NIPC Data Protection


Tuesday, 17 October 2017

Data Protection Bill: Second Reading

Author HM Government
Licence Open Government Licence v.3
Source Gov.UK website

Jane Lambert

Lord Ashton, the Parliamentary Under-Secretary of State, Department for Digital, Culture, Media and Sport, presented the Data Protection Bill for its second reading in the House of Lords on 10 Oct 2017. Twelve peers spoke in the debate: three Conservative, two Labour, two Liberal Democrat, one bishop and four cross-benchers. The debate is reported in Hansard (see 15:34 and 18:52 on 10 Oct 2017).

The most interesting speeches were those of Lord Ashton, who outlined the legislation and the reasons for introducing it, and Lord Pannick, who explored the relationship of the Bill to the General Data Protection Regulation. The Bill was given a fair wind by the opposition parties, but concern was expressed about the new burdens it might impose on small local authorities and the protection it afforded to children and other vulnerable persons.

The Bill will now be scrutinized by a committee of the whole House at the end of this month.

Should anyone wish to discuss this article, the Bill, the General Data Protection Regulation or data protection generally, he or she should call me on 020 7404 5252 or send me a message through my contact form.

Saturday, 16 September 2017

Introduction to The Data Protection Bill



Jane Lambert

On 14 Sept 2017, the Government introduced The Data Protection Bill into the House of Lords. The purpose of the Bill is to
"Make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of conduct; and for connected purposes."
The Bill is needed to implement Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, which comes into force on the 5 May 2018, and to maintain in force the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) ("the GDPR"), after we leave the EU.

The need to continue the provisions of the GDPR was spelt out in the Commission's Position Paper on the Use of Data and Protection of Information Obtained or Processed before the Withdrawal Date which I discussed in Commission Position Paper on Data Protection and Protection of Information obtained or processed before the Withdrawal Date 15 Sep 2017 NIPC Brexit:
"It is recalled that the United Kingdom's access to networks, information systems and databases established by Union law is, as a general rule, terminated on the date of withdrawal.
The United Kingdom or entities in the United Kingdom may keep and continue to use data or information received/processed in the United Kingdom before the withdrawal date and referred to below only if the conditions set out in this paper are fulfilled. Otherwise such data or information (including any copies thereof) should be erased or destroyed.
The principles set out in this paper should also apply, mutatis mutandis, to personal data, data or information which was received /processed by the United Kingdom or entities in the United Kingdom after the withdrawal date pursuant to the Withdrawal Agreement."
The conditions set out in the Position Paper will be implemented by the GDPR and continued by the Bill when it comes into law.

The Bill consists of 194 clauses and 18 Schedules. Clause 1 contains an overview:
"1 Overview
(1) This Act makes provision about the processing of personal data.
(2) Most processing of personal data is subject to the GDPR.
(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5) Part 4 makes provision about the processing of personal data by the intelligence services.
(6) Part 5 makes provision about the Information Commissioner.
(7) Part 6 makes provision about the enforcement of the data protection legislation.
(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament."
The Department of Culture, Media and Sport has published the press release Data laws to be made fit for digital age and fact sheets containing an Overview of the Bill, General Data Processing, Law Enforcement Data Processing, National Security Data Processing and The Information Commissioner and Enforcement. There are also Explanatory Notes.

The Bill has already had its first reading in the House of Lords and will have its second on the 10 Oct 2017. I will follow the Bill as it makes its way through Parliament and analyse its provisions. I will also analyse the GDPR and the Directive as the day for their implementation approaches.

Should anyone wish to discuss the Bill or the GDPR and Directive, he or she should call me during office hours on +44 (0)20 7404 5252 or send me a message through my contact form. 

