Yesterday, the Secretary of State for Business was caught out misleading the public and Parliament concerning Brexit. He evidently authorised a secret, multi-million pound bung to Nissan so that it maintained car production at its current level in Sunderland, post Brexit. Sad to say, such secrecy by Ministers is rather commonplace with respect to Brexit and data protection.
The evidence for this assertion comes from my latest FOI request to the European Commission (see references).
For instance, consider the Prime Minister’s important Mansion House speech (March 2018; see refences); she asserted that “The UK has exceptionally high standards of data protection….That is why we will be seeking more than just an adequacy arrangement”.
I can now show that this statement was made at a time the Government knew the European Commission was insisting that infringement proceedings with respect of the DPA1998 were still ongoing and active, and that they impacted on the UK’s GDPR implementation. Evidently, the PM’s claims for “high standards of data protection” is not shared at the European Commission.
A similar misleading assertion was forced on her Majesty, in the Queen’s Speech (June 2017; see references). She said that a “new (data protection) law will ensure that the United Kingdom retains its world-class regime protecting personal data”. At the time this statement was made, the Government knew that the European Commission had serious doubts as to whether UK actually offered “European-class” data protection (let alone “world-class”).
In summary, soon after the DPA1998 and Directive 95/46/EC were repealed, I repeated my FOI requests for details of those infraction proceedings (i.e. why the DPA1998 was a defective implementation of Directive 95/46/EC and why the UK though the Commission was wrong).
These requests have been refused, appealed, refused again and are currently before the ICO for a Decision Notice or the European Ombudsman to enforce the European Commission’s FOI rules. For me, this is fourth time round with the same request (since 1st Jan 2005); a real example of FOI Groundhog Day.
The European Ombudsman
The following extracts from minutes of a meeting between the Ombudsman and the Commission relating to my FOI request. They answer the important Watergate questions: what civil servants and their Minister knew, and when they knew it. They state that a Data Protection Expert Group (made up of civil servants from Member States) met between 2016-2018 and discussed “…legal principles such as lawfulness, transparency and data subject rights, including issues that are also related to ongoing infringement procedure.”(my emphasis)
The Minutes then state:
“The Commission stated that most of the ten areas of concern originally raised were resolved, some of them recently in the context of the application of the GDPR. However, the infringement procedure is still open since one of the issues remains unresolved and also constitutes a concern under the GDPR”. (my emphasis)
Clearly, the Commission think that the “unresolved issues” that arose with respect to the UK’s DPA1998 could also give rise to infraction proceedings concerning the UK’s implementation of the GDPR, and that this was known, probably during 2016. Translating this position into a post Brexit world, I cannot see the UK being determined as being “adequate”, if the Commission were thinking of infraction proceedings if the UK would have remained a Member State of the European Union.
This raises the question as to why Ministers, Parliament and the public were not informed of these issues, especially as an “adequacy determination” from the Commission was at the centre of Government policy concerning the GDPR and Brexit.
For instance, should the risk of infraction proceedings formed part of:
- the discussions of the Data Protection Bill when it was before Parliament (e.g. could Ministers have made reassuring statements and commitments concerning the GDPR implementation to meet concerns raised at civil servant level at the Data Protection Expert Group?).
- public policy information about Brexit and data protection (e.g. when transferring personal data as in the “The exchange and protection of personal data” published by the Government in 2017)?
- the evidence given by the Secretary of State to the Select House of Lords Committee considering Brexit and data protection (as in its Report “Brexit: the EU Data Protection Package”)?
Well, the answer from Government is a resounding “NO”?
I have always thought that UK’s implementation of the GDPR will not be judged as adequate if it contains the provisions that made the DPA1998 an inadequate implementation of Directive 95/46/EC. The fact seven “heavies” (sorry, I mean “delegates”) came from the European Commission to a meeting with the Ombudsman, where they argued against my little FOI request, seems to indicate that either “summat’s up” (as they say in God’s county) or an attempt to influence the Ombudsman’s decision.
The policy of secrecy surrounding these infraction proceedings is keeping every controller in the UK in the dark, and hinders planning if there were to be a “no adequacy” determination from the Commission. Keeping data subjects in the dark means that they cannot be sure of the level of protection afforded to them. Keeping Parliament in the dark, means they cannot scrutinise proposed data protection law effectively.
If there is something structurally risky with UK DP law, we should know what those risks are. If there is no risk, then my FOI request can be met. It is as simple as that.
References used in the blog:
Minutes from the European Ombudsman: download here Download OMBUDSMAN REPORT
I don’t want to repeat the ins and outs of a saga that started in 2004. However, the following blog reference gives the grim detail of the infraction position and (at the end of the blog) references to all the relevant material, extracted with pain, from the Commission: https://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html
Mrs May’s Mansion House Speech (2 March 2018): https://www.bbc.co.uk/news/uk-politics-43256183
Queen’s Speech (21 June 2017) https://www.gov.uk/government/speeches/queens-speech-2017
Press coverage of the secret Nissan deal: https://www.bbc.co.uk/news/blogs-the-papers-47125402
Update Conference
The next conference is on 4th March in London. It includes two sessions on Auditing GDPR compliance, a session on Marketing under the GDPR, the new UK GDPR Regulations and Brexit, the recent actions of Privacy International. We round up with problems with the GDPR/FOI interface and a review of relevant GDPR documentation. The draft agenda is on: http://www.amberhawk.com/bookevents.asp
Upcoming Data Protection/FOI qualification courses
BCS Data Protection Practitioner Upgrade/Conversion (2 days; London, March 19 & 20)
Day on the DPA2018 (1 day; London, April 1)
BCS Data Protection Foundation (3 days; London, April 30-May 2)
Because of demand, the next BCS Data Protection Practitioner, London course that can be booked is (6 days, starts June 11)
BCS FOI Practitioner course; London (6 days, starts 4 June)
Details on www.amberhawk.com or by emailing [email protected]