This brief blog is to explain why, “in” or “out”, the UK has to implement the General Data Protection Regulation (GDPR). This is important given that some organisations might think that a “Leave” vote might change matters with respect to GDPR compliance (especially as the Cabinet Minister responsible for GDPR implementation, John Whittingdale, is a prominent “outer”).
Obviously, if the vote in June is for “Stay” then the UK remains a Member of the European Union (EU) and the GDPR implementation has to be delivered. However, what would the position be if the vote is for “Leave”?
The first point to make with a “Leave” vote is that the UK would become a State outside the European Economic Area (EEA) and therefore would have to offer an “adequate level of protection”. As is well known to blog readers (see references), the European Commission sees the UK Data Protection Act as a defective implementation of Directive 95/46/EC and has threatened infraction proceedings to make sure the Data Protection Act 1998 is brought into compliance with Directive standards.
How do I know this? Well, consider my latest FOI request for information that explains why the European Commission thinks the UK Act is a deficient implementation of Directive 95/46/EC and why the UK Government thinks it isn’t.
The request (which is awaiting a Decision Notice from the ICO – for nine months I hasten to add) was refused because legal action by the Commission concerning the UK DP Act was under active consideration. The Government told me that:
“… the Commission confirmed that the (infraction) proceedings remain live, that the particular information remains under consideration and therefore should not be released at this time.”
“The Commission has been clear in each of its separate responses (in February 2013, January 2014 and October 2014) to the Ministry of Justice that infraction proceedings in relation to the UK remains a live issue, and subject to ongoing review and consideration…”.
“The Commission has indicated that a decision is going to be taken in relation to the infraction proceedings which will in part be based on the information that you have requested. The proceedings therefore are actively under consideration by the Commission…”.
Can we now draw the one obvious conclusion? If the Commission’s infraction proceedings are being threatened because the Commission is of the opinion that the UK Data Protection Act does not meet the requirements of the Directive, it must then follow that the UK Act cannot be viewed as meeting the requirements of the GDPR. The current DP Act is therefore at risk of offering an inadequate level of protection.
Now, I am going to ask you some simple questions. If the UK votes to leave the European Union….
- Would German bankers in Frankfurt wanting to supplant the City of London argue that personal data cannot be transferred to the UK on inadequacy grounds?
- If the consequential Euro-divorce becomes messy, could the European Commission use the fact that the Data Protection Act 1998 offers an inadequate level of protection as a negotiating tactic?
- Could the European Parliament argue that UK national security access to personal data remains as expansive as that in the USA and therefore the UK is not a safe place to transfer personal data concerning Europeans (see last blog)?
The answer to all questions is, in my opinion, “yes”.
So how does the UK defuse the risk and offer an “adequate level of protection”? Why, it implements the essential parts of the GDPR, even if the UK votes to leave the European Union. To do otherwise could threaten the transfers of personal data into the UK from the EU.
Of course, the Government might argue that the Data Protection Act 1998 is perfectly sound, or the Commission might not be telling the truth in respect to its "active consideration" of infraction proceedings. However, that would be wholly inconsistent with the reasons they gave to me for not releasing the infraction information that is the subject of my FOI request.
The UK Government and European Commission cannot both be telling me porkies? Surely not?
Blog of 24/10/2014: “European Commission raises infraction threat to UK on failing to implement Directive 95/46/EC properly via the Data Protection Act”; https://amberhawk.typepad.com/amberhawk/2014/10/european-commission-raises-infraction-threat-to-uk-on-failing-to-implement-directive-9546ec-properly.html
List of UK deficiencies in: “Why does the European Commission think the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC?” https://amberhawk.typepad.com/amberhawk/2013/02/question-answered-why-does-the-european-commission-think-the-uks-data-protection-act-is-a-deficient-implementation-of.html