Why the UK is unlikely to get an adequacy determination post Brexit

Opinion This article adds two reasons to why I think a post-Brexit UK is very unlikely to offer an adequate level of protection in terms of the General Data Protection Regulation (GDPR).

One reason relates to recent comments made by Prime Minister Theresa May about human rights. The other relates to the non-compliance of the national security agencies with their existing data protection obligations under the Data Protection Act 1998 (DPA).

Mayday! Mayday! Mayday for human rights

According to the Daily Telegraph, Prime Minister May is planning to withdraw from the European Convention of Human Rights (ECHR) in favour of a UK based Human Rights law that gives the Supreme Court the last say in how a human rights regime applies in the UK.

The plans will be headlined in the Conservative manifesto for the next General Election. The consequence of such plans can be illustrated by the case of Marper v UK dealing with the retention of DNA samples by the police.

In Marper, the UK’s highest Court (the House of Lords as it then was) came to a unanimous decision (with a panel of 5 judges) that retention of DNA profiles, on individuals who had been arrested but who had been subsequently acquitted, comprised a lawful interference of private life in terms of Article 8 of the ECHR.

This meant that their DNA profiles could be retained lawfully by the police and profile details could be stored lawfully in the National DNA database.

The same position applied to the retaining of DNA profiles in circumstances where DNA was taken from a person at the point of arrest but where the prosecution was discontinued. Such retention of DNA profiles and related personal data also did not breach Article 8.

By contrast, the European Court ruled unanimously (this time a panel of 17 judges) that retention in the two circumstances identified above was an unlawful interference with private life. This judgment overruled the House of Lords and required the UK to enact new DNA rules which can be found in Chapter 1 of the Protection of Freedoms Act 2012.

In other words, if PM May’s policy were in place at the time of Marper, the UK police could have continued its DNA retention policy, storing records on innocent people (contrary to the practice of other European police forces). See here for why the European Court and the UK Courts differ on data retention.

Why the divergence?

Basically, the House of Lords in Marper expressed the view that to engage Article 8 to any significant degree, there had to be something more than mere retention of DNA profiles.

For example, suppose personal data just sit in a database without any further use or disclosure. Applying the Marper judgment, one would conclude that there is not a significant interference with private life as nothing happens to the personal data; they are just stored passively.  It is a subsequent use or disclosure that activates the stored personal data and which creates any interference with private life.

By contrast, the European Court of Human Rights have always found that the fact of retention of personal data engages the Article 8 right to a significant degree.  From its perspective, no further use or disclosure is required.

This divergence of view is also at the heart of the bulk personal data provisions in the Investigatory Powers Act 2016 (which, no doubt, will be challenged as being inconsistent with Article 8).

Section 199(1) of that Act states that in a bulk personal dataset “the majority of the individuals are not, and are unlikely to become, of interest to the intelligence service in the exercise of its functions”. My emphasis to show there is bulk collection and retention of personal data on individuals who are not of interest to the data controller.

If the ECHR follows previous judgments, it is likely to find such bulk personal dataset retention unacceptable in terms of Article 8. By contrast, the UK Courts might not make such a finding, especially if they do not have to follow previous European Court of Human Rights judgements on this topic (which is, of course, is the objective of Theresa May’s plan).

This means that, over time, divergences between UK and European Courts over Article 8 will occur in other areas (data retention being only one obvious area), and different human-rights based privacy standards will be the inevitable outcome.

That is why I cannot see how a Brexit UK can ever be deemed adequate in data protection terms if it does not abide by data protection judgments (e.g. on data retention), linked to Article 8, which are accepted by the rest of European Union.

Obvious counter-measure

The counter-measure is obvious: the European Commission merely makes any adequacy determination for a post-Brexit UK contingent on the UK implementing judgments of the European Court of Human Rights that relate to data protection (e.g. no Article 8 compliance, then any UK adequacy determination automatically lapses).

For good measure, I think the same argument applies for data protection rulings on the GDPR made by the Court of Justice of the European Union (CJEU). Any adequacy determination could be made contingent on compliance with relevant CJEU judgments and, indeed, majority decisions of the European Data Protection Board on GDPR interpretation.

Finally, even if the Commission does not link any adequacy determination for the UK to Article 8, following the Schrems CJEU judgment, any of Europe’s data protection authorities can do so (see references for more details).

National security agencies breach the DPA?

The second reason which indicates that the UK does not offer an adequate level of protection is that the UK’s national security agencies (MI5, MI6 and GCHQ) have not implemented their minimal data protection obligations for two decades. I suspect they do not know they exist.

At the time of the Data Protection Act 1984, these agencies processed personal data for “national security” purposes (whatever that purpose entailed) and were wholly exempt from that Act.  This broad national security exemption carried over to the 1998 Act.

However, in 1989, the Security Service Act put the MI5 on a statutory footing with the Intelligence Services Act doing the same for MI6 and GCHQ in 1994. This legislation gave all national security agencies additional responsibilities which are not always linked to a national security function.

It is these additional obligations which could result in these agencies being accused of being in breach of their data protection obligations.

