Europe cannot rubber stamp the UK’s data laws

The United Kingdom is currently awaiting a decision from Europe on whether it provides adequate standards of data protection. This would mean personal data could flow from Europe to data controllers in the UK without the need for costly administrative burdens. The European Commission has produced a draft decision seeking to grant adequacy to the United Kingdom. However, Open Rights Group and others are currently raising concerns about the standards of protection within the UK across various areas.

The UK’s Immigration Exemption, which derogates from fundamental rights in the General Data Protection Regulation, the structures for redress against decisions, or indecision, by the Information Commissioner’s Office and the UK’s well-known bulk surveillance powers and the oversight regime that accompanies it, should all be hurdles to the granting of adequacy. These are not small technical points, these are areas that sit at odds with cornerstones of European data protection and human rights standards.

The UK needs a proper data adequacy assessment, not a rubber stamp. The EU also needs to ensure that its standards mean something internationally. There is no benefit to establishing a strong internal market system that immediately drops as soon as any data flows out of the market. It puts EU citizens personal data at risk and leaves EU standards hollow.

Open Rights Group would like to see the UK receive a positive adequacy assessment, but only on proper terms and standards. Otherwise it is a false dawn, and likely a  waiting game for the first challenge to the agreement to reach the Court of Justice of the  European Union.

Immigration Exemption Must Go

On the 3 March, Open Rights Group sent a submission to the European Data Protection Board and the European Commission asking them to seek removal of the Immigration Exemption in the Data Protection Act 2018 or to require reforms to ensure the Exemption does not breach the standards required in an adequate third country.

Open Rights Group has been concerned about the Immigration Exemption since it first appeared in the UK’s Data Protection Bill in 2017. The Exemption allows the suspension of key rights for an individual’s access to personal data held about them by any data controller if meeting these rights would “prejudice effective immigration control”. This exemption is not standard in the GDPR, the UK carved it out for themselves with shaky evidence as to its necessity. We have been challenging the Exemption in UK courts since it passed into law.

The UK maintains that the Exemption is only applied on a case by case basis in narrow and limited circumstances. However the rate of application of the Exemption according to internal Home Office statistics state is over 70%. Further, there is no internal statistics available on the number of appeals against the Exemption.

These two facts are key. The standards required of a third country include the need to respect the right of access and rectification, amongst other rights and, demonstrate compliance by data controllers. The fact that we’re seeing the Exemption applied in so many instances raises the question whether these rights are being respected suitably, changes need to be made or the Exemption removed entirely.

A third country, which the UK is now, also needs to be able to demonstrate compliance. The fact that the Home Office has no internal records of the number of appeals against the application of the Exemption should raise real concern with the European institutions that there simply is no proper system to ensure compliance.

The fact this Exemption has been applied at the rate that it has been to residents in the UK from around the world should be a cause of worry and need for action on the part of the UK. Additionally if it isn’t happening already, the Exemption will very shortly be applied to European citizens and the personal data the UK Government, public bodies, and the private contractors involved in immigration processes holds and processes on them.

The adequacy process must seek the removal or drastic reform of the Exemption.

Proper accountability of supervisory authority

Another concern is the accountability processes for challenging ICO decisions. In the UK an emerging position for the courts is that they can only review the timeliness and procedure of the ICO’s decision, and not the substantive decision. The GDPR requires that data subjects must have an effective judicial remedy against a legally binding decision of the Supervisory Authority. The Europea Data Protection Board endorsed Adequacy Referential, which provides guidance to the central question of adequate level of data protection in a third country, requires effective judicial redress available to the individual.

The work ORG have carried out to bring to the ICO’s attention AdTech’s fundamental breach of data protection laws is an example of this concern. Jim Killock and Dr Michael Veale, lodged a complaint in September 2018 regarding the AdTech industry to the ICO. The ICO followed up on the evidence provided in those complaints, issuing a report in 2019 that confirmed the ongoing breach of data protection laws and committed to review the industry in six months’ time. From there, the ICO refused to provide any meaningful updates concerning the progress of the investigation and on September 2020 the ICO communicated to the complainants that their case was closed.

While procedurally the ICO could argue they have followed the rules, substantively this decision the complainants are left wanting.If the only review available for the courts is to assess timeliness it is difficult to see how the remedy can be described as “effective” and to cover fully “a legally binding decision of the Supervisory Authority”. This is an issue that ORG is seeking to remedy with a challenge to the Court. While its focus is on the Adtech complaints, the effect could be much wider. Without it we are concerned about how the accountability would be deemed to meet the necessary standards.

An independent regulator

The UK Parliament has twice questioned the independence of the ICO, drawing attention to the appointment being made by ministers in 2004 and in 2014, latterly recommending that the ICO be made an officer of Parliament, to keep the appointment well away from political interference. We are now seeing the consequences of ignoring this recommendation, as Oliver Dowden and DCMS advertise for a candidate that favours deregulation and lowering burdens on business, while the person specification shows they see no need whatsoever for the candidate to possess experience running an effective regulator. The Adequacy assessment should take a close look at the independence of the appointment mechanism.

Bulk surveillance powers

As a result of becoming a third country, in terms of data flows, the UK’s communications surveillance and national security powers becomes part of the adequacy assessment. There are four European Essential Guarantees

  1. Processing should be based on clear, precise and accessible rules
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated
  3. An independent oversight mechanism should exist
  4. Effective remedies need to be available to the individual

The Snowden disclosures and the UK’s subsequent legislation such as the Investigatory Powers Act and the Data Retention and Investigatory Powers Act all demonstrate how the UK pull on these standards. Snowden showed that bulk surveillance is a practice of the UK’s intelligence agencies, the Investigatory Powers Act put that practice into law, allowing for extraction, in bulk of at least all the metadata of all the communications that flow through selected bearers, carried in fibre-optic undersea cables that land in the United Kingdom.

The UK”s previous oversight regime, RIPA, had been found to violate the European Convention on Human Rights for, among other things, a lack of robust end to end oversight of bulk interception, acquisition, selection and searching processes, and a lack of controls on the use of communication data acquired from bulk interception. The IPA regime has not moved things forward enough. The oversight of the selection of bearers for example is not clearly and expressly provided for in the law.

The well documented practice of bulk collection, the laws allowing for it, and the questionable effectiveness and scope of oversight regimes have lead experts to conclude that for a positive adequacy decision to be granted the UK’s national surveillance laws must be reformed to ensure they meet the Essential Guarantees.

An adequacy decision means a lot for businesses in the United Kingdom to ensure compliance costs are not prohibitive. It also means a lot for Europe. While other countries have received an adequacy approval, the UK is a unique proposition. It is a former member state with much of the GDPR in law but with a long record of overreach in national security communications surveillance laws and their practical implementation of the GDPR clearly raises questions. What is normally a somewhat bureaucratic process for granting adequacy is receiving a lot of press attention and could easily turn into another political football between the EU and the UK.

However what is clearly apparent is that the UK is failing to meet key principles of the adequacy process to uphold fundamental rights. If the EU were to grant adequacy to the UK as it currently stands the principles will be diminished, the next adequacy process will be tainted with the UK process, and the one after that, and so on. It will also set a clock running for the next Schrems-like challenge reaching the Court of Justice of European Union, which has caused a long term policy headache for Europe.

Open Rights Group wants to see the UK granted adequacy, but it must be true adequacy, not a rubber stamp. The draft decision by the European Commission smacks of that rubber stamp. Citizens in the UK need the process to be true including EU nationals, and the EU needs it to ensure that its standards mean something in the long term.

hear the latest

Sign up to learn more about Open Rights Group’s work to protect our digital rights.