On Adequacy after Brexit

I attended the Home Affairs Committee on Europol and the European Arrest Warrant yesterday. Don’t say I don’t know how to have a good time. One of the members, suggested that since we have passed a new Data Protection Law, we will be compliant from Day 1, or Day 0 as we engineers call it. I think  not and here’s why. In short, the Government say they’ve implemented the GDPR into British Law, but once we’re a third country, it’s the Commission that has the last word, and they have questions we need to answer. …

Firstly, I don’t think the Commission would act that quickly and they’d need to issue an adequacy decision and there are four questions of substance that the Commission would need to consider.

  1. The European Data Protection Supervisory Board’s predecessor, the Article 29 Working Party and the Commission had outstanding issues with the UK’s implementation of 95 Directive, to the extent that it seems the Commission had started infraction proceedings. (I find it very hard to get explicit data on this, and much of what is available reads like conspiracy theories, but the most vocal campaigner published his views in the Register, here. The author argues that the infraction process proposes to carry forward to the 2018 DPA. ) The author checkpointed his findings in a 2011 blog article, called “European Commission explains why UK’s Data Protection Act is deficient”, he also points to an Out-law Article, “Europe claims UK botched one third of Data Protection Directive” 17 Sep 2007.
  2. The House of Lords Committee on Data Protection found that as a 3rd Country we may be required to meet a higher standard than as a member state. (This is because we will lose the powers granted to member states under Article 23 Restrictions of the GDPR. These powers relate to the exemption of national security organisations and the courts (and others) from some aspects of the GDPR). This is why there is concern with the Investigatory Powers Act, already declared deficient by the UK Courts and the DPA immigration service exception will jeopardise any attempt to obtain an adequacy finding. i.e. a member state might be able to have these laws but a 3rd country may not.
  3. The loss of member state status and privilege means that our intelligence sharing arrangements with the US, a country which still has the death penalty, and operates under a different military legal doctrine may be deemed to be a critical problem in granting adequacy. (We should note that Tom Watson MP, obtained a barrister’s opinion on the legality of sharing intelligence and wrote to the Prime Minister at the time on the legality of this activity; it was taken up by Rights Watch who are pursuing this through the courts.)
  4. Depending on the withdrawal agreement, and it seems that no-one is thinking about this, we may cease to be covered by the US Privacy Shield agreement, and thus will be prohibited from transferring EU citizens personal data to the USA, and they to us. (Actually prohibited is a bit strong, participants in cross border data transfer would need to be covered by model clauses, or binding corporate rules and both of these are under judicial review (Schrems II) and create a barrier to entry because of cost to SMEs).

It should be noted that the ECJ has required the US Safe Harbour agreement to be re-negotiated; its successor allows US corporate self assessment, but also requires EU citizen access to the US Court system. The important thing here is that the Commission consider protections of EU citizens’ personal data, and the establishment of rights against the State’s intelligence, security and police services to be part of an adequacy findings and since the EU is not frightened of a row with the US; it wont be with us. …

Adequacy

I am looking at the GDPR, and considering the issue that post-Brexit, the UK will probably have to seek an “adequacy ruling” to allow IT services trade and trade dependent on cross border IT between the UK & the EU to continue. If we adopt the GDPR as part of the so-called “Great Repeal Bill”, then there should be no problem. In the unlikely event that the fUK-EW legislates for greater data subject privacy then the EU may object because it breaks their single market rules; all jurisdictions must treat entities and citizens of the EU equally, whereas if we were to weaken the privacy provisions then the Commission would deny us an adequacy ruling. Today’s insight is that it works both ways. …

More Brexit missed or almost missed deadlines

More Brexit missed or almost missed deadlines

This article, or one very similar to it first appeared on AEIP's Brexitspotlight. The 3rd deadline of the post Brexit Future relationship passed on the 30th June. The deadlines were on the issues of cross border data adequacy, northern Irish meat product movement, the end of equivalence for share depositaries and the end of the grace period to allow EU citizens resident in the UK to apply to stay. It looks like the security depository equivalence was sorted in Sept. 2020 and the EU have granted a three month extension on moving chilled meat from Great Britain to Northern Ireland as required by the treaty’s Northern Ireland protocol[1]. The Commission flagged the agreement of a data adequacy ruling earlier in the year and finally agreed it with two days to go. The parliament is more sanguine. The EDPB is also more cautious, and we expect the CJEU to be so too. Whenever the CJEU has ruled, it has ruled in favour of citizens, whereas the ECtHR gives nation states significant leeway. For more see here, or read more ....