Saturday, 26 August 2017

HMG's Exchange and Protection of Personal Data Position Paper

Jane Lambert

Even though it has absolutely nothing to do with the rights of the citizens of the remaining member states in the UK or those of British citizens in the remaining member states, the Irish border or our residual financial commitments to the EU budget that are the subject of the present art 50 negotiations, our government has published a position paper entitled The exchange and protection of personal data. The paper discusses how the UK could continue to cooperate with the Commission and the supervisory authorities of the other member states on data protection if and when it leaves the EU in March 2019.

The government's thinking is not hard to discern. Despite attempts by the Coalition and Conservative Governments to rebalance the British economy since 2010, it remains overwhelmingly services-orientated. Financial services are particularly important to the United Kingdom and these depend on the free flow of personal data. If and when we leave the European Union, the General Data Protection Regulation will cease to apply to us and we shall become a "third country" for the purposes of the Regulation.

Art 44 of the Regulation would then apply:
"Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
In other words, the unrestricted flow of personal data between financial institutions in the UK and their customers, suppliers and partners in the remaining EU member states, which is the lifeblood of the banking, insurance, fintech and so many other industries, ceases unless and insofar as the provisions of Chapter V of the Regulation can be met.

The position paper seems to be a response to art 44 of the Regulation. Paragraph 4 of the paper states:
"After the UK leaves the EU, new arrangements to govern the continued free flow of personal data between the EU and the UK will be needed, as part of the new, deep and special partnership. The UK starts from an unprecedented point of alignment with the EU. In recognition of this, the UK wants to explore a UK-EU model for exchanging and protecting personal data, which could build on the existing adequacy model, by providing sufficient stability for businesses, public authorities and individuals, and enabling the UK’s Information Commissioner’s Office (ICO) and partner EU regulators to maintain effective regulatory cooperation and dialogue for the benefit of those living and working in the UK and the EU after the UK’s withdrawal."
Paragraph 6 emphasizes the UK's vulnerability in this regard:
"Estimates suggest that around 43 per cent of all large EU digital companies are started in the UK, and that 75 per cent of the UK’s cross-border data flows are with EU countries. Analysis indicates that the UK has the largest internet economy as a percentage of GDP of all the G20 countries, and has an economy dominated by service sectors in which data and data flows are increasingly vital. The UK accounted for 11.5 per cent of global cross-border data flows in 2015, compared with 3.9 per cent of global GDP and 0.9 per cent of global population, but the value of data flows to the whole economy and the whole of society are greater still."
As the next paragraph notes, any disruption of cross-channel data flows would harm both the UK and the remaining member states but it would harm the UK more because financial services are so important to this country. Moreover, disruption of data flows between London and the rest of the EU might be the ill wind that diverts business and investment from London to continental financial centres and Dublin.

The paper is very short - some 15 pages including the covers.  The first 4 paragraphs are an executive summary.  The next 5 are an introduction which stresses the importance of transborder data flows for financial services and security cooperation. The following 3 headed "Context" explain why states need data protection laws. The paper traces the UK's commitment to data protection back to Younger though it omits to mention that a major incentive to implement our own data protection legislation was the refusal of the Swedish data protection authority on 12 April 1974 to allow a Swedish local authority to transmit health and social security records to a British company that had contracted to supply plastic identity tags. The next four paragraphs summarize the General Data Protection Regulation and the Data Protection Directive and the UK's plan to continue the protection afforded by that legislation with a new Data Protection Bill (see my article What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit). Other international arrangements for data protection such as the Council of Europe Convention and the OECD Guidelines on Transborder Data Flows are discussed in paragraphs 17 and 18.

