This blog post is a report of yesterday’s meeting in the House of Lords with the Minister (Baroness Neville-Rolfe), three ICO officials, four DCMS civil servants and thirty other stakeholders representing primarily the interests of data controllers. It concerned the Government’s implementation of the General Data Protection Regulation (GDPR).
First of all, it appears that the negotiated GDPR text has been accepted by the UK Government; the Minister referred to the remaining EU processes as being “formalities”. She said that there would be a Council of Ministers (Justice and Home Affairs) meeting in March and that a final nod of approval is expected then (if not earlier).
Given that EU lawyers will then have to crawl over the published text so the new law means the same in all EU jurisdictions, I expect the GDPR to appear in the Official Journal in June/July this year. The subsequent two-year implementation period means that commencement is in the second half of 2018.
The countdown clock is definitely ticking.
Minimising the burdens on data controllers
However, the devil for implementation is in the detail as Member States have flexibility to adapt more than 50 GDPR provisions. Thus, until these exceptions are expressed by UK national law, the precise GDPR implementation in the UK is up in the air. The Minister said that with respect to such flexibility, the UK would take advantage of “all possible legislative discretion” in order to minimise the burden on business.
Warming to this theme, the Minister stated that the UK Government had managed to remove several prescriptive elements from the draft Regulation text.
These included: a small business exception from the need to have a Data Protection Officer; the imposition of disproportionate financial penalties for transgressions; excessive personal data loss reporting to the ICO; the requirement for “explicit consent” of the data subject (it is now “unambiguous consent”); and parental consent being required for under-16-year-olds (it is now left to Member States to decide the age of “data protection consent”).
However, there were a few Ministerial moans about provisions that were judged as still being burdensome; these included the so-called “Right to be forgotten” and the prospect of lengthy “one stop shop” shenanigans.
Another problem relates to the Recitals which are intended to guide the European Court of Justice when the law is interpreted. Reading the GDPR, it is clear that a great deal of controversial stuff has been dumped into the Recitals by the negotiators.
For instance, subject access can be inferred to be free in Article 15(1b) but is explicitly free in Recital 47. So at the meeting I asked the simple question: “Will the UK national law and ICO take account of Recital 47 in the drafting? Will Subject Access be free?”
No-one knew the definitive answer; but definitive answer there has to be. I am convinced that the European Data Protection Board (EDPB), whose job is to have a Euro-wide consistent interpretation of the GDPR, will say “free access”. In general, I suspect the deliberate placement of difficult issues into the Recitals is a device to boot difficulties into the long grass.
This is not an academic point. For instance, Recital 26 of Directive 95/46/EC states that if identification of an individual by a third party is fairly straightforward, then the data controller is processing personal data even if the data controller does not itself hold the information that leads to identification of the data subject. This interpretation does not feature in the definition of “personal data” in the Data Protection Act 1998, nor in ICO Guidance on “personal data”.
This is the same for the GDPR. The relevant Article 4 definitions say nothing about this third party identification point, but Recital 23 clearly does. In other words, it will be interesting to see whether the ICO Guidance and the UK Government law will reflect the Recitals or not.
If it is the latter, I suspect the EDPB will be making a number of judgments about the UK law. UK Politicians in future can then blame any subsequent hiatus on an unelected Euro body – which is par for the course with the current political discourse.
The ICO representatives at the meeting stressed that the GDPR implementation was now their “top priority” and that the ICO is aiming to start producing implementation documentation. The first document is to be published in time for the ICO’s Annual Conference Bash in Manchester on March 15th; this will be a “key issues” document. One key issue is that the ICO is expecting a tenfold increase in data loss reports to it.
However, the ICO is keen to manage expectations, as many guidance issues will (eventually) be taken out of its hands. For example, if one looks a decade into the future and assumes a functioning EDPB which is operating its consistency mechanism, then the ICO’s general guidance could easily be the EDPB Euro-wide advice, translated into English.
With that in mind, the ICO reported that the Article 29 Working Party is morphing into a shadow EDPB, ready to activate once the GDPR is commenced in 2018. This means it will therefore be prudent to have regard for future WP29 reports, especially where the text relates to the interpretation of the Regulation.
Given that many large organisations need to make budgetary commitments to implement the GDPR in the year before commencement in 2018 (i.e. in the FY 2017/2018 at the latest), I expect the pressure will be on the ICO to have detailed GDPR guidance completed by the end of 2016. This is a very tight deadline given that we have no idea of the precise form of the legislation in the UK (e.g. which exemptions are going to apply).
There was a lot of discussion on implementation and it is clear that the Minister would prefer secondary legislation which would minimise Parliamentary Scrutiny. My own preference is for a draft Bill procedure that will minimise errors as it guarantees maximum involvement from data subjects as well as data controllers.
In addition, I don’t think it is proper to enact wide-ranging national UK exemptions that impact on 60 million UK data subjects in secondary legislation, where debate is minimal.
Such a new Data Protection Act could also include the new Data Protection Directive in the field of law enforcement and unify UK legislation in one place. This step would also be inclusive as all stakeholders have a chance to engage with the democratic process.
Darth Vader returns
I was quite surprised to learn that the Home Office is leading the implementation of the Data Protection Directive in the field of law enforcement. This is a backward step and returns to the dark ages of 1984 when the Home Office was responsible for data protection policy, and parked the subject in odds and ends units such as the “Home Office Liquor, Gambling and Data Protection Unit”.
My objection to the Home Office involvement is simple to express. The Department of State that is responsible for the agencies of the state that need to invade privacy as part of the day job (e.g. Police, MI5 and Immigration) should not be deciding the level of legislative protection for data subjects from such invasion.
In short, putting the Home Office in charge is like putting Count Dracula in charge of legislation to determine who can access NHS blood banks. Where on earth is the Ministry of Justice on this?
Safe Harbor hopes
Finally, there were comments on Safe Harbor 2. The Civil Servants close to the negotiations were “hopeful” that agreement would be reached, but the UK was powerless to do anything (other than to “encourage” agreement) as it was the European Commission that was doing the negotiating with the USA Administration.
The Minister stated that these negotiations “always go up to the wire” and pessimistic press briefings were par for the course. She also said that it was in the interest of both parties (the EU and USA) to come to agreement and that a “no agreement” result benefitted no one. That explained why she was “hopeful”.
Anyway, if you want more, I am holding half-day DP Regulation workshops in London on Jan 25th and March 2nd. See you there, perhaps?
We have a BCS DP Practitioner Qualification (starting in London on Jan 26 and April 12, and in Edinburgh on April 25). BCS DP Foundation Certificate (starting in London on March 15-17). Details of all our DP/FOI/CISMP courses in Leeds, London and Edinburgh are accessible by clicking the relevant buttons on the Amberhawk home page: www.amberhawk.com.