Monthly Archives: February 2019

Data Protection and Brexit: Changes to UK law (Part 1)

This is the first in a series of blog posts that I intend on doing over the next period which look at some of the changes to the GDPR and the Data Protection Act 2018 that will be brought about by the withdrawal of the United Kingdom from the European Union. In my 2018 information law review, published in January, I noted that the UK Government had published The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (Draft). These regulations, made pursuant to the powers conferred upon the Government in terms of the European Union (Withdrawal) Act 2018, make significant changes to the GDPR and the Data Protection Act 2018 in order to ensure that they both still work and make sense once the UK has withdrawn from the European Union. They will not enter into force until “exit day”.

Representatives
Currently any controller or processor (excluding those who fall within limited exceptions) established outside of the EU require to appoint a representative within the EU as a point of contact for data subjects and the supervisory authorities. The draft 2019 Regulations will amend this requirement so that any controller or processor not established in the United Kingdom will be required to appoint such a representative within the United Kingdom. This will apply to controllers and processors based in EU and EEA states after “exit day”. Therefore it is important that EU and EEA businesses who are not established with the UK, but collect personal data of data subjects in the UK, turn their minds to appointing such a representative within the UK in time for exit day.

Equally, it should be noted that UK businesses currently do not need to appoint such representatives within the EU/EEA because the UK is an EU member. When the UK leaves the European Union it will be necessary for UK businesses to comply with Article 27 of the EU GDPR; therefore, a representative within one of the 27 EU member states will need to be appointed.

Adequacy decisions
Under the GDPR the European Commission has the power to make adequacy decisions. These are decisions which allow the flow of personal data to a territory (or a part of a territory or sector within a territory) outside of the EU. The draft 2019 Regulations will insert new provisions (sections 17A and 17B) into the Data Protection Act 2018 establishing a very similar regime which will allow the Secretary of State to make “adequacy regulations” these will function in much a similar way. It is probably quite likely that one of the first adequacy regulations to be made will specify that the EU and EEA states have an adequate level of personal data protection.

The UK, upon exit day, will fall outside of the European Commission agreements and adequacy decisions (such as the EU-US “safe harbour” agreement). Similar agreements will need to be agreed with the UK. Controllers who currently rely on adequacy decisions of the Commission will need to think about how they will comply with UK data protection law in respect of international transfers of personal data, post-brexit.

Standard data protection clauses
Under the GDPR the European Commission has the power to adopt standard data protection clauses which, if used, will give an adequate level of protection for personal data when that personal data is transferred to a non-EU member state.

The draft 2019 Regulations will insert a section 17C into the Data Protection Act 2018, which will give the Secretary of State the power to make regulations specifying “standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR.”  In essence, the power of the Commission will transfer to the Secretary of State on exit day.

Administrative Fines
The power of the Information Commissioner to issue administrative fines (or, in the language of the Data Protection Act 2018, ‘Penalty Notices’) will continue to exist when the UK leaves the European Union. The maximum amounts of those penalties are currently expressed in Euros (although the Data Protection Act 2018 requires the Information Commissioner to issue the penalties in pounds sterling). The draft 2019 Regulations will amend the maximum amounts to convert them into pounds sterling as opposed to Euros. The €10,000,000 figure will change to £8,700,000; while the €20,000,000 figure will become £17,500,000. These figures are roughly what the euro figures convert to using the current exchange rates.

These are just some of the many changes that will be made by the draft 2019 Regulations. I hope to be able to do some more blog posts looking at some of the other changes contained within the draft 2019 regulations as we approach the 29th March 2019 (the date on which the UK is scheduled to leave the European Union).

Alistair Sloan

If you require advice or assistance in respect of a privacy/data protection, or any other information law, matter then contact Alistair Sloan on 0141 229 0880 or you can send him an E-mail. You can also follow our dedicated information law twitter account.

