Saturday 26 August 2017

HMG's Exchange and Protection of Personal Data Position Paper














Jane Lambert

Even though it has absolutely nothing to do with the rights of the citizens of the remaining member states in the UK or those of British citizens rights in the remaining member states, the Irish border or our residual financial commitments to the EU budget that are the subject of the present art 50 negotiations. our government has published a position paper entitled  The exchange and protection of personal data. The paper discusses how the UK could continue to cooperate with the Commission and the supervisory authorities of the other member states on data protection if and when it leaves the EU in March 2019.

The government's thinking is not hard to discern.  Despite attempts by the Coalition and Conservative Governments to rebalance the British economy since 2010, it remains overwhelmingly services orientated. Financial services are particularly important to the United Kingdom and these depend on the free flow of personal data.  If and when we leave the European Union, the General Purpose Data Protection Regulation will cease to apply to us and we shall become a "third country" for the purposes of the Regulation.

Art 44 of the Regulation would then apply:
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
In other words, the unrestricted flow of personal data between financial institutions in the UK and their customers, suppliers and partners in the remaining EU member states, which is the lifeblood of the banking, insurance, fintech and so many other industries, ceases unless and insofar as the provisions of Chapter V of the Regulation can be met.

The position paper seems to be a response to art 44 of the Regulation. Paragraph 4 of the paper states:
"After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal."
Paragraph 6 emphasizes the UK's vulnerability in this regard:
"Estimates suggest that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries, and has an economy dominated by service sectors in which data and data flows are increasingly vital. The UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population, but the value of data flows to the whole economy and the whole of society are greater still."
As the next paragraph notes, any disruption of cross-channel data flows would harm both the UK and the remaining member states but it would harm the UK more because financial services are so important to this country. Moreover, disruption of data flows between London and the rest of the EU might be the ill wind that diverts business and investment from London to continental financial centres and Dublin.

The paper is very short - some 15 pages including the covers.  The first 4 paragraphs are an executive summary.  The next 5 are an introduction which stresses the importance of transborder data flows for financial services and security cooperation. The following 3 headed "Context" explain why states need data protection laws. The paper traces the UK's commitment to data protection back to Younger though it omits to mention that a major incentive to implement our own data protection legislation was the refusal of the Swedish data protection authority on 12 April 1974 to allow a Swedish local authority to transmit health and social security records to a British company that had contracted to supply plastic identity tags. The next four paragraphs summarize the General Data Protection Regulation and the Data Protection Directive and the UK's plan to continue the protection afforded by that legislation with a new Data Protection Bill (see my article What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit). Other international arrangements for data protection such as the Council of Europe Convention and the OECD Guidelines on Transborder Data Flows are discussed in paragraphs 17 and 18.

The really interesting bits of the paper are paragraphs 19 and 22 which outline the UK's objectives. Paragraph 21 states that it is the UK’s ambition to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules and paragraph 22 explains why:
"as the UK and the EU build a new, deep and special partnership, it is essential that we agree a UK-EU model for exchanging and protecting personal data, that:
  • maintains the free flow of personal data between the UK and the EU; 
  • offers sufficient stability and confidence for businesses, public authorities and individuals; 
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; 
  • continues to protect the privacy of individuals; 
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection; 
  • does not impose unnecessary additional costs to business; and 
  • is based on objective consideration of evidence."
The remainder of the paper discusses the close cooperation between the Information Commissioner and her opposite numbers elsewhere and the undoubted advantages of maintaining that cooperation. Realistically, the paper also includes an annexe on how businesses can comply with Chapter V of the Regulation if there is no UK-EU model but observes that that would be much more burdensome for business than somehow finding a way to continue the existing arrangements.

The paper shows that a UK-EU model for exchanging and protecting personal data is something that the British need badly from the art 50 negotiations. It is not yet on the formal agenda and if I were advising Michel Barnier and his team I would not be in a hurry to put it on the agenda unless and until we see some movement on the rights of citizens at least equivalent to those of investors in bilateral investment treaties and maybe a little bit more money into the divorce settlement.

Should anyone wish to discuss this article or data protection law generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Friday 11 August 2017

Welcome to NIPC Data Protection

Jane Lambert











On 25 May 2018 the General Data Protection Regulation ("the GDPR") takes effect in every member state of the European Union including the United Kingdom. The position has been complicated in this country by last year's referendum on EU membership which means that the Regulation will cease to apply to the UK on the 29 March 2019 when we leave the EU unless there is evidence of a sufficient change of heart on the part of the public to persuade the government to change tack.

A fair size industry of consultants, publishers and conference organizers has grown up to prepare businesses for the introduction of this legislation. As Elizabeth Denham, our Information Commissioner has pointed out in GDPR – sorting the fact from the fiction 9 Aug 2017, there have been a lot of scare stories about the GDPR and not a little misinformation. There will be some changes as a result of the GDPR.  Data subjects will get new rights on 25 May 2018 and there will be increased sanctions for non-compliance. Those changes, however, are evolutionary rather than revolutionary. It should not be too difficult to prepare for them or to manage them.

Because it is a regulation rather than a directive, the GDPR does not require any implementing legislation.  However, there will be a new data protection statute for the United Kingdom for three reasons. The first is to transpose the Data Protection Law Enforcement Directive into the laws of the United Kingdom. The second is to confer rights on data subjects that are not provided by the GDPR such as the right to require social media platforms to delete information held on them at age 18. The third reason for the new Act is to preserve the provisions of the GDPR after Brexit day as I noted in
What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit.

Like the Data Protection Directive which it replaces, the policy of the GDPR is to give effect to the Council of Europe Data Protection Convention and the OECD Guidelines on Transborder Data Flow having regard to changing technology and applying the experience of the operation of the Data Protection Directive. As before, the objectives are to facilitate transborder data flow while protecting the privacy and other interests of individuals

The Data Protection Law Enforcement Directive is new. It seeks to harmonize the use of information technology by law enforcement agencies throughout the member states. However, that legislation also traces its wellspring the Council of Europe's Data Protection Convention which itself applies the European Convention on Human Rights to data processing. Art 63 (1) of the Law Enforcement Directive requires member states to transpose it into national law by 6 May 2018.

Over the next few weeks I shall write about various aspects of the Law Enforcement Directive and the GDRP as the 6 and 25 May 2018 draw closer. I shall also write about the Data Protection Bill as it makes its way through Parliament. I have started with a glossary as the terminology used in the GDPR is different from that of the Data Protection Directive. In that endeavour, I hope to remove some of the hot air and panic about the new legislation.

Should anyone wish to discuss this article or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.