circumstances importing an obligation of confidence."

Turning to the question of detriment, the tribunal said at [42]:

"We consider that there is a detriment in the disclosure of withheld material in that the material was supplied on the basis that it was to be kept confidential. The parties clearly proceeded on that basis. The fact that they had done so, and had suffered loss, is something that they wished not to be known."

The tribunal reminded itself that its role was to consider only whether it was more likely than not that a court would find a breach of confidence. Given the particular circumstances in which the information had been imparted and the relationship of trust that would have been created, the disclosure of the information to the resident would have met the detriment requirement.

The tribunal acknowledged that there are circumstances in which the public interest outweighs the obligation of confidence. In this case, significant weight was to be attached to the public interest in keeping confidential negotiations undertaken on a without prejudice basis. All the parties who had entered into those negotiations did so on the assumption that they would be kept confidential. It was an assumption they were rightly entitled to hold. The tribunal accepted that the public was entitled to know how its money was spent and to whom, but the amount of the settlement and the reason for entering into it were already in the public domain. There was no need to disclose more. The tribunal concluded at [51] that the withheld material was exempt information by operation of s.41.

Anyone wishing to discuss this article may call me on 020 7404 5252 or send me a message through my contact form.

Sunday, 12 September 2021

Consultation on Changing the Data Protection Laws
Jane Lambert

In his press release of 26 Aug 2021, which I discussed in Dowden's Data Protection Plans on 27 Aug 2021, Oliver Dowden MP, Secretary of State for Digital, Culture, Media and Sport, announced a consultation on changes to the UK's data protection laws. That consultation was launched on 10 Sept 2021 with the publication of the consultation document, Data: a New Direction. Responses must be submitted by 19 Nov 2021.

The consultation document is 146 pages long and is divided into an introduction, 5 chapters, a page on whom the Department for Digital, Culture, Media and Sport ("DCMS") is seeking to consult, how to respond and what happens next, and a privacy notice. DCMS states that it is keen to hear from "a representative cross section of society, ensuring diversity and inclusion". It believes that the consultation will have particular relevance to

  • Individuals
  • Start-ups and small businesses
  • Technology companies and data-driven or data-rich companies
  • Investors in technology and data-driven or data-rich companies
  • Civil society organisations focused on consumer rights, digital rights, privacy and data protection
  • Academics, and research and policy organisations with a particular interest in the role of data in the economy and society, or as data controllers in their own right
  • Organizations involved in international data standards, regulation, and governance
  • Law firms and other professional business services.

Respondents are urged to use the DCMS's online survey platform but responses can also be submitted by email or post. The DCMS will publish its response in due course.

The 5 chapters are as follows:
  • Chapter 1 - Reducing barriers to responsible innovation
  • Chapter 2 - Reducing burdens on businesses and delivering better outcomes for people
  • Chapter 3 - Boosting trade and reducing barriers to data flows
  • Chapter 4 - Delivering better public services, and
  • Chapter 5 - Reform of the Information Commissioner's Office.

The reasons for reducing barriers to responsible innovation are set out in para 30:

"The government has heard from stakeholders that elements of the law can create barriers to responsible innovation. Some definitions are unclear and lack explanatory case law or regulatory guidance that could take years to develop; organisations may choose not to use data as fully as they could owing to unfounded concerns about legality. For example, the rules for some organisations to use and to re-use personal data for research are difficult to navigate, despite the public being generally in favour of their personal data being used for scientific research that can deliver real benefits to society. The government has also heard evidence that uncertainty about when different lawful grounds for processing personal data should be used has led to an overreliance on seeking consent from individuals. This creates an unnecessary burden for consumers as well as for organisations. Finally, the increasing adoption and potential of new data-driven technologies is dependent on clear and consistent rules about the use of personal data."

The criticism of the present system is contained in para 139:

"The current legislation is based on a model that prescribes a series of activities and controls that organisations must adopt in order to be considered compliant. Although a key goal of the EU's GDPR was to create a regime that focussed on the accountability of organisations, the current model, in practice, tends towards a ‘box-ticking’ compliance regime, rather than one which encourages a proactive and systemic approach, and risks undermining the intentions of the principle of accountability."