FOI in Scotland: Registered Social Landlords

Last week the Scottish Ministers laid The Freedom of Information (Scotland) Act 2002 (Designation of Persons as Scottish Public Authorities) Order 2019 (Draft) before the Scottish Parliament for the approval of the Parliament, as they are required to do in terms of the Freedom of Information (Scotland) Act 2002 (“FOISA”). This order is a long anticipated order to bring Registered Social Landlords (“RSLs”) within the scope of FOISA by designating them as Scottish public authorities. If approved (and there is nothing to suggest that the Order will not be approved by the Scottish Parliament), it will mean that RSLs (and their subsidiaries) will be designated as Scottish public authorities from 11 November 2019. Some had been hoping that they would have been designated from April this year, while others had been hoping that it would be April 2020. The Scottish Ministers appear to have split the difference and given RSLs a period of around 9 months to prepare for becoming Scottish public authorities.

RSLs have been, following a number of decisions of the Scottish Information Commissioner (which have never been appealed to the Court of Session), Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004 for a number of years. There is, however, some debate about whether they remain so, following some changes to the regulatory landscape pertaining to RSLs. It has not yet, to my knowledge, been tested whether they still are Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004. Whether the changes to the regulatory landscape of RSLs has had the effect of them no longer being Scottish public authorities, for the purposes of the Environmental Information (Scotland) Regulations 2004, is somewhat immaterial; designation as a Scottish public authority for the purposes of FOISA also means that they will be Scottish public authorities for the purposes of the Environmental Information (Scotland) Regulations 2004.

It should be noted that the draft order has been drafted in such a way so as to make RSLs Scottish public authorities for limited purposes only. They will be Scottish public authorities in respect of the following functions:

  1. providing housing accommodation and related services and includes anything done, or required to be done, in relation to:- (a) the prevention and alleviation of homelessness; (b) the management of housing accommodation (limited to the management of housing accommodation for which a registered social landlord has, under the Housing (Scotland) Act 2001, granted a Scottish secure tenancy as defined in section 11 or a short Scottish secure tenancy as defined in section 34 of that Act); (c) the provision and management of sites for gypsies and travellers, whatever their race or origin; and
  2. the supply of information to the Scottish Housing Regulator by a registered social landlord or a connected body in relation to its financial well-being and standards of governance.

A register of social landlords can be found on the website for the Scottish Housing Regulator.

Alistair Sloan

We are able to provide advice and assistance to public authorities and requesters in connection with matters concerning Freedom of Information laws; if you would like advice and assistance in connection with these matters, or any other information law matter, please contact Alistair Sloan on 0141 299 0880 or by E-mail. You can also follow our dedicated Information Law Twitter account.

Developing the Information Expressway

The Upper Tribunal has recently considered the meaning and scope of the exception in Regulation 12(4)(d) of the Environmental Information Regulations 2004 (“the EIRs”). This exception allows a public authority to withhold environmental information in response to a request where “the request relates to material which is still in the course of completion, to unfinished documents or to incomplete data”.

Highways England Company Limited v Information Commissioner and Henry Manisty [2018] UKUT 432 (AAC) concerned a request made to Highways England by Mr Manisty in December 2016. Mr Manisty request related to the possible route of the Expressway between oxford and Cambridge being investigated by Highways England. His request was refused by Highways England and the Information Commissioner did not uphold Mr Manisty’s subsequent complaint to her office. Mr Manisty appealed to the First-Tier Tribunal who allowed his appeal, deciding that the exception in Regulation 12(4)(d) did not apply. Highways England sought, and was granted, permission to appeal to the Upper Tribunal.

Upper Tribunal Judge Jacobs reminds us that as the EIRs implement an EU Directive they must (for now) be interpreted in a way that accords with the normal principles that apply to EU law. Judge Jacobs reminds us that one of those principles is that the exceptions must be interpreted restrictively. Judge Jacobs points out that this is a separate consideration from the presumption in favour of disclosure enshrined within the EIRs; that presumption simply allocates the burden of proof while the restrictive approach defines the scope of the exception.

Judge Jacobs also addresses the Aarhus Convention and the Implementation Guide. The EU Directive, which the EIRs implements, implements the Aarhus Convention into EU law and so regard has to be had to the convention when interpreting the EIRs and the Directive. Judge Jacobs, in paragraph 19, reviews some of the relevant case law and concludes that the Implementation Guide “can be used to aid interpretation, but it is not binding and cannot override what the Convention provides.”

