European Commission rejects Government’s approach for personal data transfers as ICO doubts the UK will obtain an adequacy decision

The Government’s Brexit policy assumes that the Data Protection Act 2018 is good enough to obtain an adequacy determination and envisages the ICO playing a full part in the European Data Protection Board; this is to protect the free flow of personal data to the UK.  This policy was brutally murdered last Friday by the EU’s lead Brexit negotiator who stated that the UK would have to seek an adequacy determination.

Sadly, in March, the Information Commissioner told Parliament that there were significant doubts as to whether the UK would gain that prized adequacy status.

In our Data Protection Act 2018 courses, I advise delegates to identify transfers from the EU to the UK as these transfers are at risk on hard Brexit. I add that around October/November they should consider Plan B to protect transfers should there be no adequacy decision. Of course, I usually add, sweetness and light can still illuminate a Brexit UK flowing with milk and honey; however, I would not bank on it.

This blog suggests that Controllers should prepare plan B to safeguard transfers from the European Union to the UK s before the summer break. So how have I come to this view?

Prime Minister proposes

On 17 Feb 2018, the Prime Minister said that:

“The UK’s Data Protection Bill will ensure that we are aligned with the EU framework. But we want to go further and seek a bespoke arrangement to reflect the UK’s exceptionally high standards of data protection. And we envisage an ongoing role for the UK’s Information Commissioner’s Office, which would be beneficial in providing stability and confidence for EU and UK individuals and businesses alike”.

I must add that the phrase “the UK’s exceptionally high standards of data protection” borders on the delusional; for example, the European Commission told me in March last year that the 1998 Act was a defective implementation of Directive 95/46/EC in twenty places and that they were concerned that four serious defects would carry over into the UK’s implementation of the GDPR (see references).

European Commission disposes

Michel Barnier, speaking at the 28th Congress of the International Federation for European Law (24 May) rejected the UK’s bespoke data protection deal. He said that the problem was that “It is the United Kingdom that is leaving the European Union. It cannot, on leaving, ask us to change who we are and how we work”.

Warming to his theme he cited the General Data Protection Regulation and said:

“According to the United Kingdom's position first presented – and published – this week on data protection:

• The United Kingdom would like its supervisor to remain on the European Data Protection Board, created by the GDPR.

• It wants to remain in the one-stop-shop.

• It believes that this is in the interest of EU businesses”.

Barnier continued that UK's proposals posed real problems for the EU. For instance, given that the UK was outside the European Court of Justice:

• “Who would launch an infringement against the United Kingdom in the case of misapplication of GDPR?”

• “Who would ensure that the United Kingdom would update its data legislation every time the EU updates GDPR?”

• “How can we ensure the uniform interpretation of the rules on data protection on both sides of the Channel?”.

He concluded that “the UK must understand that the only possibility for the EU to protect personal data is through an adequacy decision”. (my emphasis on only).

Information Commissioner doubts adequacy

It is therefore slightly worrying to learn that the ICO thinks the UK could fail to obtain an adequacy decision. Giving evidence to the DCMS Select Committee exploring “Fake News”, there was a revealing exchange between a Scottish National Party politician who asked the Information Commissioner, with Paxman-like tenacity, the same question six times.

Eventually, the Commissioner revealed that the she had doubts that the UK would get an adequacy decision. The exchange was as follows;  

Q916       Brendan O'Hara: What about the derogation against the backdrop of achieving adequacy? Is that something that you have considered and could that be problematic?

Elizabeth Denham: I don’t see anything in the derogations in the Data Protection Bill that would compromise an adequacy assessment. I don’t see anything directly in the derogations. We have to remember that, if there is going to be an adequacy assessment, it will be done in the round and it will be done comprehensively by the European Commission, where the Commission will be looking at our intelligence gathering, the bulk collection of data and whether there is proper oversight and transparency for the collection of data by the intelligence agencies. That is one thing. They will look at our laws in the round, and I don’t have specific issues about the derogations

Q917       Brendan O'Hara: So you have no concerns, when the Data Protection Bill is finally passed, that the form in which it is passed could compromise an adequacy agreement?

Elizabeth Denham: Not the derogations—

…..

Q919       Brendan O'Hara: So you’ve no concerns about adequacy?

Elizabeth Denham: I have no concerns about the derogations and the impact on adequacy.

Q920       Brendan O'Hara: But have you no concerns about achieving adequacy?

Elizabeth Denham: I think if the Government decide to go down that route to get an assessment of adequacy, that is the right way to go. There will be some challenges, especially related to our national security agencies and bulk collection and retention of data.