GCHQ and the Data Protection Act 1998

I present the argument for GCHQ but it applies to the other national security agencies.

Section 3(2) of the Intelligence Services Act 1994 states that GCHQ can interfere with private life (e.g. collect a bulk personal dataset):

• (a) “in the interests of national security, with particular reference to the defence and foreign policies of Her Majesty’s Government in the United Kingdom; or

• (b) in the interests of the economic well-being of the United Kingdom in relation to the actions or intentions of persons outside the British Islands; or

• (c) in support of the prevention or detection of serious crime”.

Note that Parliament, through the use of the word “or”, has distinguished para(a) which relates to the national security function:

• from para(b) which relates to the machinations of those who threaten the UK’s economic well-being; and
• from para(c) which relates to serious crime.

“National security” is still an undefined term whilst “serious crime” is a defined term in many Acts.  For example, in the Investigatory Powers Act 2016, it is defined as a crime, committed by an adult, that “involves the use of violence, results in substantial financial gain or is conducted by a large number of persons in pursuit of a common purpose”.

It can be seen from the definition that although some serious crimes (e.g. terrorism) impact on national security, not all serious crimes do. Similarly, some interests that impact on the economic well-being of the UK might not raise national security concerns (nor even a serious crime issue).

The point being made is that the Intelligence Services Act 1994 defines three distinct functions. This means any processing of personal data for the purposes associated with para(b) and para(c) do not always overlap with the processing of personal data for a national security purpose as identified in para(a).

Which DPA exemption applies?

Now consider Section 28 of the Data Protection Act. It introduces an exemption from all the main data protection obligations if an exemption “is required for the purpose of safeguarding national security”. It follows that this broad Section 28 exemption only applies for processing of personal data falling within para(a) above.

Therefore, it follows that the correct exemption for GCHQ to apply for much of its processing of personal data for serious crime purposes is the exemption in Section 29 dealing with prevention and detection of crime etc and not the Section 28 exemption dealing with national security.

The Section 29 exemption (relating to all aspects of crime) is limited to an exemption from the fairness and lawfulness requirements of the First Principle (i.e. a Schedule 2 & 3 justification is needed) and the right of access; additionally, the exemption is subject to a test of prejudice.  All the other data protection obligations apply.

It follows that the Information Commissioner can, if need be, enforce the rest of the Data Protection Act with respect to GCHQ for personal data processed purely for serious crime and economic well-being where there is no national security overlap.

It also follows that the statutory Data Sharing Code of Practice should apply to and sharing of a personal data collected via Investigatory Powers Act 2016 powers with respect to serious crime and economic well-being (and indeed any onward data sharing purpose not linked to national security).

Omissions from the Home Office Code

Section 7 of the draft Home Office Code of Practice on Bulk Personal Datasets, which deals with data sharing does not mention data protection requirements (e.g. Principles, compliance with the statutory data sharing Code or Practice).

Paragraph 11.9 of that Code states that the Data Protection Principles apply (except where an exemption is needed under Section 28) which as the reader now knows only applies to its functions with respect to national security (and not the other two functions). There is no mention of Section 29 exemption in the Code.

This explains why I suspect the Home Office and GCHQ are completely unaware that the DPA applies.

Evidence of GCHQ non-compliance is in the public domain

It is well known that data controllers have to notify their processing purposes with the Information Commissioner. GCHQ do not have to notify the national security purpose; however, GCHQ has also not notified the serious crime purposes, nor has it notified the economic well-being purpose with the Commissioner. See the current notification of the Security Services which exclude crime prevention purposes here and GCHQ’s incomplete notification here.

As there is an obligation to notify these purposes (as only para(a) is exempt), perhaps the Commissioner could invite GCHQ to update its notification? This change would require GCHQ to accept, publicly, that it is subject to the ICO’s remit for its functions that do not engage national security function.

Also, as most readers know, it is an offence for a data controller not to keep its notification up to date, which clearly in the case of GCHQ it isn’t. No further comment is required.

Assuming my analysis is correct, if GCHQ does not change its notification or if the Home Office does not change its Code of Practice on disclosures from bulk personal datasets, it will be providing public evidence of its continuing disregard for the Data Protection Act 1998.

Such evidence could be then used to enhance the arguments against a post-Brexit adequacy determination for the UK.

Finally, I have to repeat this for the record. This problem would have been avoided if data protection considerations formed part of the warrant seeking procedures associated with, for example, the bulk personal dataset acquisition powers in the Investigatory Powers Act 2016.  

This step was recommended by the Parliamentary Committee that looked at the Investigatory Powers Bill (see references for details). The Government ignored this recommendation.

The UK failing to obtain an adequacy determination could well be a likely consequence.

References

S and Marper v. the UK.

Current notification of the Security Services which exclude crime prevention purpose: here and here

Current Home Office draft code of practice (PDF)

Government advised by Parliament to make the national security agencies apply Data Protection Principles.

My evidence to relevant Parliamentary Committees on this subject is here and here (pdf).

Striking firefighters and miners are “terrorists” and are therefore legitimate national security targets - see here

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.