Posted by Josh Townsend on May 23, 2016.
In October of last year, the EU’s longstanding Safe Harbor agreement with the US was overturned, ultimately thanks to the activism of Maximillian Schrems, an Austrian law student. Known as the Schrems Ruling or Schrems Decision, the European Court of Justice ruled that the Safe Harbor agreement with the US was unconstitutional, and in fact was never legal. The agreement was, in essence, a set of guidelines that allowed personal data to be exported from the EU to certain US companies and organisations which met the criteria to handle that data safely.
This changed the landscape of privacy in the EU almost overnight, leaving a huge gap in the regulations. Although not directly relevant to the EU’s General Data Protection Regulation (GDPR), the Schrems ruling, as we shall see, is likely to have a major effect on the way the European data protection laws are interpreted by courts in the future.
On 4 May 2016, the final text of the GDPR was published in the EU Official Journal. It will come into effect on Tuesday, 24th of May 2016, and be effective within all member states by 24th of May 2018, two years later. The GDPR was originally an attempt to unify data protection law throughout Europe. In its current state, it’s unlikely to achieve that objective.
The text itself by no means comes across as a piece of authoritative legislation. The word ‘may’ occurs more than 200 times, giving an almost indecisive impression, as if privacy ‘may’ be a good thing. In the following example, the word ‘may’ is actually used to offer member states the option of implementing – or not – a particular clause. Recital 27 states: “This Regulation does not apply to the personal data of deceased persons. Member states may provide for rules regarding the processing of personal data of deceased persons”.
For clarification, Recitals are not part of the formal regulation, but provide additional information designed to help in the interpretation of the law. They appear in the same document, preceding the full, formal regulation. One part of the GDPR that really stands out is Recital 142. It starts:
“Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to mandate a not-for-profit body, organisation or association which is constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest and is active in the field of the protection of personal data to lodge a complaint on his or her behalf with a supervisory authority, exercise the right to a judicial remedy on behalf of data subjects or, if provided for in Member State law, exercise the right to receive compensation on behalf of data subjects…”
This means that if one’s privacy rights have been violated, anyone has the right to ask an organisation like Privacy International for help. In turn, Privacy international has the right to take up that case and act on an individual’s behalf. This is great news, and provides citizens with some recourse if their personal data is abused. The second half gets even better:
“A Member State may provide for such a body, organisation or association to have the right to lodge a complaint in that Member State, independently of a data subject’s mandate, and the right to an effective judicial remedy where it has reasons to consider that the rights of a data subject have been infringed as a result of the processing of personal data which infringes this Regulation. That body, organisation or association may not be allowed to claim compensation on a data subject’s behalf independently of the data subject’s mandate.”
In short, Recital 142 allows for non-governmental organisations to take action against breaches of privacy without needing to be asked. They still cannot claim compensation without the wronged citizen’s mandate, but this still functions as an invitation for legitimate privacy NGOs to help enforce the GDPR through the courts. It is a very clear indication that the EU is taking the personal privacy of its citizens very much to heart.
But, once again, this is a Recital, not the formal regulation, and a spanner is thrown in the works by that single word, ‘may’. “A Member state may provide…”. What a member state may do, it equally may not do. So what about our particular member state? To try and get a better idea of the UK’s policy on the GDPR and Recital 142, itsecurity.co.uk contacted the Information Commissioner’s office on the 19th of April, with two questions:
“Can you tell me whether the UK intends to implement this aspect of GDPR, or whether it is one of the areas of flexibility that will be omitted?”
“Could you also tell me whether it is the ICO’s position that this recital should or should not be implemented, and what effect the ICO thinks its inclusion or omission would have on business?”
The ICO responded very quickly:
“[…]you are going to have to go to the DCMS [Department for Culture, Media and Sport] to get a response on this one. At this stage in the proceedings it’s a matter for the Government not the regulator,
It’s counter-intuitive to say the least for the Information Commissioner’s Office to redirect a query on personal privacy to the Department for Culture, Media and Sport. Nonetheless, the ICO doesn’t know the government’s plans with regards to the GDPR, which is fair enough. An adequate answer.
What’s far from adequate is the response to our second question. The ICO will be part of the GDPR’s new Data Protection Board, the replacement for the Article 29 Working Party. One of the Board’s main duties, as specified in the GDPR, is to help ensure consistent application of the GDPR across Europe (Article 70). In doing this, it must act as an independent body, outside the influence of any existing power (Article 69: “…the Board shall, in the performance of its tasks or the exercise of its powers, neither seek nor take instructions from anybody”). To do this properly, the ICO should have a view on all aspects of the GDPR, independent of the UK or any other government. Having his own view on the recital in question is virtually part of the job description.