Judge Jacobs includes two helpful paragraphs setting out what the exception does not mean. When deciding the scope of the exception it is not permissible to take into account any adverse consequences that disclosure might have. This is relevant for the purposes of determining where the public interest lies and also, perhaps, deciding whether the exception is engaged. Judge Jacobs states that “[a]dverse consequences must not be made a threshold test for regulation 12(4)(d).” [para 21]

Judge Jacobs considers what “material” and “relates to” means within the exception. In respect of “material”, he considers that the word material “is not apt to describe something incorporeal, like a project, an exercise or a process.” The material in question may form part of a project or process etc.; however, the material in question must itself be in the course of completion. We are not necessarily concerned with whether the project is in the course of completion. [para 23] Judge Jacobs also holds that “[m]aterial includes information that is not held in documents and is not data: things like photographs, film, or audio recordings.” [para 24]

Having already looked at what the exception does not mean, Judge Jacob eventually gets around to deciding what the exception does mean. He notes, in paragraph 28, that the language in the exception is “deliberately imprecise.” That being said, Judge Jacobs, in paragraph 30, returns to the principle that the exception should be applied restrictively. The imprecise language does not mean the exception can be applied “so widely as to be incompatible with the restrictive approach required by EU law.” At the same time it cannot be applied so narrowly that its purpose is defeated. In paragraph 31 of the decision, Judge Jacobs, identifies yet another deliberately vague expression within the exception: ‘piece of work’. The judge identifies some factors that may be of some assistance in applying the exception. For example, if there has been a natural break in the public authority’s private thinking; or, perhaps, the public authority is at a stage where publicity around its progress so far is taking place. The continuing nature of the project, process or exercise might also be a relevant feature. However, public authorities shouldn’t get too excited: this is not, by any means, a checklist. Judge Jacobs makes it clear that each case will turn on its own circumstances.

Public authorities should also be aware that their own internal labels will not be determinative of matters; it is not possible to, in the words of Judge Jacobs “label [your] way out of [your] duty to disclose.” Labels such as “draft or preliminary thoughts may, or may not, reflect the reality.” [para 32]

Counsel for Highways England is recorded as having emphasised legal certainty and its importance. Judge Jacobs accepts that his decision will not produced legal certainty in the way that was possibly envisaged by Counsel for Highways England. Judge Jacobs notes that its application will not be easy; however, issues of judgement are involved and that limits what can be achieved.

In deciding that the First-Tier Tribunal had not erred in law, Judge Jacobs took the view that, when reading the First-Tier Tribunal’s reasoning as a whole; its approached accorded with his analysis of the operation of the exception. The First-Tier Tribunal “understood that it was exercising a judgment on whether the information requested could now properly be considered as independent from the continuing work on the Expressway.”

So, what have we learned? Judge Jacobs has certainly gone through the exception carefully and produced what he considers to be the best that can be achieved in terms of defining the scope of the exception in Regulation 12(4)(d). Its scope is narrow, but not so narrow as to defeat the policy intention of providing a space for public authorities to think in private; however, its imprecise nature should not be taken as giving public authorities cart blanche. Each and every case will turn on its own circumstances and a degree of judgement is involved in determining whether the exception will apply or not.

There are also some useful reminders (for now) about the need to utilise EU law principles when interpreting the EIRs. There is also a useful reminder, in paragraph 6, about the approach that the Upper Tribunal adopts when considering an appeal. It is unlike the First-Tier Tribunal; it is not conducting a re-hearing of the case. The Appellant has to show that the First-Tier Tribunal erred in law. We are also reminded that the nature of the language of the provision has to be taken into account when considering legal certainty; it is therefore not always possible to give a precise exposition of the scope of a provision – sometimes, it really does just come down to a matter of judgement.

Alistair Sloan

We are able to provide advice in connection with a wide range of information law matters, including Freedom of Information Act/Environmental Information Regulations appeals. If you would like advice and assistance on any of these matters then please contact Alistair Sloan on 0141 229 0880 or by E-mail. You can also follow our dedicated information law account on Twitter.