One of those burdens is said to be subject access requests. It is said that organizations have difficulty in processing such requests and with the threshold for making requests. One of the solutions canvassed by the DCMS is the reintroduction of a fee for subject access requests, and that is one of the proposals on which the Department is consulting.

On "Boosting trade and reducing barriers to data flows" the DCMS explains at 240:

"Recent legal developments, including the Schrems II judgment, have made it more difficult for UK data exporters to transfer personal data overseas (see explanatory box below). The invalidation of the Privacy Shield by this judgment was particularly disruptive given the volume of trade it supported and the very many small and medium-sized businesses that were relying on it. Outside of the European Union, the UK has an opportunity to consider both the impact of this judgment on its transfers regime and how best to support international data flows in the future."

Data protection law became horrendously complex with the adoption of the General Data Protection Regulation and the implementation of the Law Enforcement Directive by the Data Protection Act 2018 on 25 May 2018. Brexit has greatly exacerbated that complexity. A snapshot of the current law since the expiry of the transition or implementation period on 31 Dec 2020 is set out in The Data Protection Legislation which I published on 28 Aug 2021.

Anyone wishing to discuss this article or any of its contents can call me on 020 7404 5252 during normal office hours or send me a message through my contact form at other times.

Friday, 27 August 2021

Dowden's Data Protection Plans


Jane Lambert

In the last few months, this government has made one ambitious promise after another. In his foreword to Global Britain in a competitive age, the Prime Minister wrote that his government's aim is for the UK to become a science and tech superpower by 2030 (see NIPC Brexit 19 March 2021). In his foreword to the UK Innovation Strategy Leading the future by creating it, Kwasi Kwarteng, Secretary of State for Business, said that the UK would be in science and technology what it is in finance (see UK Innovation Strategy, NIPC Inventors Club 12 Aug 2021). With similar hyperbole, Oliver Dowden, Secretary of State for Culture, Media and Sport, has announced "a world-leading data regime" by "forging new global partnerships and designing our own common sense data laws" (see UK unveils post-Brexit global data plans to boost growth, increase trade and improve healthcare DCMS press release 26 Aug 2021).

The Press Release

Mr Dowden's press release makes three announcements:
  • an intention to negotiate "data adequacy partnerships" with Australia, Colombia, the Dubai International Financial Centre, Singapore, South Korea and the USA;
  • the appointment of John Edwards, the New Zealand Privacy Commissioner, as the next Information Commissioner; and
  • a consultation on changes to the UK's data protection laws "to break down barriers to innovative and responsible uses of data so it can boost growth, especially for startups and small firms, speed up scientific discoveries and improve public services."

Data Protection Legislation

On 25 May 2018, the General Data Protection Regulation ("GDPR") came into force across the European Union including the UK. Art 94 of the GDPR repealed Directive 95/46/EC which had been implemented in the UK by the Data Protection Act 1998. As it was a regulation of the European Council and Parliament, the GDPR took effect automatically. The UK Parliament enacted the Data Protection Act 2018 which repealed the Data Protection Act 1998, supplemented the GDPR and applied a broadly equivalent regime to certain types of processing to which the GDPR did not apply.

When the UK left the EU on 31 Jan 2020, the GDPR remained in force in the UK during the transition or implementation period that ended on 31 Dec 2020 pursuant to art 127 of the withdrawal agreement. At the end of the transition period, the GDPR was incorporated into English, Welsh, Scots and Northern Irish law by s.3 (1) of the European Union (Withdrawal) Act 2018. Reg 3 and Sched. 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019 No 418) amended the provisions of the GDPR that have been incorporated into domestic law. Reg 4 and Sched 2 of those regulations amended the Data Protection Act 2018.

Transfer of Data Abroad

A fundamental principle of all data protection laws is that personal data should not be transferred abroad without adequate safeguards for its protection. Art 44 of the GDPR provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation."

