Last Monday, some
prominent European data protection commentators, each with links deep within European
Commission institutions, predicted that we would see fewer EU officials
travelling to the UK to discuss and negotiate EU positions in future.
Why?
Because,
increasingly, the UK is judged as “a lost cause”.
Monday’s
workshop on the Data Retention and investigatory Powers Act, held at the Free
Word Centre in Central London, with proceedings conducted (mostly) under
Chatham House rules, was attended by a fair smattering of the UK’s data
protection finest academics, practitioners and campaigners, together with some
of the greatest of the good of the land.
While the
focus of the meeting was on what ought to happen next in light of the speedy
passage of DRIP through Parliament, and what preparations needed to be made to
facilitate a more fundamental review of the Regulation of Investigatory Powers
Act, 2000, a number of key observations were made which illustrate just how significantly
the tectonic plates which frame the relationship between the UK and the
European Union are shifting.
From a data
protection perspective, this shift has some key implications.
Most
importantly, the debate within the UK as to whether the new legal instrument
setting out new data protection rules should be cast as a Regulation or a
Directive becomes less significant.
Why?
Because by
the time the deadline arrives for the new legal instrument to be implemented by
EU Member States, the UK needs to plan for the possibility that it won’t be an EU
Member State any more. In light of the “in-out EU referendum”, whenever that is
held, some very smart minds now need to plan for the contingency that the UK
will have cast itself away from the EU, and will therefore expect to be treated
as a non-EU country with “adequate” data protection safeguards. Just like
Andorra, Argentina, Guernsey, the Faroe Islands, the Isle of Man, Israel,
Jersey, Uruguay and Israel – to mention but a few.
In this
scenario, the UK’s revisions to the current 1988 Data Protection Act need not
be as radical and as dogmatic as the changes that might be imposed on the data
controllers situated elsewhere in the EU. The UK could even keep its DPA
registration fee – which might well come as a relief to the MoJ bods currently
struggling with the task of inventing a scheme similar to (but not called the
same as) the current ICO funding process. This will allow data controllers,
rather than public funds, to continue to meet the lion’s share of the ICO’s
budget.
In this
scenario, the UK won’t need to adopt all of the provisions in a Regulation to
be accepted as having “adequate” data protection arrangements. Remember, after
all, what the Article 29 Working Party had to say about the Faroe Islands back
in 2007:
“While
Faeroese law may not meet every requirement imposed upon the Member States by
the Data Protection Directive, the Working Party is aware that adequacy does
not mean complete equivalence with the level of protection set by the
Directive. Thus, on the basis of the above mentioned findings, and the
additional information given by the Faroe Islands, the Working Party concludes
that the Faroe Islands ensure an adequate level of protection within the
meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and
of the Council of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data.”
Another
really significant insight from the workshop came from someone who suggested
that a huge amount of the blame for the UK needing to pass its emergency DRIP
legislation actually lay at the door of the Irish Government.
Why?
Because had
the Irish Government not have so spectacularly delayed the proceedings (it
really not have needed to have taken some 7 years for the relevant cases to
have been heard by the European Court of Justice), the legal arguments would
have been assessed by judges in a “pre-Snowden” climate, where public
“interest” (and press “outrage”) at the alleged activities of various national
security agencies would have registered at a much lower level.
The Irish
Government originally opposed the data retention proposals as it wanted
communications data to be retained for 3 years, rather than the maximum of 2
years that was eventually agreed. So, it
is ironic that much of the credit for striking down the Data Retention Directive
has been taken by an Irish digital rights organisation.
The topic of
drafting fresh EU-wide communications data retention legislation for law
enforcement purposes seems currently far too toxic for the policymakers of EU
Member States and for EU officials to want to visit again.
Before they
do, they will need to possess more credible sets of cojones.
Source:
Image
credit:
.
Posts
