Freedom of Information

UK’s “world class” data protection regime had 20 faults

Since the Brexit Vote in 2016, the Government has described the UK’s data protection regime (e.g. the DPA1998) as “world class”.  This description has stuck in my craw because, since 2005,  I have unsuccessfully tried to “liberate” official information, held by Government, concerning several deficiencies in this “world class” regime.

Nearly two decades of Freedom of Information (FOI) requests later, last month (March 31st), I “ZOOMed” into another “Groundhog Day” FOI Tribunal to make the latest round of arguments.  This blog updates readers as to what transpired.

The FOI request under discussion was made on the day after the commencement of the Data Protection Act 2018/GDPR in the UK (i.e. at the end of May 2018).  I asked for details of the infraction proceedings relating to the repealed DPA1998 (which was the UK’s implementation of the repealed Directive 95/46/EC);  note my emphasis on “repealed”; I naively thought there would not be a problem.

However,  this time I also decided to make an identical FOI request for the same information to the European Commission via Regulation 1049/2001.  So did the same request, for the same information, made at the same time under different FOI regimes, result in the same outcome?  Of course not  - and thereby hangs a tale.

The UK Government, supported by the Information Commissioner (Decision Notice FS50812647) opposed disclosure of the requested information on the grounds that the European Commission vehemently opposed disclosure.  The European Commission told the UK Government that releasing any of the requested information to me would be so damaging that it could undermine adequacy negotiations between the UK Government and Commission.  The UK Government took this prospect seriously so it refused to provide the information; the ICO following in agreement.

By contrast, the European Ombudsman decided that since all but one of the problem areas associated with the DPA1998 were resolved, the European Commission could provide access to the requested information without any detriment to anything (apart from one issue that was unresolved).  The Commission refused to countenance the Ombudsman’s recommendation to disclose, with the result that the Ombudsman made an official finding of maladministration against the Commission (reference 1632/2018/THH).

This divergence of view between European Ombudsman and ICO about the same FOI request has allowed me to draw two general conclusions:

  • since 2005, various Information Commissioners have repeatedly made significant errors of judgement by maintaining absolute silence about the defects in the DPA1998; and
  • the Freedom of Information regime that applies to the European Commission (Regulation 1049/2001) is not fit for purpose.

In this blog, I will briefly substantiate each of these conclusions.

Before going further, it would be helpful to outline the totality of what I know about the problems with the “world class” DPA1998.   There were 20 issues of concern identified by the Commission before 2010; these covered 15 Articles (or nearly half of Directive 95/46/EC).  Issues identified included: definitions (personal data and relevant filing systems), data subject consent, enforcement powers of ICO, the treatment of criminal offence personal data, subject access rights, transfers outside the EEA, exemptions from rights, and judicial remedies for data subjects.

Can we agree that this is not a trivial list of problems.

Why the ICO has made errors of judgment?

Can you cast your mind back to the surveillance society debates that surrounded the voluntary Identity (ID) Card in 2006?

There was to be a comprehensive National Identity Register that recorded privacy-intrusive details on every ID card transaction (e.g. the Register captured personal data as to when and where each individual produced their ID Card for inspection in order to obtain a particular public or private sector service).

Additionally, personal data stored on the Register could be shared to improve the efficiency of public service delivery and initially, individuals would consent voluntarily into showing their ID Card. The DPA1998 was touted by Home Office Ministers as offering sufficient privacy protection for data subjects.

So, should all the Parliamentary Committees scrutinising ID Cards and related surveillance issues surrounding the Register, have been informed that the European Commission thought the definition of “personal data” used in the DPA1998 was defective?  Should they also have known that the UK’s concept of “consent”, as defined in Directive 96/46/EC, was also considered by the Commission to be defective?

Indeed, should all these Committees have access to the detail surrounding all of the 20 or so defects in the DPA1998, in order to assess their relevance to the surveillance issues before each Committee?  I think the answer is “yes”.

Move forward a decade to the adequacy arrangements themselves post Brexit. Should all the Parliamentary Committees considering post-Brexit data transfers with the European Union have known that the European Commission had concluded that the DPA1998 transfer arrangements were defective?

Should these Committees also have known that the Commission was concerned that the 20 or so defects might resurface in the UK_GDPR or DPA2018 and that this could impact on the UK’s adequacy determination? (The European Commission made this point before the European Ombudsman and ICO).

There again my answer is “yes”.

Hence, my conclusion that each of the various Information Commissioners made a serious error of judgement when each failed to make public the alleged defects in the DPA1998.

