The political kerfuffle over the Government’s Brexit machinations makes it timely to point out that the European Commission’s negotiating document on Brexit states that the UK’s implementation of the GDPR is an issue of importance in any negotiations.
Indeed, the Commission’s document states that the content of the UK’s Data Protection Bill (“DPBill”), now before the House of Commons, is unfinished business from the first phase of these negotiations. I had mistakenly assumed that stage one of these Brexit talks had finished with Mrs May’s agreement to “cough-up” the £40 billion divorce settlement, but clearly this is not the case.
In particular, the negotiating document states that:
“…, it is necessary to complete the work on all withdrawal issues, including those not yet addressed in the first phase. These include the…. protection of personal data and use of information obtained or processed before the withdrawal date” (my emphasis; paragraph 8).
So what finer way of improving the UK’s chance of obtaining an adequacy determination from the Commission than allowing the DPBill to create several new exemptions, some of which permit unlawful processing and others of which have increased in scope. All this without providing any justification, contrary to Article 23(2) of the GDPR.
Exemptions galore
The UK’s approach to some new exemptions (or “restrictions” in GDPR speak) will no doubt be justified by the Government in terms of Article 23(1)(e) of the GDPR. However, it is only when you compare the GDPR approach to restrictions with the approach of Directive 95/46/EC that the scope for providing new or broader exemptions emerges.
For example, compare the range of restrictions/exemptions that becomes permitted (my emphasis):
- Article 13(e) of Directive 95/46/EC permits Member States to legislate for restrictions based on “an important economic or financial interest of a Member State or of the European Union, including monetary, budgetary and taxation matters”. Comment: restrictions under this heading are limited to “economic or financial interests”.
- Article 23(1)(e) of GDPR permits Member States to legislate for restrictions based on “other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security”. Comment: restrictions are unlimited and can be introduced for unspecified “general public interests” that are not “economic or financial interests”.
For the record, I explored what “public interest” means in a blog before Xmas; I think it means the “interest of the Government of the day” (see references).
It must be understood that restrictions pertinent to “objectives of general public interest” do not overlap with any other restriction. In other words, a restriction in the “general public interest” category has nothing to do with national security, crime, taxation, public health, social security, an economic or financial interest, etc., as these restrictions are expressly identified elsewhere in Article 23(1).
So, what are these catch-all “general public interest” restrictions that have nothing to do with public security, finance, crime, tax, the judiciary, public health, etc.? Should they be identified, debated and justified before they are implemented? Well, I think so.
For example, the monitoring officer of a local authority has survived 9 years under the DPA 1984 and 20 years under the DPA 1998 without the need for a restriction on subject access. Now one is urgently needed for some reason.
Curious, is it not? How have monitoring officers survived for so long in this data protection abyss? Are there examples of personal data that have been released when they should not have been? Should evidence of the need for an exemption be published?
That is why Article 23(2) exists. It is a provision that requires any legislation (e.g. the DPBill) introducing a restriction “shall contain specific provisions at least, where relevant, as to:
a) the purposes of the processing or categories of processing;
b) the categories of personal data;
c) the scope of the restrictions introduced;
d) the safeguards to prevent abuse or unlawful access or transfer;
e) the specification of the controller or categories of controllers;
f) the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
g) the risks to the rights and freedoms of data subjects; and
h) the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction”.
So, has Article 23(2) been activated in any form with respect to providing any information about the restrictions in the DPBill (especially those introduced under the “general public interest” heading)? Of course not.
Exemption from lawful processing
Many exemptions in Part 1 of Schedule 2 relate to investigations by official bodies (e.g. crime, tax assessment, disclosures required by law, immigration). These have the potential for exemptions from “Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6” (Article 6 is the equivalent of Schedule 2 grounds for processing).
This means the part of the Article 5 principle that requires the processing of personal data to be lawful in general is exempted; the restriction thus permits processing that does not need to be lawful in any form whatsoever. So, why and when should controllers who are “processing” for crime, tax, immigration purposes, etc., be allowed to exempt themselves from the requirement to process personal data “lawfully”? Do you think a soupçon of explanation would help here?
I should add that the national security agencies also have the potential for an exemption from the requirement to process personal data lawfully; useful if these agencies were accused of acting unlawfully (which of course they never are).
A restriction/exemption exists legitimately to protect a specific public interest (e.g. crime prevention) being jeopardised from action which prejudices that interest (e.g. tipping off). However, I have some difficulty in seeing how exempting every form of lawful processing protects that public interest.
In summary, the prime impact of this restriction could easily be to protect a controller who has processed personal data unlawfully from the enforcement powers of the Commissioner and from the penalties in the GDPR. Rather shocking when you think about it.
Other exemptions have issues
The provisions that concern the release of personal data relating to another individual on subject access (i.e. Sections 7(4) to 7(6) and Section 8(7) of the DPA 1998) are now an exemption in Schedule 2, Part 3, paragraph 14. However, the restriction adds “the type of information that would be disclosed” to the factors the controller should consider when withholding information that relates to another individual.
Logically, “the type of information” about the other individual that is not released on subject access will not be information that is withheld from the data subject under other existing criteria. For example, “the type of information” justification will be a different ground for withholding information from that information withheld because it is subject to an obligation of confidence or withheld because it comprises information that could harm, identify or jeopardise the other individual in any way.
So, can someone describe a “type of information” about another individual that should not now be released on subject access which is: (a) not harmful in any way to the other individual and (b) not confidential? I am clueless.
Why does the restriction made available for benefit fraud data matching purposes fully exclude the transparency arrangements in the DPBill, when it does not in the current Act? For 20 years there has been no need for such a restriction - until now, that is.
I note that the Information Commissioner has now got an unexplained restriction when the ICO did not have one before. From 1984 to 2018 (a third of a century) the ICO has managed without an exemption - until now, that is.
Could the ICO’s legislative gift be a “sucker punch”? After all, it is difficult for the ICO to moan and groan about the restrictions granted to others in the DPBill, when she has been given a sparkling new one all for herself.
Concluding comment
I could go on and on about these exemptions/restrictions, but by now I think the case concerning the lack of justification and transparency has been made.
Quite simply, I think a round-robin billet-doux has been sent around Government which more or less says: “Pssst! We can now widen or introduce restrictions that protect your personal data from your data subjects. Get in touch - no explanation will be given to the public.”
Without such explanation, how can data subjects know that they are not disadvantaged when compared with the DPA 1998? The answer is: “they can’t”.
Data Protection Courses (London)
Details on www.amberhawk.com
For those with the BCS Data Protection Act Practitioner Qualification there is a special 2 day UPGRADE course that starts 28 February
BCS Data Protection Bill/GDPR Foundation Qualification: starts 7 March
BCS Data Protection Bill/GDPR Practitioner Qualification starts 13 March
Data Protection Bill/GDPR all day Workshop: London on 16 March http://www.amberhawk.com/bookevents3.asp
References
Supplementary directives for the negotiation of an agreement with the United Kingdom of Great Britain and Northern Ireland setting out the arrangements for its withdrawal from the European Union. http://www.consilium.europa.eu//media/32504/xt21004-ad01re02en18.pdf
What does “public interest” mean? Explored in http://amberhawk.typepad.com/amberhawk/2017/12/under-the-gdpr-does-processing-personal-data-in-the-public-interest-include-function-creep.html