Category Archives: Brexit

New Model Clauses – a Mishcon podcast

My colleagues, partners Adam Rose and Ashley Winton, discuss the new European Commission Standard Contractual Clauses announced on 4 June 2021. I honestly can’t think of two better people to discuss what they mean.

Initial Reactions: New Standard Contractual Clauses (mishcon.com)


Filed under adequacy, Brexit, consistency, Data Protection, data sharing, EDPB, Europe, GDPR, international transfers, Schrems II

There’s nothing like consistency

A tale of two Member States, and two supervisory authorities.

First, the Belgian Data Protection Authority is reported to have fined a controller €50,000 for, among other infringements, appointing its director of audit, risk and compliance as its Data Protection Officer (DPO). This was – the DPA appears to have said – a conflict of interest, and therefore an infringement of Article 38(6) of the General Data Protection Regulation (GDPR).

Second (and bearing in mind that all cases turn on their specific facts), one notes that, in the UK, the Data Protection Officer for the Information Commissioner’s Office (ICO) is its Head of Risk and Governance.

Let’s speculate –

Are the tasks of a Head of Risk and Governance likely to be similar to those of a director of audit, risk and compliance?

Would the Belgian DPA take the view that its UK equivalent is infringing GDPR, by appointing as DPO someone in circumstances which create a conflict of interest? (ICO notably says “[In respect of the combined roles of] DPO and Head of Risk and Governance, the tasks and focus of each role complement each other, and do not conflict. Neither responsibility is focused on determining the purposes and means of processing personal data but are both focused on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions”).

What view would the European Data Protection Board take, if asked to consider the matter under the GDPR consistency mechanism (for instance on receipt of a request for an Opinion, under Article 64(2))?

Does it matter, given Brexit?

And if it doesn’t matter immediately, might the status and position of the ICO’s DPO be one of the factors the European Commission might subsequently take into account, when deciding whether post-Brexit UK has an adequate level of protection, as a third country?

No answers folks, just questions.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under adequacy, Brexit, consistency, Data Protection, Europe, GDPR, Information Commissioner

FOIA’s not the only route

News emerges of a potential judicial review attempt to force disclosure of government Brexit papers not under FOI but under common law and human rights to information

More than three years ago the Supreme Court handed down judgment in a long-running piece of litigation under the Freedom of Information Act 2000 (FOIA). Journalist Dominic Kennedy had attempted to get disclosure from the Charity Commission of information relating to inquiries into George Galloway’s “Mariam Appeal”. The Commission said, in effect, that the absolute exemption to disclosure at section 32(2) of FOIA was the end of the story, while Kennedy argued that Article 10 of the European Convention on Human Rights imposed a positive obligation of disclosure on public authorities, particularly when the requester was a “public watchdog” like the press, and that s32(2) should be read down accordingly to require disclosure in the circumstances (I paraphrase). In his leading opinion Lord Mance gave this stirring introduction:

Information is the key to sound decision-making, to accountability and development; it underpins democracy and assists in combatting poverty, oppression, corruption, prejudice and inefficiency. Administrators, judges, arbitrators, and persons conducting inquiries and investigations depend upon it; likewise the press, NGOs and individuals concerned to report on issues of public interest. Unwillingness to disclose information may arise through habits of secrecy or reasons of self-protection. But information can be genuinely private, confidential or sensitive, and these interests merit respect in their own right and, in the case of those who depend on information to fulfil their functions, because this may not otherwise be forthcoming. These competing considerations, and the balance between them, lie behind the issues on this appeal.

What was most interesting about the judgment in Kennedy, and, again, I disrespectfully heavily paraphrase, was that the Supreme Court basically said (as it has been wont to do in recent years) – “why harp on about your rights at European law, don’t you realise that our dear old domestic friend the common law gives you similar rights?”

the route by which [Mr Kennedy] may, after an appropriate balancing exercise, be entitled to disclosure, is not under or by virtue of some process of remodelling of section 32, but is under the Charities Act construed in the light of common law principles and/or in the light of article 10 of the Human Rights Convention, if and so far as that article may be engaged

This greatly excited those in the information rights field at the time, but since then, there has been little of prominence to advance the proposition that FOIA rights are not the only route [Ed. there’s a great/awful pun in there somewhere] but it did get a positive airing in R (Privacy International) v HMRC [2014] EWHC 1475 (Admin) (on which see Panopticon post here).

Yesterday (12 October) barrister Jolyon Maugham announced that his Good Law Project was seeking donors towards a judicial review application if the government refused to publish information and reports comparing the predicted economic harm of Brexit with the predicted economic benefits of alternative free trade agreements. Keen followers of information rights litigation will note that Tim Pitt-Payne and Robin Hopkins are instructed: the potential respondents should quake in their boots.

Well worth watching this, and well worth – in my opinion – donating towards the cause.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Brexit, Freedom of Information, human rights, Open Justice

An adequate response to Brexit?

[This post was updated on 01.08.16 to include a comment from the ICO]

The mysterious case of the vanishing ICO post-Brexit statement 

On 24 June, as 48% of the UK was holding its head in its hands and wondering what the hell the other 52% had done, the Information Commissioner’s Office (ICO) issued a statement. It said

If the UK is not part of the EU, then upcoming EU reforms to data protection law would not apply directly to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

I have a screenshot of the statement:

[Screenshot of the original ICO statement]

Why a screenshot? Well, because if you follow the url for the page in question (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/06/referendum-result-response/) it now redirects to a different page, containing an “updated” statement from former Commissioner Chris Graham:

Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.

With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.

Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.

One notes that references to adequacy, and equivalence with the General Data Protection Regulation, have disappeared. And one wonders why – does the ICO now think that a post-Brexit UK would not need to have equivalent standards to the GDPR? If so, that would certainly represent a bold position. In a response to a request for a comment an ICO spokesperson informed me that

We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position

I’m grateful to them for this, and it is in itself very interesting. Privacy Laws and Business recently informed their news feed subscribers that the government is keen to hear from stakeholders their views on the future of the UK data protection regime, so maybe everything is up for grabs.

But a fundamental point remains: if the EU (and indeed the CJEU – see Schrems et al) currently has exacting data protection standards for external states to meet to secure trading rights, realistically could the UK adopt a GDPR-lite regime? It strikes me as a huge risk if we did. But then again, voting for Brexit struck me as a huge (and pointless) risk, and look what happened there.

Ultimately, I’m surprised and disappointed the ICO have resiled from their initial clear and sensible statement. I would have preferred that, rather than “noting the debates” about post-Brexit data protection, they actually directed and informed those debates.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Brexit, GDPR, Information Commissioner