The Information Commissioner’s Office is the UK member of the Article 29 Working Party, the EU body charged with implementing and enforcing data protection across the EU.
The ICO gave significant input into the development of the General Data Protection Regulation which will take effect in May 2018. Since that implementation date was announced, various things have happened which have altered the UK’s position.
The first, of course, is the UK’s referendum decision in June 2016 to leave the EU. The ICO, like the rest of us who comment on these things, emphasises that the GDPR will affect the UK firstly because (on any estimate of the timetable) the UK will continue to be a member of the EU in May 2018 and thus bound to implement GDPR like everybody else, and secondly because we would need to comply with its essential terms in order to be an acceptable conduit for EU data, whether for everyday business purposes or for the eDiscovery which is the primary focus of this blog.
Two further things have happened since then. One is the Investigatory Powers Act, the so-called Snoopers Charter, which requires ISPs to keep traffic and location data and gives the UK government and a ragbag of departments and authorities the powers to access personally identifiable information.
That has been challenged successfully in the European Court of Justice in an action originally brought by David Davis in the days before he became Minister for Exiting the EU. “General and indiscriminate retention” of emails and electronic communications by governments is illegal, and only targeted interception is justified when needed to combat serious crime, including terrorism.
That alone would mean that the UK would be in breach of its GDPR obligations while in the EU, and would relegate it to the status of a “third country” when out of the EU. It remains to be seen what the UK government does in the face of this ruling. My guess is that the UK will ignore it, if only because everyone in government has too many other self-induced problems to deal with, and no-one with official powers outside the ICO understands the implications anyway.
The second development derived from Theresa May’s speech yesterday when it became clear that she was willing to take the UK over the Brexit cliff-edge without any deal if stamping her foot did not achieve an “acceptable” deal (whatever that might mean). Mrs May said that the UK will no longer be bound by the EU Court of Justice and will come out of the European Economic Area. That plays well in the Daily Mail and the Daily Express and with those who, like Mrs May, prefer the short drop to the demanding business of actually thinking Brexit through.
The ICO, quite rightly, doggedly continues its work to encourage compliance with the GDPR. A blog post yesterday called GDPR guidance in 2017 by Jo Pedder, Interim Head of Policy Delivery, introduces a new GDPR update setting out what organisations need to do to be ready for the implementation of the GDPR.
I said when all this first arose that the chief beneficiary was likely to be Ireland, the last remaining EU country with a legal system which is recognisable in the US and an well-educated, English-speaking workforce. Whatever benefits flow from this are unlikely to match the significant drawbacks for Ireland of the UK’s wilful act of self-harm. It will be good news, however, for eDiscovery / eDisclosure providers like NightOwl Discovery and CYFOR who are already established in Ireland, and for law firms who have the depth and breadth to manage the mixed legal and technology aspects of cross-border discovery and other trans-jurisdictional implications.
I recently interviewed Karyn Harty of McCann FitzGerald about the wider Brexit implications for Ireland. That interview is here: