26 July 2017

UK Plans Data Future… EU not happy with Canada, and Judges notes are accessible data

The Government announced on June 21st 2017 that a Data Protection Bill would be used to implement the General Data Protection Regulation (GDPR).

“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data”

This is a curious announcement as a bill is not required to implement the GDPR and the Data Protection Act already is largely in line with the upcoming legislation so changes that are required could have been implemented via secondary legislation.  We explore here the upcoming changes, both those highlighted by the Government, and others which may have a greater impact than is currently being said.  

The Intended Purpose And Benefits 

The Government claims the Bill will move the UK’s data protection framework into the digital age, giving data subject better control of their data.

Benefits will include: 

  • Requiring social media platforms to delete information held about data subjects at the age of 18
  • Allow police and judicial authorities to continue exchanging information quickly and easily with international partners in the battle against serious crime, including terrorism
  • Meeting the UK’s obligations while it remains an EU member state and helping to put the UK in the best position to maintain ability to share data with other EU member states and internationally after Brexit. 

The Main Elements Of The Bill

  • Establishing a new data protection regime for non-law enforcement data processing, replacing the Data Protection Act 1998.
  • A right to be forgotten when individuals no longer want their data to be processed, provided that there are no legitimate grounds for retaining it.
  • Modernising and updating the regime for data processing by law enforcement agencies. The regime will cover domestic processing as well as cross-border transfers of personal data.
  • Updating the powers and sanctions available to the Information Commissioner.

So What?

If the foregoing sounds familiar that is because most of the issues highlighted on June 21st have already been addressed by the UK’s data protection regime which has us asking why we need a bill?  We are told the Bill will allow modifications to enable the GDPR to function relating mainly to exemptions for national security and law enforcement.  This suggests that rather than strengthening the rights of data subjects, the Government is looking to allow derogations from the data protection regime. 

The Economic Need for Change…?

One of the items on the Government’s agenda is positioning the UK as a global hub for innovation and a key area (indeed sometimes called the Fourth Industrial Revolution) is the establishment of big data, information automation and artificial intelligence (AI).  It is seen as critical that the UK becomes a centre for this sector, and a £4.7 billion increase in R&D funding by 2020 has been announced that is targeted at AI. 

AI requires data, and an appropriate legal regime governing its use of data.  It has already been noted in academic circles that the current framework covering automation and data use will not keep up with technological advances.  

For example, driverless cars may need access to the road camera network, which is currently accessible only to law enforcement.  However, an exemption could be created for data collection and processing if the data is necessary for national infrastructure. 
The current Bill may therefore be a step forward in allowing the development of new technology.  


Many businesses are only recently aware that there are changes coming to the data protection regime.  This is cause for concern as one of the major changes is large fines for non-compliance of €20million or 4% of global turnover.  We have previously highlighted the fines and other enforcement action issued by the UK ICO and other data protection authorities for data breaches. 

Cyber-crime is growing everyday both in the number of attacks and their sophistication.  If your business holds personal data, whether it is customers or personnel, that data is at risk; and if proper, compliant procedures haven’t been put in place, your business is at risk of a fine. 

As a starting point businesses should be conducting an audit focussing on:

  • What data they hold;
  • How is that data being used;
  • What policies are in place regulating how data is used.

Things to look out for include employees storing data on personal devices or cloud networks, where such devices and networks are insecure. 

Furthermore, many businesses share data with third parties in their supply chain, such as sub-contractors.  These arrangements need to be secure and the contracts governing them need to be compliant with the new requirements in the GDPR.

Guidance on these changes and how to ensure your business is compliant can be found in our updates on the GDPR Parts 1 and 2. 

CJEU has issues with EU-Canada Data Transfer Agreement 

On July 26th 2017, the CJEU declared that the planned EU-Canada agreement on the transfer of Passenger Name Records (PNR Agreement) is incompatible with EU law.  They say it interferes with the fundamental right to respect for private life and the right to the protection of personal data.  

The Court was concerned sensitive data may be transferred to Canada and said it requires a solid justification based on grounds other than the protection of public security.   The Court was also concerned with the 5 year right of Canada to keep the data, and this was also not sufficiently justified.  

The Court has given some guidance on what might be acceptable and that should include the databases used being limited to use in the fight against terrorism and serious transnational crime.

Judge’s handwritten notes released under UK data laws for first time 

A troubling development for those engaged in producing judicial decisions.  After a 4 year battle the Ministry of Justice has accepted a decision of the Information Commissioner and has handed over confidential judicial notes in order to give understanding to a judgment.  

A husband and wife brought the request after disagreeing with the decision of an Employment Tribunal from 2013 rejecting a constructive dismissal claim.  The Ministry of Justice argument that judicial notes should be exempt from subject access requests (SARs) being overruled by the Information Commissioner’s Office (ICO).  

The case arose from the employee claiming that he whistle blew over health and safety issues at a car dealership, and then he was not treated fairly when he asked for a change of role due to his wife suffering cancer and needing extra care.  

The tribunal found unanimously that the employee had resigned, and this was not a case of being ‘constructively unfairly dismissed.’  Instead of a more usual attempt at appeal the man sought the notes of the panel, and the ICO last summer agreed that handwritten notes ‘in the court files’ will be personal data for the purposes of the Data Protection Act.  This reference to in/on the court file appears key because if notes are not on the file they may not be disclosable.  This development will be closely watched.

Brexit and Data for law enforcement 

The Lords EU Committee recently published a report into Brexit and the EU data protection package, mainly looking at exchange of data for law enforcement. Whilst supportive of the Government’s stated aim to ‘seek to maintain the stability of data transfers between the EU, Member States and the UK,’  the report highlights concerns about the ‘lack of detail on how the Government plans to deliver this outcome.’ 

For future third country arrangements allowing for the UK to exchange data with the EU, the report suggests that an ‘adequacy decision’ from the European Commission under Article 45 of the General Data Protection Regulation (GDPR) and Article 36 of the Police and Criminal Justice Directive (PCJ) would be preferable to other legal mechanisms. The Committee urged Government to negotiate for transition arrangements to cover the ‘interim period,’ and highlights the importance not just for law enforcement but also the commercial sector. 

On data sharing for commercial purposes in particular, the report puts forward the approach taken by Switzerland, which it notes has secured both an adequacy decision from the EU.   Of course there is no issue with data sharing post Brexit because the UK will be GDPR compliment, but an adequacy decision will give added comfort to those who have concerns as to the EU’s longer term attitudes. Interestingly the committee did also urge Government seek to secure a continuing role for the Information Commissioner’s Office on the European Data Protection Board. 

In addition, the report proposes that Government consider how to replace existing institutional structures and platforms in order to retain UK influence ‘as far as possible’ in data law development and procedure.  In the longer term, the report envisages that an international treaty on data protection could emerge as ‘the end product of greater coordination between data protection authorities in the world’s largest markets.’