All through the New Labour Surveillance decade (and through to the current Snowdon revelations), Parliament and public have been deliberately kept in the dark as to why the UK’s Data Protection Act (DPA) is not a proper implementation of Directive 95/45/EC. What is wrong with this implementation? It’s an official secret.
However, the MoJ have just told me (see references) that the deficiencies are apparently so great that the European Commission is still thinking of infraction proceedings.
The above, of course, relates to my “Groundhog Day” FOI request to get published details about the deficiencies in the UK’s DPA: my request is grinding slowly on its fourth iteration.
Quite simply, I think the public should know why, since 2004 (the date of the Durant judgment – see references), every Ministerial pronouncement in Parliament about the DPA, and every subsequent Governmental White Paper paragraph that has referred to the DPA, has not contained an important qualification:
“….but the European Commission is of the view that the UK’s DPA is deficient implementation of Directive 95/46/EC”.
My latest FOI request has again been refused because “disclosure would or would be likely to prejudice relations between the UK and an international organisation” (see references). Forget about the prejudice to UK–EU relations that arise from the Conservative led Coalition Government’s derogatory statements about the European Union (e.g. Mr Cameron's reaction to today’s £1.7 billion payment request from the Commission). You must understand that my FOI request about data protection is far more prejudicial!
My latest FOI refusal states that the MoJ contacted the Commission in February and March 2013, again in January 2014 and then, more recently, at the end of September/beginning of October 2014. I was then told:
“On each occasion, the Commission confirmed that the proceedings remain live, that the particular information remains under consideration and therefore should not be released at this time. In their most recent communication, the Commission reiterated the position that the requested documents concern an ongoing infraction procedure against the United Kingdom, and that the correspondence requested (by my FOI request) are part of the investigation and inspection procedure performed by the Commission, and essential documents upon which the Commission will base its final decision on how to proceed…”.
“The Commission has been clear in each of its separate responses (in February 2013, January 2014 and October 2014) to the Ministry of Justice that infraction proceedings in relation to the UK remains a live issue, and subject to ongoing review and consideration…”.
“The Commission has indicated that a decision is going to be taken in relation to the infraction proceedings which will in part be based on the information that you have requested. The proceedings therefore are actively under consideration by the Commission…”.
So there you have it. Believe it or not, infraction proceedings based on information which is nearly a decade old appears to be on the cards.
The MoJ then considered that the public interest arguments are such that 60 million UK data subjects, 400,000 data controllers and the Welsh, Scottish, Northern Irish and Westminster Parliaments should not be informed about the data protection problems that might give rise to infraction proceedings.
Why the public interest is served by publishing these details
If the European Commission has determined that the UK’s Data Protection Act is not a proper implementation of Directive 95/46/EC (see above) then if the UK were to vote to leave the EU following a referendum then it follows that the UK would become a country outside the EEA offering an inadequate level of protection. Transfers of personal data to the UK could be thus prohibited.
It is my view that the public interest is served if any debate about an in-out referendum (e.g. as part of the forthcoming General Election), should take place in full knowledge of the potentially severe economic consequences if such a transfer prohibition were to arise. [In fact all internationally based businesses, especially in the City of London, should assess this risk].
At the Heads of EU States summit meeting in October 2013, Mr. Cameron had a list of European Commission “red-tape” legislation to stop; top of his list was the Data Protection Regulation. It is likely Mr Cameron, if he is re-elected, will have a list the proposals and it is reasonable to assume this list is also likely to contain the Data Protection Regulation. This means that the deficient UK’s DPA could remain as part of any re-negotiated settlement.
It is therefore in the public interest for the public to know that any re-negotiation objectives, which will form part of the next General Election debate, also involves knowledge about the deficiencies in the UK’s DPA.
The Conservative part of the Government also wants to replace the Human Rights Act; this step is likely to peturb the UK’s implementation of the Article 8 right. However, the Article 8 right relates to Council of Europe Convention No 108, thence to the Data Protection Directive 95/46/EC and through into that the UK’s DPA (e.g. the use of the word “necessary” in Schedule 2 for instance or in the 5th DP Principle).
Any forthcoming General Election, any debate about abolishing Article 8 of the HRA should involve the fact the UK Article 8 right might have already been diminished in the UK by the improper implementation of Directive 95/46/EC.
In addition, the public interest would be served as publishing as the information would:
• inform public debate in relation to Ministerial claims that personal data are protected by the DPA when in fact these claims might be misleading as to matters of fact;
• aid the public in understanding the European Commission’s constructive role in protecting the privacy of UK citizens as part of the referendum political debate; and
• encourage informed debate in relation to the proposed Data Protection Regulation and produce greater transparency around infraction proceedings.
Concluding comment
In fact, I think I have already identified the problems in the Data Protection Act (see references) and they are minor, especially since Durant has been reversed. The fact the Information Commissioner has not raised any problem about the UK’s implementation of the Directive 95/46/EC serves to reinforce my view. So, if the diversions are minor, then there is no prejudice to infraction proceedings and the exemption above should fall away.
That is why I think my refusal has little to do with the quality of the Data Protection Act which might have problems at the margin; something else is going on.
If my letter is to be believed the latest infraction threats have been heightened because the European Commission is:
• building a negotiating/legal position with respect to data protection should the UK leave the EU. It could be that the Commission will try to get the UK to adopt the final Regulation in order for it to be deemed to possess an adequate level of protection for countries outside the EEA.
• supporting or colluding with the UK Government because the Commission does not want details of any other infraction proceedings to be published. My FOI request, if successful, might be seen as the first breach of a policy hitherto does not allow the detailed of infraction proceedings to be published or debated in any Parliament in Europe unless the Member State or Commission want them to be debated or published.
Either way, these two reasons increase public interest in knowing the full details of these infraction proceedings.
References:
Durant and Edem: “Roll out the bunting: Durant judgment is good as dead and buried”: http://amberhawk.typepad.com/amberhawk/2014/02/roll-out-the-bunting-durant-judgment-is-good-as-dead-and-buried.html (link to cases at end of blog)
List of UK deficiencies in: “Why does the European Commission think the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC?” http://amberhawk.typepad.com/amberhawk/2013/02/question-answered-why-does-the-european-commission-think-the-uks-data-protection-act-is-a-deficient-implementation-of.html (note the big one re Durant has gone)
Download the details of the infraction proceedings here: Download Blog MoJ FOI refusal Oct 2014
Is it worth mentioning that the Guernsey and Jersey DP Laws and the IoM’s DPA are all based on the UK’s Act mirror it almost word for word.
The EC considered the adequacy of the Islands’ statutes and deemed them all to be adequate. If the UK is going to have to account for its defective transposition of the Directive where does this leave the adequacy of the Crown Dependencies?
It’s going to be a bit difficult to argue the UK’s legislation is deficient but at the same time deem the Islands mirror copies to be adequate!
CP Comment: this reinforces my view that the UK DPA's problems are at the margin
Posted by: KB | 24/10/2014 at 04:10 PM