29 research outputs found

    A tangled web of access to information: reflections on R (on the application of Evans) and another v Her Majesty's Attorney General

    The Freedom of Information Act 2000 (‘FOIA’) came into force on 1 January 2005. It created, for the first time, a statutory right of access to information held by a wide range of public authorities. The right of access extends to all information held, regardless of how old the information is and the format in which it is held, unless one of the absolute exemptions listed in the Act is applicable, or the public interest test for disclosure is not satisfied in respect of a qualified exemption. Significantly, the Act also contains a power of ministerial veto, the effect of which is that orders to disclose information under the Act are rendered ineffective if a minister certifies that they have “reasonable grounds” for having formed the opinion that non-disclosure would not be unlawful. Prior to R (on the application of Evans) and another v Attorney General, there was a lack of certainty regarding what constituted ‘reasonable grounds’ for the issuance of a ministerial certificate. As well as clarifying the threshold for reasonable grounds for issuing a veto, this judgment also engages in a discussion of the relationship between three fundamental constitutional principles: the rule of law, separation of powers and parliamentary sovereignty to determine the extent to which it is legally and constitutionally legitimate for a court exercising powers of judicial review to strike down a Government Minister’s decision made under powers granted by Parliament to overturn an independent judicial tribunal’s judgment. Thus, the decision is of interest to those seeking to assess its potential contribution to discourse on common law constitutionalism

    Cross-border data protection: Applicable law and territorial powers of national data protection supervisors

    An analysis of the European Court of Justice preliminary ruling in Case C-230/14 Weltimmo s.r.o. v Nemzeti Adatvédelmi és Információszabadság Hatóság, on the interpretation of two important aspects of Directive 95/46/EC, namely, the applicable law, and territorial reach of national data protection authorities. The Court ruled that the data protection legislation of a member state may be applied by the national data protection authority to a foreign registered company which exercises, through stable arrangements, real and effective (albeit minimal) activity in that member state; a ruling that potentially increases compliance costs for entities operating across multiple European jurisdictions pending the introduction of the proposed General Data Protection Regulation

    Response to Department of Media, Culture & Sports DCMS Call for views on the General Data Protection Regulation derogations

    The response addresses three of the themes in the consultation in that it responds to the call for views in Theme 10 on Processing of Children’s Personal Data by Online Services, and it responds to Themes 5 & 11 through the lens of how changes in the GDPR will impact on the ability of UK based university researchers to process personal data for research purposes. Dr Karen Mc Cullagh, a Lecturer in IT, IP, Media & Public law, at the University of East Anglia, has prepared this response on behalf of and with the support of a group of academics based in the UK with expertise in Information technology law and related areas who collectively approved the submission under the auspices of the British & Irish Legal Education & Technology Association (BILETA)

    Response to the call by DCMS for views on the potential implications of Brexit for Data Protection stakeholders: Brexit: Potential Implications for Digital and ‘Fintech’ Industries

    Following the outcome of the historic ‘Brexit’ referendum on 23rd June 2016 in which a majority of eligible voters in the UK voted to ‘Leave,’[1] the United Kingdom is potentially on course to leave the European Union,[2] but to ensure continued economic success it will seek to maintain a favourable trading relationship with the EU. This article identifies and critically evaluates the various types of trade deals the UK might negotiate upon exit with a particular focus on trade in services since financial and digital services are key components of the UK economy. Also, as personal data processing underpins these service industries, particular attention will be paid to the data protection implications that would flow from such agreements. Specifically, it will be of assistance to Mr Matt Hancock, MP as it responds to his predecessor, Baroness Neville-Rolfe’s, call to ‘consider carefully what might be done either to replace it [Regulation (EU) 2016/679] if and when it ceases to have effect or, instead, if in the event it never comes into force. 
 the future might take several different forms and we need to identify as quickly as possible how to best react to whatever path is eventually chosen.’[3] This report offers both pre and post exit guidance on the data protection permutations of each type of trade deal. This timely analysis will be of use to policy makers, trade negotiators and businesses as they prepare for a trade and data protection legal landscape outside the European Union; one in which personal data will remain a key economic asset that will continue to be collected, processed and transferred across UK and EU borders. [1] Eligible voters in the UK voted to leave the EU by 52% to 48%. Leave won the majority of votes in England and Wales, whereas Remain won the majority of votes in Northern Ireland and Scotland; [2] Leading constitutional scholars and legal practitioners share the view that the referendum result is merely ‘advisory’ that is, the UK government would need to take further steps to formally notify the EU of its ‘decision’ to invoke Article 50 of the Treaty on European Union, and commence negotiations on a withdrawal agreement from the European Union with the European Council – a process that could take two (or more) further years to finalise. [3] DCMS, Speech by Baroness Neville-Rolfe DBE CMG, Parliamentary Under-Secretary of State for the Department for Business, Innovation and Skills and Minister for Intellectual Property, ‘The EU Data Protection Package: the UK Government’s perspective,’ at the Privacy Laws & Business Annual Conference on Data Protection (4th July 2016),

    The General Data Protection Regulation: A Partial Success for Children on Social Network Sites?