There is a joke version of the three laws of thermodynamics much beloved by classical physicists. This version goes as follows:

• First law of thermodynamics: you can never win, one can only break even
• Second law: you can only break even at absolute zero
• Third law: you can never reach absolute zero.

Now there is a data protection equivalent:

• The UK Government can have unfettered personal data flows if it obtains an adequacy assessment from the Commission.
• The Commission will examine all UK privacy laws and consider the ICO’s views
• The ICO thinks the UK is not adequate.

Hence the need for Plan B is urgent

Courses

I am running a Data Protection Workshop (1 day) on Friday July 13 covering how the Act interacts with the Applied GDPR; for details email info@amberhawk.com

There are still places on the Data Protection Act 2018 Practitioner and Foundation qualification courses (BCS syllabus); details on www.amberhawk.com.

References:

PM speech at https://www.gov.uk/government/speeches/pm-speech-at-munich-security-conference-17-february-2018

Barnier speech: http://europa.eu/rapid/press-release_SPEECH-18-3962_en.htm

ICO Oral Evidence to the DCMS committee exploring “Fake News” (6th March 2018), HC 363 http://data.parliament.uk/writtenevidence/committeeevidence.svc/evidencedocument/digital-culture-media-and-sport-committee/fake-news/oral/79824.html

My blog: UK’s GDPR law will not be judged “adequate” if it contains provisions that made the DPA inadequate; http://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html

 

Confidential employment reference exemption in DPBill drafted so that references are no longer available to employees

The Data Protection Bill (engaged in Parliamentary ping-pong) contains an exemption that allows confidential employment references to be kept secret in all circumstances; this exemption has not been discussed, debated or challenged.

The exemption thus raises the spectre that an employer will be able to give a confidential reference about an employee where the employee is ignorant of the reference and has no right of access to check the accuracy of the reference.

The exemption exists in a non-virulent form in the current Act at Schedule 7, paragraph 1 under the heading “Confidential references given by the data controller”. (my emphasis). This states that:

“Personal data are exempt from section 7 if they consist of a reference given or to be given in confidence by the data controller for the purposes of—

(a)the education, training or employment, or prospective education, training or employment, of the data subject,

(b)the appointment, or prospective appointment, of the data subject to any office, or

(c)the provision, or prospective provision, by the data subject of any service”.

So do you agree with the following?

• the “confidential reference “given by the data controller” exemption does not apply to the controller who receives the reference?
• the exemption does not exclude the fairness requirements of the First Principle, so the data subject should know the reference exists?

Now compare the above exemption with the 2018 Bill equivalent which is found under the heading “Confidential references” (where the phrase “given by the data controller” is absent).  In further detail, Schedule 2, paragraph 24 of the Bill states:

The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—

(a) the education, training or employment (or prospective education, training or employment) of the data subject,

(b) the placement (or prospective placement) of the data subject as a volunteer,

(c) the appointment (or prospective appointment) of the data subject to any office, or

(d) the provision (or prospective provision) by the data subject of any service.

For completeness, the “listed GDPR provisions” are listed in paragraph 18 of Schedule 2; the exemption therefore is from:  the right to be informed in Article 13 & 14; the right of access to personal data in Article 15; and all Principles that correspond to these two right (e.g. the First Principle and the requirement that the processing of personal data has to be transparent).

Do you agree that, unlike the equivalent 1998 exemption, that the DPBill’s confidential reference exemption….

• now applies to the controller who receives the confidential reference as well as the giver of that reference. As the receiving controller can now argue that he has been “given a confidential reference”, the reference in the receiving controller’s hands is exempt from subject access.
• now applies to the right to be informed so the data subject can be left ignorant of the fact that a reference about him has been given or received.
• the exemption is broadened to include “volunteering”.

Under the GDPR, all exemptions have to be justified in terms of Article 23; this one is justified under the heading of “other important objectives of general public interest” where the Government has not explained what that  “general public interest” is.

Additionally, the Government has drafted an exemption which is broad in scope (e.g. the exemption is not limited to cases where there is prejudice to some activity where the public interest requires protection) nor has the Government provided a safeguard (e.g. a mechanism that allows the data subject to dispute a confidential reference).

Indeed, the only thing the Government has said about the exemption is in the DP Bill’s “Explanatory Memorandum” which explains nothing of substance. It states (paragraph 667):

“Paragraph 22 restricts the application of the listed GDPR provisions to personal data consisting of a reference given (or to be given) in confidence, for example for education or employment purposes. This replicates and extends the exemption in paragraph 1 of Schedule 7 to the 1998 Act.”