The really interesting bits of the paper are paragraphs 19 and 22, which outline the UK's objectives. Paragraph 21 states that it is the UK’s ambition to remain a global leader on data protection, by promoting both the flow of data internationally and appropriate high levels of data protection rules, and paragraph 22 explains why:
"as the UK and the EU build a new, deep and special partnership, it is essential that we agree a UK-EU model for exchanging and protecting personal data, that:
  • maintains the free flow of personal data between the UK and the EU; 
  • offers sufficient stability and confidence for businesses, public authorities and individuals; 
  • provides for ongoing regulatory cooperation between the EU and the UK on current and future data protection issues, building on the positive opportunity of a partnership between global leaders on data protection; 
  • continues to protect the privacy of individuals; 
  • respects UK sovereignty, including the UK’s ability to protect the security of its citizens and its ability to maintain and develop its position as a leader in data protection; 
  • does not impose unnecessary additional costs to business; and 
  • is based on objective consideration of evidence."
The remainder of the paper discusses the close cooperation between the Information Commissioner and her opposite numbers elsewhere and the undoubted advantages of maintaining that cooperation. Realistically, the paper also includes an annexe on how businesses can comply with Chapter V of the Regulation if there is no UK-EU model but observes that that would be much more burdensome for business than somehow finding a way to continue the existing arrangements.

The paper shows that a UK-EU model for exchanging and protecting personal data is something that the British need badly from the art 50 negotiations. It is not yet on the formal agenda and if I were advising Michel Barnier and his team I would not be in a hurry to put it on the agenda unless and until we see some movement on the rights of citizens at least equivalent to those of investors in bilateral investment treaties and maybe a little bit more money into the divorce settlement.

Should anyone wish to discuss this article or data protection law generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.

Friday, 11 August 2017

Welcome to NIPC Data Protection

Jane Lambert

On 25 May 2018 the General Data Protection Regulation ("the GDPR") takes effect in every member state of the European Union including the United Kingdom. The position has been complicated in this country by last year's referendum on EU membership which means that the Regulation will cease to apply to the UK on the 29 March 2019 when we leave the EU unless there is evidence of a sufficient change of heart on the part of the public to persuade the government to change tack.

A fair-sized industry of consultants, publishers and conference organizers has grown up to prepare businesses for the introduction of this legislation. As Elizabeth Denham, our Information Commissioner, has pointed out in GDPR – sorting the fact from the fiction 9 Aug 2017, there have been a lot of scare stories about the GDPR and not a little misinformation. There will be some changes as a result of the GDPR. Data subjects will get new rights on 25 May 2018 and there will be increased sanctions for non-compliance. Those changes, however, are evolutionary rather than revolutionary. It should not be too difficult to prepare for them or to manage them.

Because it is a regulation rather than a directive, the GDPR does not require any implementing legislation. However, there will be a new data protection statute for the United Kingdom for three reasons. The first is to transpose the Data Protection Law Enforcement Directive into the laws of the United Kingdom. The second is to confer rights on data subjects that are not provided by the GDPR such as the right to require social media platforms to delete information held on them at age 18. The third reason for the new Act is to preserve the provisions of the GDPR after Brexit day as I noted in What will happen to the GDPR in the United Kingdom after Brexit? 10 Aug 2017 NIPC Brexit.

Like the Data Protection Directive which it replaces, the policy of the GDPR is to give effect to the Council of Europe Data Protection Convention and the OECD Guidelines on Transborder Data Flow having regard to changing technology and applying the experience of the operation of the Data Protection Directive. As before, the objectives are to facilitate transborder data flow while protecting the privacy and other interests of individuals.

The Data Protection Law Enforcement Directive is new. It seeks to harmonize the use of information technology by law enforcement agencies throughout the member states. However, that legislation also traces its wellspring to the Council of Europe's Data Protection Convention which itself applies the European Convention on Human Rights to data processing. Art 63 (1) of the Law Enforcement Directive requires member states to transpose it into national law by 6 May 2018.

Over the next few weeks I shall write about various aspects of the Law Enforcement Directive and the GDPR as the 6 and 25 May 2018 draw closer. I shall also write about the Data Protection Bill as it makes its way through Parliament. I have started with a glossary as the terminology used in the GDPR is different from that of the Data Protection Directive. In that endeavour, I hope to remove some of the hot air and panic about the new legislation.

Should anyone wish to discuss this article or data protection generally, he or she should call me on +44 (0)20 7404 5252 during office hours or send me a message through my contact form.