No Deal & cross border data flows

I have just written a blog at LinkedIn on the impact of a No Deal Brexit on cross border personal data flows. Obtaining an adequacy agreement will take time; one would have hoped that the transition period would have been enough, but without one there will be no adequacy decision on Day 1. Large and prepared entities may be OK as they can use the currently legally permitted alternatives. The US privacy shield may not be available on Day 1, since it’s an EU agreement. If we leave, we i.e. the UK state may no longer avail itself of the Article 23 powers and the Investigatory Powers Act and the DPA “immigration exception” may cause problems in achieving an adequacy decision. …

Crime & Brexit

As I said, earlier this week I attended a session of the House of Commons Home Affairs Committee. This was called to take evidence on the impact of Brexit as it impacted Europol and the European Arrest Warrant.

I have published a link to the video recording of the event but I took some notes and wanted to share them with you. They interviewed Sir Robert Wainwright, a former Head of Europol and Claude Moraes MEP, Chair of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) and Camino Mortera-Martinez, Research Fellow and Brussels Representative, Centre for European Reform. If we leave, we are unlikely to get a better agreement than Denmark which has withdrawn from Europol and unless we accept the Court of Justice of the European Union, we will be excluded from the European Arrest Warrant. Moraes made the point that the UK’s Investigatory Powers Act may inhibit a data sharing adequacy finding which may lead to a restriction on access to Europol’s databases. …

Privacy & compliance, reprised

I have had a look at the changes in Law, and thus the potential changes in data protection strategy since I first wrote about the conflicts between privacy, compliance and law enforcement.

The US courts have been siding with citizens and their privacy rights, the ECJ has been doing the same. Parliament has been going in the opposite direction, although the Supreme Court has declared the Data Retention laws to be contrary to Human Rights Law and should we actually leave the EU we will find obtaining an “Adequacy” agreement harder than we’d hope as the EU Parliament, Commission and the EU Data Protection Supervisory board focus on the rights of privacy from Governments. This will be a significant problem if the ECJ strikes down the model clauses and binding corporate rules.

I briefly touch on the fact that the European Laws are meant to be implementing the globally agreed seven principles of Data Protection, of Notice, Purpose, Consent, Security, Disclosure, Access and Accountability and that in a rights based jurisdiction, these rights must be protected from the Government as well as from Corporates.

The language has developed since 1980 but these principles were agreed by the OECD in 1980.

I conclude the article by saying,

Today, under EU law, the lawful purpose would seem to be more flexible, cross border transfers are more restricted, and may become more so, and the EU is more concerned about nation state compliance; it’s what you’d expect from a political entity consisting of states and the children of people surviving fascist or Stalinist rule.

This political heritage should be remembered by those that see these laws merely as a business burden, …

On the Chakrabarti Inquiry

I had reason to have another look at the Chakrabarti report, you can imagine why. It saddens me deeply that such a well thought out & evidenced response to the allegations of antisemitic behaviour has not become the benchmark by which the Labour Party judges itself.

When I first read this, to me the implied allegation that the disciplinary process was unsafe because of the lack of professional legal time and latterly the exposure of the fact that the NCC (Judges & Jury) received little or no independent legal advice from the prosecution seemed to me to be possibly the most important finding. After the last week, I am of the view that the gentle yet robust definition of unacceptable behaviour in terms of racism and the Party’s response is equally if not more important.

However, for various reasons[1] the then NEC, decided not to bring the recommendations to conference in 2016. This was recognised as a partial mistake by both sides of the argument i.e. those that wanted harsher rules and those who wanted vanilla Chakrabarti since the rules were changed at Conference 17 to delete the “free speech” defence which would have previously prohibited disciplinary actions against any racists or misogynists. Successful prosecutions will remain difficult as the decisions to “do” Livingstone & Greenstein on “bringing the party into disrepute” and not on antisemitism or use of abusive language in the case of Greenstein prove because, despite having changed its rules at Conference 2017 any decisions are still potentially subject to judicial review.

We i.e. the Labour Party badly need the rest of the Chakrabarti Inquiry recommendations to offer certainty around behavioural acceptability, ensure proportionality in terms of penalty and guarantee a fair trial if things require it. In this, the intra-party sectarian delay, has served it poorly.