Wiggle room on human rights law

Wiggle room on human rights law

I made a linkedin blog on the ECtHR’s margin of appreciation. I was reading up on the UK’s post Brexit data sharing arrangements with the EU, and under the terms of the GDPR. I was diverted by the ECHR’s doctrine of a “margin of appreciation”.

Broadly speaking it refers to the room for manoeuvre the Strasbourg institutions are prepared to accord national authorities in fulfilling their obligations under the European Convention on Human Rights.

Steven Greer Reader in Law, University of Bristol,United Kingdom

Human Rights law is designed to constrain governments but will always require interpretation. The doctrine means that the rights of interpretation are shared between the ECtHR and the signatory states, who themselves will divide this between their courts and executive branch.  

This seems sensible, as I observed, when the British courts were busy interfering with the CPSA in the ‘80’s and undermines the argument of foreign interference because where there is a benefit of doubt, the ECtHR can allow the otherwise infringing government that benefit.

With respect to the cross border transfer regulation, this might make it easier to comply with the law, but there are several outstanding problems. With respect to international data sharing, the most relevant to the doctrine of appreciation and this article is that, the UK is now an ex-member-state and while the Commission argues this means that the UK’s data protection regime is suitable, the fact it is now a 3rd country means that the UK has less legal privileges to exercise its “margin of appreciation” as the powers granted to member states to vary/diminish the protections in Article 23, no longer apply. This was observed and commented on by the House of Lords Select Committee report on Brexit in 2017. See also,

I was reading this article, which makes it much clearer, that the ECtHR looks to defer to national institutions, where it can,

According to the classical position of the ECtHR State authorities “are in principle in a better position than the international judge to give an opinion” on the “necessity” and “proportionality” of a derogation or restriction authorized by human rights law. As a consequence, international courts “should grant national authorities an important degree of deference and respect their discretion” with regard to the implementation of exceptions. Thus, without precluding judicial review of a State’s action in this field, the doctrine intends to “limit the scope of this review” and to impose some degree of judicial self-restraint where an assessment of the attitude of national authorities is concerned.

Theodre Christakis

 …

Privacy Regulation

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that not was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year live is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs, we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon, across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …

Brexit, the next trade deadlines

Brexit, the next trade deadlines

Brexit is not yet done, this, from the Institute of Govt., shows the upcoming deadlines for further agreement. most importantly in the short term, financial services equivalence and data adequacy. Slightly later in the year, is the new definition for food safety documentation required to export British food to the EU and Northern Ireland.

I might say more when I have studied it, but I have written recently about financial services, and extensively on the need for & likelihood of a data adequacy agreement. …

Labour and antisemitism, some thoughts

Labour and antisemitism, some thoughts

I have now read the EHRC Report, Investigation into antisemitism in the Labour Party, and this is what I think needs to be done. I have published some thoughts already and I believe that it is necessary that the Labour rectify its rules and culture to make it a place where discrimination is both absent and shunned, where perpetrators have the opportunity for contrition and that suspensions and expulsions are a last resort applied only after a fair trial. I am particularly incensed to find there has been no policy nor procedures to guide the investigation nor the determination of discrimination complaints because it’s so basic. However, before I look at the specific recommendations, I want to look at some context. The first is Human Rights law, and the second is that the failings are so basic that anyone of good faith will insist that any remedy is applied to all complaints and disciplinary processes and affairs because the failings are systemic, not specific to handling antisemitism complaints. The article then looks at what a fair and independent process might look like and asks that it take account of the ECHR’s Article 6 and 11, the right to a fair trial and freedom of association. It calls for the retention of the NCC and the provision of legal advice to ensure its independence from the Leader and the NEC. It recognises that the Party must be considered institutionally racist and that attempts to fix the problems have been dogged by factionalism. It calls for the adoption of the Nolan Principles. It recognises that things were worse under McNicol until Formby was appointed. It reaffirms that Labour’s policy and rules are made by Conference and not announcements by the Leadership. These issues are explored in greater detail overleaf …

