The New Data Protection Environment: Regulatory Agencies
Andrew Charlesworth – Reader in IT Law, University of Bristol
With the time to prepare for the GDPR shortening, as 25 May 2018 approaches, data controllers and data processors will be considering their coming responsibilities. At the same time, they, and sectoral representative organisations, will be looking for guidance, and for the most effective place in the regulatory process to raise their questions, register their concerns, and ensure their obligations are balanced against business practicalities.
DP regulation, at both UK and EU levels, has never been solely about the application of legal principles contained in legislation. The UK courts do bring a degree of clarification and precision to the interpretation of national DP legislation: e.g. the definition of ‘personal data’ under the DPA 1998, in Durant (2003); the meaning of ‘processing’ in Johnson (2007); that compensation can be awarded for distress caused by contravention of the Act, in Vidal-Hall (2015), and how the quantum of damages for such distress should be determined, in TLT (2016); and the scope of the domestic purposes exemption for CCTV, in Woolley (2017). Equally, the Court of Justice of the European Union (CJEU) provides interpretation of the EU legislation: e.g. on the definition of ‘personal data,’ in Breyer (2016) and Nowak (2017), which differs from that in Durant, and on the requirements to demonstrate ‘adequacy’ for data transfers to countries outside the EEA, in Schrems (2015).
However, in practical terms, judicial decisions are the tip of the iceberg. Litigation is expensive, time-consuming, and usually an option of last resort. Most interpretations of DP law do not derive from, and have not been tested in, the courts. So where do those interpretations arise? In the main, they are the product of administrative decision-making and guidance by national independent supervisory authorities (ISAs), whose role and influence is largely dependent upon the powers granted by their national legislation.
The UK ISA, the Information Commissioner (ICO), currently derives its powers primarily from the DPA 1998, s.51-62. These powers, beyond the headline power to impose monetary penalties, include the ability to issue assessment notices to allow the ICO to audit government departments and public authorities for compliance; information notices to require data controllers to provide information about their processing activities; and enforcement notices to require data controllers to take, or refrain from taking, certain actions to ensure compliance. The ICO may also assess data controller compliance if requested by a data subject. These powers clearly have practical and normative effects on data controllers – their exercise effectively determines what it means to be compliant. Unless challenged in the courts, these administrative determinations tend to become ‘custom and practice’, generally or sectorally. Once widely established, they are likely to be perceived by courts and legislators as reflecting an appropriate standard of compliance.
The ICO obtained its key powers relatively recently: monetary penalties (2008) and assessment notices (2009). This meant that, for a decade after the DPA 1998, a major element of the ICO’s strategy was based on the provision of advice and guidance, and the development of codes of practice, e.g. the Employment and CCTV Codes of Practice. Whilst at the time this was seen by some as a weakness, in hindsight it may be regarded as serendipitous, for it meant that the ICO, unlike some of its European contemporaries, was required to establish a co-regulatory relationship with data controllers to develop compliance strategies, without the option of imposing a strategy on pain of penalty. The downside to this relationship was that it tended to divorce regulator and regulated from public scrutiny and engagement, leaving them open to charges of having produced regulatory practices and codes of practice which prioritised data controller interests without reference to data subject concerns and needs.
The GDPR lays out the future role of ISAs (Recitals 117-135, Articles 51-59), and the new UK Data Protection Bill provides for the ICO and the required powers (s.114-164 and Schedules 12-16).* It is clear from both EU and UK legislation that the ICO’s position will be strengthened, e.g. as breach notification moves from a voluntary to a mandatory process, and penalty levels are significantly increased. As such, the ICO is less likely to engage in ‘regulatory arbitrage’ with sectoral regulators, e.g. as in past financial service data breaches, where the ICO tended to defer to the FSA, due to the latter’s ability to levy greater penalties for failing to protect customers’ confidential information. The GDPR’s emphasis on accountability and increased involvement of data subjects, in combination with the removal of charges for subject access requests, also has the potential to provide the ICO with greater direct and indirect input from the public. This is likely to be reflected in the ICO’s role in overseeing the development of new and revised sectoral Codes of Practice. Data controllers who incorporate Privacy by Design into their business development and utilise Data Protection Impact Assessments to obtain effective stakeholder input will be best placed to provide informed and credible input to the development and assessment of such Codes of Practice.
However, the ISAs do not just affect DP policy practice in an individual capacity, but also as a group, through the Article 29 Working Party, established under Article 29 DPD 1995, and comprising members from each national ISA, the European Data Protection Supervisor and the European Commission. While the Art.29 WP is an advisory body, providing advice and guidance on the application of the DPD 1995, it wields significant influence through its published opinions and guidelines. Its work influences EU legislation and international policy, and it is frequently cited (although not always approvingly) in national and CJEU judgements. Its recent guidelines on elements of the GDPR, e.g. DPIAs, data portability, data protection officers, consent, transparency, and breach notification are thus critical to an understanding of how the GDPR is likely to be interpreted by ISAs.
The GDPR provides for a replacement for the Art.29 WP, the European Data Protection Board (EDPB), and it seems likely that the EDPB will continue to play a significant role in determining EU DP policy direction and scope. Post-Brexit, however, the ICO will lose its place on the EDPB, despite the Government’s stated desire to be “fully involved in future EU regulatory dialogue”. This means that the UK will be effectively bound by EU DP policy and regulatory interpretation, if it wishes to demonstrate an ‘adequate’ level of data protection for cross-border transfers with the EU, yet will have no formal representation on the key advisory body proposing DP policy and influencing legislative interpretation. The ICO’s capacity to demonstrate that it can represent effectively the interests of data subjects, data controllers and data processors, outside the EDPB, will thus be crucial to the ability of UK industry to navigate the future international data protection environment.
* Data Protection Bill at time of writing.
Durant v Financial Services Authority [2003] EWCA Civ 1746.
Johnson v Medical Defence Union Ltd [2007] EWCA Civ 262.
Vidal-Hall v Google Inc [2015] EWCA Civ 311.
TLT v Secretary of State for the Home Department [2016] EWHC 2217 (QB) (under appeal).
Woolley v Akram 2017 S.L.T. (Sh Ct) 17.
Breyer v Germany (C-582/14) CJEU (Second Chamber) EU:C:2016:779.
Nowak v Data Protection Commissioner (C-434/16) CJEU EU:C:2017:994.
Schrems v Data Protection Commissioner (C-362/14) CJEU (Grand Chamber) EU:C:2015:650.
EU Article 29 Working Party Newsroom
UK Department for Exiting the European Union, The exchange and protection of personal data - a future partnership paper, 24 August 2017.