So we approached the DCMS with the same query, and eventually received a reply on the 18th of May. Most pertinent to our query was this part of the response:
“The Government’s overall aim throughout the negotiations on the new EU GDPR has been to achieve workable and proportionate EU data protection rules that support the protection of personal data while creating the right conditions for innovation and economic growth in the UK.”
Not as clear-cut an answer as it might be, but one which demonstrates a few things about the UK’s position. It shows that the government is aware that there is a balance to be struck between being attractive to business and protecting its citizens – or at least, is aware that cutting out too much of the GDPR could result in repercussions from Europe. What it doesn’t tell us is exactly where the UK is likely to find that balance. In order to find out, we need to glean information from other Government comments on the GDPR.
Some countries, such as France, Germany and Finland are likely to implement the optional clauses to take the regulation to its maximum force. The UK, on the other hand, is showing every sign that it will try to implement the GDPR as minimally as possible. In January, HawkTalk commented on a statement made by Baroness Neville-Rolfe, minister for intellectual property:
“However, the devil for implementation is in the detail as Member States have flexibility to adapt more than 50 GDPR provisions. Thus, until these exceptions are expressed by UK national law, the precise GDPR implementation in the UK is up in the air. The Minister [Baroness Neville-Rolfe] said that with respect to such flexibility, the UK would take advantage of “all possible legislative discretion” in order to minimise the burden on business.”
More than that, an official government statement on Article 43a of the GDPR states:
“As a result of concerns relating to the integrity of the UK legal system, the UK will not exercise the opt-in to the parts of Article 43a which trigger the Protocol 21.”
The “integrity of the UK legal system” is a vaguely-worded excuse for opting out of this article. The real reason is more likely related to the fact that 43a would directly inhibit the ability of another body from demanding European data. In a hypothetical situation, the US government could demand a UK citizen’s personal data stored on Microsoft servers in London, with no more authority than FISA – the Foreign Intelligence Surveillance Act, an exclusively US law. Article 43a would prevent this data being shared unless it was via a separate treaty, such as the UK/US Mutual Legal Assistance Treaty.
The UK government wants Britain to be a good place to do business. Extensive privacy laws can be onerous on businesses, especially those who benefitted from the old Safe Harbour agreement. But in sacrificing so much of the privacy regulations, the UK will cross the line from supporting business to abandoning its people.
The Schrems ruling gives the UK government another line to worry about crossing, should it choose to do so. Paragraph 66 states:
“…a decision adopted pursuant to that provision, such as Decision 2000/520, by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.”
HawkTalk interprets this to mean that data protection authorities can act independently of their own national governments where the GDPR is concerned:
“I would argue that Schrems allows a Supervisory Authority to assess, for instance, the lawfulness of the processing by a Member State. To paraphrase the judgement: ‘…the fact that a Member State enacts a law does not prevent a supervisory authority from examining the law in force in a Member State to ensure the processing is lawful…’.”
The UK’s track record with privacy in the EU is already bad, having had an infraction case brought against it in 2010 and another threatened in 2014. Should the government choose to go for ‘GDPR Lite’ and implement as little privacy protection as possible, the UK could still run afoul of a supervisory body if it fails to protect its citizens’ data.
Whether or not the UK implements Recital 142 will give a pretty clear-cut indication of which is more valuable; citizens’ privacy or business’ profits. There is very little set in stone, but we can read the signs. The UK already has an outstanding infringement notice from the EU Commission for failure to implement the original data protection directive adequately. Baroness Neville-Rolfe has already implied that the government will exercise maximum flexibility to minimize the impact of the new regulations. As for Recital 142 itself, both the ICO and DCMS have declined to confirm any intention to implement it.
The General Data Protection Regulation leaves almost as much scope for opting out of its own regulations as it does for protecting privacy in the EU. The Regulation’s unfolding over the next two years will show whether the UK cares more for business’ profits or the privacy of its citizens. As much as GDPR has the potential to secure and maintain privacy, the immense flexibility afforded by the Recitals and that word ‘may’ far from guarantees real personal data protection in all member states. But for now, it seems at least some governments are finally acknowledging that privacy may be a good idea.Submitted in: Expert Views, Josh Townsend, News |