The Parliamentary record (see references) shows that this exemption was amended by Government, yet the Minister in charge failed explain anything exceptional about this exemption. Indeed, the House of Lords permitted the Government’s change without any debate.  Would there have been a debate if the Government were transparent about what was happening? You bet.

Hence my conclusion that a significant change has been made to the protection of data subjects especially in the important area of employment, without proper debate, without explanation, without reason and without safeguards.

I note this exemption has been drafted by a Government that often touts its intent to strengthen workers’ rights after Brexit. Indeed, this is the second time I have reported that the Data Protection Bill has been drafted in a way that reduces employee’s rights. Perhaps there is a pattern of behaviour here.

Article 8 and the ECHR judgment in Gaskin v UK

In addition, the exemption could very well mean that the UK is in breach of Article 8 of the European Convention of Human Rights as the facts surrounding the use of this exemption mirrors those in the case of Gaskin v UK (1989).

In Gaskin, the context was social work and the right of access, by a data subject, to the confidential comments made by third parties about him (e.g. made by health professionals etc). The Court recognised the importance for receiving objective and reliable information and that confidentiality can also be necessary for the protection of third persons but stated there needed to be a counterbalance.

In Gaskin, the Court then stated (at paragraph 49):

The Court considers, however, that under such a system the interests of the individual seeking access to records relating to his private and family life must be secured when a contributor to the records either is not available or improperly refuses consent. Such a system is only in conformity with the principle of proportionality if it provides that an independent authority finally decides whether access has to be granted in cases where a contributor fails to answer or withholds consent. No such procedure was available to the applicant in the present case.

The Courts objections in Gaskin are very similar to what could happen with this exemption.  As in Gaskin, the content of an unfair confidential employment reference can impact on private and family life severely.  Indeed, the ability to send a secret confidential reference can effectively damage an individual’s career and can have the same effect as if an employee were black-listed.

There is no independent authority to counterbalance the exemption who can decide whether or not access can be provided to confidential references. This is because the exemption is absolute and applies to both giver and recipient of the reference; it is either a confidential reference or it is not.

This is not the case under the 1998 Act as the exemption only applies to the giver of a reference and NOT the recipient and the counterbalance is the ICO.

Under the 1998 Act, the ICO’s website has a wonderful comment: “We explained that organisations are generally required to release references they have received about individuals, even if they are marked as confidential”.   Not any longer.

Concluding comment

This DP Bill started life at 200 pages and will be finally around 400 pages; it is complex and impenetrable and controversial and largely unscrutinised by Parliament. Yes there have been set pieces over Leveson, immigration or national security but I think there has been very little attention to the detail.  When you get to the detail of this small exemption, it is an understatement to state that “some unpleasantry creeps out of the wording”.

So how many exemptions will be like the confidential reference exemption do you think? Well we only find out when the DP Bill becomes an Act and the ICO is powerless to defend data subjects.

 Data Protection Courses (London)

• BCS Data Protection Bill/GDPR Foundation Qualification: London starts  5,6,7 June
• BCS Data Protection Bill/GDPR Conversion Practitioner Qualification: London on June 26/27
• BCS Data Protection Bill/GDPR Practitioner Qualification: London starts  July 16, 17, 18 …

Details of all courses from: http://www.amberhawk.com/dp.asp

References:

Gaskin v. UK, Application no. 10454/83); 7 July 1989: https://hudoc.echr.coe.int/eng#{"dmdocnumber":["695368"],"itemid":["001-57491"]}

The other reduction in employee rights? See under the heading “Consequences of this approach for rights of access” in “How the Data Protection Bill reduces data subject rights and, in particular, workers’ rights” http://amberhawk.typepad.com/amberhawk/2018/03/how-the-data-protection-bill-reduces-data-subject-rights-and-in-particular-workers-rights.html

Many Data Protection Bill exemptions are expanded, unexplained and some permit unlawful processing. http://amberhawk.typepad.com/amberhawk/2018/02/many-data-protection-bill-exemptions-are-expanded-unexplained-and-some-permit-unlawful-processing.html

The Government modified the confidential reference exemption (amendment 87)l without identifying the extensions of the exemption (See Lords Hansard, 13 November 2017, Volume 785 Committee (3rd Day) (Continued), Column 1917).

Wonderful ICO comment on confidential employment references: https://ico.org.uk/action-weve-taken/case-stories/case-story-1/