Things improved under Formby

judges gavel

It is clear from reading the EHRC report, Investigation into antisemitism in the Labour Party that things improved when Jenny Formby became General Secretary in 2018, but the EHRC’s sample data looked back to 2011. The EHRC report states several times that the failure to act on the Royall & Chakrabarti Inquiries is a failing and evidence of Labour’s complicity in the inadequacy of its processes. Much of the failure needs to be placed at the door of the then incumbent General Secretary, Iain McNicol, Formby’s predecessor, and the NEC members that allowed him to act with impunity. Additionally it should be noted, to give an idea of the scale of McNicol and Harman’s ambitions, that over 10,000 complaints were lodged over the summer of 2015, leading to over 5,000 suspension and nearly 4000 investigations, all of them with no policy to guide the investigators and the NEC members making judgement. To expedite the process the NEC set up a wonderfully named Procedures Committee to supervise this purge/examination of eligibility, it consisted of Harriet Harman MP, Margaret Beckett MP, the then general secretary Iain McNicol, Jon Ashworth MP, Keith Birch (Unison), Paddy Lillis (USDAW), Jim Kennedy (Unite), Diana Holland (Unite) and Ann Black (CLP). It’s interesting how some of the names are still around and even more powerful today; the Guardian story exposes how the committee rejected legal advice on using the canvassing records as reasons for exclusion. Canvassing records should only be used for the purpose for which Labour holds them, electoral campaigning, anything else is a likely breach of the electoral secrecy laws. I was advised that I must not use the canvassing records as a source of information when recommending people to be rejected as members or registered supporters during this period.

timeline rules leaders and general secretaries

The Labour Party in an attempt to improve the antisemitism complaints handling process has  changed its rules three times (Conference 2017, 2018 & 2019), the 2017 amendment removed/weakened the free speech defence, the 2018 amendment made breach of codes of conduct disciplinary offences and gave the General Secretary powers to delegate their authority to people other than staff, and 2019 introduced ‘fast track’ process where the NEC and not the NCC heard cases related to discrimination without hearings. These developments show that the Labour Party took the problem seriously but focused on end stages of the process and in doing so, ignored the investigation stage and decision to prosecute which the EHRC has excoriated. The Party also in making these changes created a special class of complaint, that of discriminatory behaviour, which is treated differently to bullying, slander, thuggery and breaches of the rules for factional advantage.

In the LRB review of Jones’ “This Land” and Pogrund & McGuire’s “Left Out”, the James Butler, says, that

His [Jones’s] account is an improvement on the defensive response that the public’s perception of the problem with antisemitism in Labour was distorted, or that positive changes were made to disciplinary procedures after they were taken out of the hands of anti-Corbyn party staff.

James Butler – LRB

This article is not an attempt to say that Labour solved its disciplinary problems under Formby, it clearly didn’t but she inherited a system far distant from what was needed. Its crap etherealness and its then and current inability to address corruption within the bureaucracy are further reasons why the EHRC recommendations should be pursued.  …

Google, the GDPR and Brexit

Google, the GDPR and Brexit

Google are going to move their UK users data from Ireland to the USA. I wrote a little note on my linkedin blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and ompliance with the GDPR and the world’s data protection laws.

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place and I wonder if this is a business opportunity for a European based phone operating system author as people choose to withdraw from Android? Nokia? Canonical? …