One of the conditions on which personal data may be transferred overseas is set out in art 45 (1):

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The decision of whether a third country provides adequate protection depends on a number of elements set out in art 45 (2). The Commission has already made an adequacy decision in favour of the UK by its Decision of 26 June 2021 which I discussed in Commission Adequacy Decisions on 29 June 2021.

Amendments to Art 45

Para 38 (2) of Sched 1 of The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 changed art 45 (1) of the GDPR to:

"A transfer of personal data to a third country or an international organisation may take place where it is based on adequacy regulations (see section 17A of the 2018 Act). Such a transfer shall not require any specific authorisation."

Para 38 (3) of that Sched deleted most of the rest of the article. Para 23 of Sched 2 inserted new sections 17A, 17B and 17C into the Data Protection Act 2018. Those new sections contain new provisions for determining the adequacy of other countries' protection of personal data. These include the power to make regulations.

Para 42 of Sched 2 inserted new sections 74A and 74B into the Data Protection Act 2018. These provide for the transfer abroad of data not covered by the GDPR in accordance with the above-mentioned regulations. S.74A (4) of the Act is in substantially the same terms as art 45 (2) of the GDPR.

"Adequacy Partnerships"

The pairing of the noun "partnership" with the adjective "adequacy" suggests that adequacy decisions could depend on reciprocity and commercial advantage rather than the criteria in art 45 (1). The press release reinforces that impression:

"The government believes it can unlock more trade and innovation by reducing unnecessary barriers and burdens on international data transfers, thereby opening up global markets to UK businesses. In turn this will help give UK customers faster, cheaper and more reliable products and services from around the world."

 Those concerns are at least partially allayed by the "Test for Adequacy" section of the guidance note International data transfers: building trust, delivering growth and firing up innovation published on 26 Aug 2021.  On paper, at least, the test for adequacy is objective and not dissimilar to the test in art 45 (2) of the GDPR. 

Risk of Losing the European Commission Adequacy Finding

A problem of seeking adequacy partnerships with countries operating very different regimes for protecting personal data is that the Commission could revoke its decision on the adequacy of protection in the UK under art 3 (4) of that Decision. That paragraph provides:

"Where the Commission has indications that an adequate level of protection is no longer ensured, the Commission shall inform the competent United Kingdom authorities and may suspend, repeal or amend this Decision."

Such a situation could arise if data were to flow without restriction from the EU to the UK and then from the UK to the USA, but not directly from the EU to the USA. It would be unfortunate if the UK jeopardized its adequacy status with the European Economic Area in a quest for more distant and generally smaller markets overseas.

Consultation

There is as yet no green paper or consultation on changing the law.   The only indication of what the government has in mind at this stage is that it believes improved data sharing could help deliver more agile, effective and efficient public services and help make the UK a science and technology superpower.   

Further Information

Anyone wishing to discuss this article or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.

Tuesday, 29 June 2021

Commission Adequacy Decision

Image: European Commission (author EmDee, licence CC BY-SA 4.0, source Wikimedia Commons)

Jane Lambert

The uninterrupted exchange of personal data across borders is vital for the financial and other service industries. As I noted in Another Data Protection Act! "You're joking! Not another one!" - A Short History of Data Protection Legislation in the UK 23 Sept 2017 NIPC Law, it was restrictions on the transfer of personal data from countries that had enacted data protection legislation, rather than the Younger and Lindop reports, that prompted Parliament to enact the first Data Protection Act in 1984. Until 23:00 on 31 Dec 2020 businesses in the UK could rely on art 1 (3) of the General Data Protection Regulation (Regulation (EU) 2016/679), which provides that the free movement of personal data within the European Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data. That was because EU law continued to apply to the UK between 23:00 on 31 Jan and 23:00 on 31 Dec 2020 pursuant to art 127 (1) of the agreement by which the UK withdrew from the EU.

Upon the expiry of that period, the United Kingdom became a "third country" for the purposes of art 44 of the GDPR.  That article provides:

"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."

Art 45 (1), however, provides:

"A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation."

The rest of that article sets out the criteria by which the Commission can make such a decision and the procedure for reaching it.