By keeping silent, each Commissioner facilitated a lack of Parliamentary scrutiny. Without Parliament knowing the detail (or relevance) of the European Commission’s concerns, I cannot see how any Parliamentary scrutiny of legislation that relied on the processing of personal data can be regarded as being complete.

Indeed, there is little point having an independent Regulator (or even a single corporate mission statement about protecting data subject rights), if the relevant corporate body keeps stum for a decade and a half, about 20 potentially serious defects in the Data Protection regime which has impacted on 60,000,000 UK citizens.

Regulation 1049/2001 is not fit for purpose

Continuing this theme, there is little point of having an FOI regime that cannot be enforced if the Regulator’s decision goes against the public authority.  Equally there is little point having an independent regulator if that regulator’s decisions can be ignored by the public body that holds the requested information.

This was the position I found myself with the Ombudsman’s decision in my favour; it is unrealistic to expect citizens in my position to commence legal proceedings against the European Commission before the CJEU.

In my case, the Ombudsman proposed that “in the interests of transparency and accountability, the Commission should reconsider granting access to those documents that related to the issues already resolved in the (formally still ongoing) infringement procedure. The Commission refused to do so”.

The Ombudsman added that the Commission’s “approach clearly places unnecessary obstacles in the path of citizens wishing to exercise their fundamental right of public access to documents. Similarly, it undermines the trust of citizens in the work of the EU institutions.”

At the Tribunal hearing, I added that I thought “the Commission had scored an own goal”.  For “if the Commission had released limited information or engaged with the British Public concerning some of the deficiencies in the UK’s Data Protection Regime between 2004 and 2018,  it would have been seen as a protector of UK data subjects”.

“Perhaps then, fewer UK data subjects would have voted to leave the EU”.

Independent FOI regulators?

In relation to my FOI request, the evidence shows that the Information Commissioner initially followed the “reasonable” suggestion of the European Ombudsman and moved in the direction of only withholding information pertaining to the one outstanding issue identified by the Ombudsman.  The ICO then wanted to know what the relevant Government Department (DCMS) thought of this idea.

The DCMS contacted the European Commission which came back with an abrupt two line instruction on the lines of:  “The European Commission has maintained its requirement that the UK continues to treat the material or information as confidential”.

Whilst this bold assertion did not work on the European Ombudsman (who rejected the Commission’s use of any exemption from its FOI regime), it did work on the DCMS who applied an exemption in the FOI regime (S.27 of FOIA).  The ICO sadly reversed her view mentioned in the previous paragraph and obediently fell into line.

In summary, what was prejudicial to international relations in the UK (the exemption used by DCMS), was not prejudicial to international relations on the other side of the English Channel (even though the exemption appears in A.4(1) of the Regulation). So what was going on?

First, the adequacy agreement would assist an estimated £120 billions of trade per year.  Is it credible to believe that this adequacy arrangement would be put in jeopardy by the release of information, nearly two decade olds,  relating to repealed legislation, and concerning data protection issues that have been resolved?  I don’t think so.

Secondly, could the ICO be sacrificing her FOI independence in favour of a quiet life with her funding Department for FOI purposes?  Well, I am sure many might consider this as a plausible explanation but there is no evidence that this is the position.  However,  it is clear that the Government is moving towards installing a more “understanding” Commissioner (see references) for data protection reasons.

In conclusion, I think the refusal is all about maintaining secrecy.  The two protagonists are setting the scene just in case there is disagreement concerning the adequacy agreement itself.  If there is a disagreement, then another set of infraction provisions will kick in and nobody external to the European Commission or UK Government will be any the wiser.

Like the defects in the DPA1998, the whole area of dispute will be smothered in a protective blanket of perfect darkness.

However, my duplicate FOI request has drawn attention to two important questions: “is the UK ICO truly independent as an FOI regulator?” and “has the European Ombudsman got sufficient powers to enforce its FOI regime”.  My experience shows that it is difficult to answer “YES” to both.


Ombudsman reference 1632/2018/THH:

ICO Decision Notice reference FS50812647  (Google the Decision Notice)

An amiable ICO? see

I don’t want to repeat the ins and outs of a saga that started in 2004. However, the following blog reference gives the grim detail (at the end of the blog) with references to all the relevant material, extracted with pain, from a reluctant European Commission:

Upcoming Data Protection Courses

All courses lead to the relevant BCS qualification:

  • Data Protection Foundation: London, Starts April 27-29 (3 days)
  • Data Protection Practitioner: London, Starts May 11 (6 days)
  • Data Protection Upgrade Practitioner: London, May 25-26 (2 days)<LAST ONE

Full details on of by emailing in[email protected]











All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.