The benchmark by which we i.e. Labour judge ourselves should be the Chakrabarti report, not the IHRA definition.

ooOOOoo

In this case, there is more to read ….. …

Investigatory Powers revisited

In December, the CJEU stated that the British and Swedish investigatory powers laws were in contravention to the EU’s Charter of Fundamental Rights. This was in the case of the UK partly based on the litigation started by Tom Watson MP, initially with David Davies MP. This was reported in the Register, here, and the Guardian here. The Open Rights Group have asked for people to engage in the Home Office consultation; they propose to put a judicial warrant requirement on investigation requests for suspect internet data. This blog discusses my contribution. If you want to follow me, you’ll have to be quick; the consultation closes tomorrow. …

The Data Flow implications of Brexit

Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries.  This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation. …

Privacy Law

Here’s an interesting review of the UK’s DP Act and the likely implications of the GDPR/Brexit. The author identifies that the Commission has launched an infraction investigation into the UK’s implementation of the Data Protection Directive, they identify some of the weaknesses and report that despite issuing several freedom of information requests, that the infractions identified by the Commission are secret.

It is suggested that the UK Government will use the Restrictions Article powers to reduce the impact of the GDPR and in doing so may jeopardise the UK’s attempts to obtain an adequacy ruling. I think they’re a bit excitable since UK firms and foreign owned multi-nationals will be able to use model clauses and binding corporate commitments to trade with the EU even without an adequacy ruling, although some firms may choose to relocate, most easily to Dublin.

The article also talks about two court cases which have expanded citizen protection under the DPA using reference to the Directive and the CJEU rulings. After Brexit, the opinions of the CJEU are likely to be irrelevant, …

Why you should be bothered about the Snoopers Charter

Late last year, the UK Parliament passed the Investigatory Powers Act 2016. This law builds on the Regulation of Investigatory Powers Acts and the Data Retention Laws. This law allows the Government to store all our electronic communications traffic, read the content and meta data and co-opt the product and service vendors to help them. I describe this in more detail below.

The Law was written in the aftermath of Court of Justice of the European Union’s (CJEU) ruling in the Schrems vs. Facebook case that the EU’s Data Retention Directive and hence the member state implementations were in contradiction to the EU’s human rights law, the Charter of Fundamental Rights. Parliament had considered aspects of these proposals twice before under the two previous administrations and rejected them.

This article looks at the new Law, criticises it on Human Rights grounds in that it jeopardises the right to privacy, the right to organise, the right to a fair trial and rights to free speech and on IT Security grounds in that the new regulation of encryption products jeopardises access to electronic trust and privacy. It also examines the likely impact of the recent CJEU ruling on the legality of its predecessor law, and in passing, likely conflicts with last year’s passage of the General Data Protection Regulation (GDPR) by the European Union.  …

Oi!, You! No snooping on my emails and chat!

Earlier this week, the Court of Justice of the European Union delivered its judgement on the legality of the UK & Swedish data retention and surveillance laws. They confirmed their ruling from 2015 that general monitoring is illegal, that retention must be specific and is only allowed to combat serious crimes, that access to surveillance records must be authorised by independent authorities and that EU data subjects must have access to legal remediation if their rights to privacy are breached. The Guardian report on it here, the Independent here, the Register here and even the Daily Mash comments here. The UK’s Investigatory Powers Act also gives the government the right to mandate backdoors in UK operated communications products; these powers may also fall foul of the prohibition on general monitoring and the need for independent review. While the ruling is specific to the UK’s DRIPA law, which has now been replaced by the Investigatory Powers Act, it poses a clear challenge to the legality of the new Law. …

Who watches the Watchmen?

In the continuing story of the NSA and their five eyes attempts to do to the world what the GDR’s Stasi did to East Germany, someone finally asks how did we let GCHQ capture and process the internet traffic of the British people, those using the transatlantic internet cables and using the decryption technology to spy on allies and diplomats engaged in economic talks and treaties. On the 31st October, Julian Huppert MP with cross bench support from Tom Watson MP and Dominic Raab MP managed to get time in the Westminster Hall committee room to debate Parliament’s oversight of the Intelligence agencies, specifically GCHQ, but let’s not forget our old friends, the burglars at MI5. The debate was broadcast on Parliament TV, and transcribed in Hansard here. Both the Video and Hansard report the debate verbatim, and so if you want to hear what the MPs said, then you’ll have to use those resources. The rest of this article is a personal comment on the meeting. …