By a decision dated 28 June 2021 (Commission Implementing Decision of 28.6.2021 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4800 final)), the Commission has decided that for the purposes of art 45 of the GDPR the UK ensures an adequate level of protection for personal data transferred within the scope of the GDPR from the EU to the UK. The decision consists of 93 pages almost all of which are recitals setting out the Commission's reasons.  The decision on adequacy is contained in art 1 (1).  Art 3 (1) of the Decision requires the Commission to "monitor the application of the legal framework upon which this Decision is based, including the conditions under which onward transfers are carried out, individual rights are exercised and United Kingdom public authorities have access to data transferred on the basis of this Decision, with a view to assessing whether the United Kingdom continues to ensure an adequate level of protection within the meaning of Article 1." The Commission has power under art 3 (4) to suspend, repeal or amend the decision where it has indications that an adequate level of protection is no longer ensured.  It can also suspend, repeal or amend the decision under art 3 (5) if a lack of cooperation of the UK government prevents the Commission from determining whether the finding in art 1 (1) is affected.   The decision shall expire on 27 June 2025, unless extended in accordance with art 93 (2) of the GDPR.

Art 1 (2) of the decision makes clear that it does not cover personal data that is transferred for purposes of UK immigration control or that otherwise falls within the scope of the exemption from certain data subject rights for purposes of the maintenance of effective immigration control pursuant to para 4 (1) of Sched. 2 to the Data Protection Act 2018.  Art 2 (2) (d) of the GDPR states that the regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.   Such processing is regulated by the Law Enforcement Directive (Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA). 

Art 35 (1) of the directive imposes the following obligation upon EU member states:

"Member States shall provide for any transfer by competent authorities of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation including for onward transfers to another third country or international organisation to take place, subject to compliance with the national provisions adopted pursuant to other provisions of this Directive, only where the conditions laid down in this Chapter are met, namely:
(a) the transfer is necessary for the purposes set out in Article 1 (1);
(b) the personal data are transferred to a controller in a third country or international organisation that is an authority competent for the purposes referred to in Article 1 (1);
(c) where personal data are transmitted or made available from another Member State, that Member State has given its prior authorisation to the transfer in accordance with its national law;
(d) the Commission has adopted an adequacy decision pursuant to Article 36, or, in the absence of such a decision, appropriate safeguards have been provided or exist pursuant to Article 37, or, in the absence of an adequacy decision pursuant to Article 36 and of appropriate safeguards in accordance with Article 37, derogations for specific situations apply pursuant to Article 38; and
(e)  in the case of an onward transfer to another third country or international organisation, the competent authority that carried out the original transfer or another competent authority of the same Member State authorises the onward transfer, after taking into due account all relevant factors, including the seriousness of the criminal offence, the purpose for which the personal data was originally transferred and the level of personal data protection in the third country or an international organisation to which personal data are onward transferred."
Art 36 of the Law Enforcement Directive is very similar to art 45 of the GDPR. By Commission Implementing Decision of 28.6.2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the adequate protection of personal data by the United Kingdom (C(2021) 4801 final) the Commission found that the UK ensures an adequate level of protection for personal data transferred from the EU to UK public authorities responsible for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties for the purposes of art 36. The decision requires the Commission to monitor the UK government's compliance with the legal framework and enables the Commission to suspend, repeal or amend the decision in the event of non-compliance or non-cooperation. Subject to that provision, the decision also remains in force until 27 June 2025.

In an ICO statement in response to the EU Commission’s announcement on the approval of the UK’s adequacy, the Information Commissioner said:
“This is a positive result for UK businesses and organisations.
Approved adequacy means that businesses can continue to receive data from the EU without having to make any changes to their data protection practices.
Adequacy is the best outcome as it means organisations can carry on with data protection as usual. And people will continue to enjoy the protections that their data will be used fairly, lawfully and transparently.
The result is also a testament to the strength of the UK’s data protection regime.”

Anyone wishing to discuss this article or data protection generally may call me on 020 7404 5252 during office hours or send me a message through my contact form.