    Almost 20 years ago, the first social networking site (“SNS”) was launched in the U.S. Whilst developers originally intended for SNSs to be used by adults—which they are—they have also become an integral communication platform in the lives of many children in EU Member States. Sharing personal information on SNSs is now a routine activity for many children and, whilst they are computer literate in a way that their parents are often not, a number of concerns have emerged. One of these concerns is that children are vulnerable since they lack the capacity to consent to the terms of SNS membership agreements regarding the processing of their personal data. A further concern is that children’s naïve confidence sometimes leads them to take risks—by sharing information about themselves—that adults would not take. This is particularly concerning as children may be ignorant about the fact that their profile and behavioural data is sold to data brokers who use that information to produce targeted adverts—and that these adverts may display age inappropriate content or even may not be recognised by the children as adverts. Directive 95/46/EC regulates the processing of the personal data of EU citizens, including personal data posted on SNSs. Problematically, it was drafted in a pre-SNS era and neither makes reference to children nor considers them vulnerable data subjects whose personal data should be subject to more stringent processing rules. The absence of specific legal protection for children’s data on SNSs sparked concerns that children were ignorantly disclosing personal data and being exposed to profiling and advertising without adequate privacy and data protection safeguards in place. In response to these concerns, provisions aimed at safeguarding children’s privacy and data protection rights have been included in Regulation (EU) 2016/679 (hereafter “GDPR”), which will come into force on 25 May 2018.
This chapter provides a critical evaluation of the forthcoming measures to address a knowledge gap that exists because of the novelty of these provisions and the fact that scholarship in this area is currently underdeveloped. It begins by providing an overview of SNSs and the problems posed by underage children’s access to them. In this regard, it will illustrate that the biological and psychosocial developmental changes that children experience as they progress through their teenage years and develop their capacity for freedom of expression makes them vulnerable to impulsive personal information disclosures and privacy invasions. After this, an exploration of the current legal protections for children’s privacy on SNSs from the perspective of privacy as information control will highlight deficiencies in Directive 95/46/EC. This leads to an analysis of the measures in the GDPR to determine whether they will, when introduced, realise the twin goals of legitimising the processing of children’s personal data and, at the same time, protecting their fundamental privacy and data protection rights. The compatibility of measures in the GDPR with provisions in the United Nations Convention on the Rights of the Child (1989) (“the UNCRC”) and the Charter of Fundamental Rights of the European Union (2000) (“the EU Charter”) is considered as these provide a normative framework for evaluating children’s legal rights. To comply with both legal frameworks, data protection measures in the GDPR governing children’s activities on SNSs should recognise their evolving capacity for freedom of expression and privacy. This would allow them to express themselves with appropriate safeguards in place, ensuring that their best interests are protected and that they are not subject to economic exploitation through activities such as profiling and advertising without consent. 
Specifically, the analysis presents a critical evaluation of the introduction of an age threshold, below which children are deemed to lack capacity to consent to the processing of their personal data; the conceptual coherence of relying on parental consent for children under the threshold age; the practical implications of Member States being permitted to set the threshold age within a range of ages; and the practical challenges posed by relying on verified parental consent. The chapter concludes that measures in the GDPR are compatible with provisions in the UNCRC and the EU Charter but that a number of practical challenges remain unsolved. For instance, allowing Member States to set the threshold age means that the goal of simplifying and harmonising the regulatory environment for SNSs operating on a transnational basis will not be fully realised. Equally, reliance on parental consent and the consent of children over the threshold age is conceptually coherent, but it is dependent on the introduction of low-cost age-verification mechanisms being integrated into SNSs. It is also dependent on child data subjects (or their parents) being digitally literate enough to give unambiguous, specific consent to the processing of their personal data. Relatedly, whilst the GDPR includes measures to promote and increase the digital literacy of both parents and children, it remains to be seen how effective these will be in practice. For these reasons, the GDPR is an improvement on Directive 95/46/EC, but only a partial success

    Information access rights in FOIA and FOISA – fit for purpose?

    The Freedom of Information Act 2000 (FOIA) enacted by the Westminster Parliament applies to public authorities in England, Wales and Northern Ireland and to UK public authorities that operate in Scotland e.g. the BBC, whilst the Freedom of Information (Scotland) Act 2002 (FOISA), promulgated by the Scottish Parliament, applies to Scottish public authorities. Both Acts commenced on 1st January 2005, and have been hailed as success stories – helping the public and the press to obtain information on issues such as: problems with a nuclear reactor, inadequate health services, school closures, a lack of suitable quality housing for people with disabilities and so forth. Nevertheless, FOIA has been described as ‘a brilliant piece of trompe l’oeil, a sheep in wolf’s clothing,’ appearing to offer a legally enforceable right of access to governmental information subject only to specified and justifiable exemptions when, in fact, it offers weak information access rights. By contrast, it has been asserted that ‘Scotland has most robust Freedom of Information regime in the UK.’ A two-strand approach is used to test the veracity of these claims and determine whether both jurisdictions have freedom of information laws that are fit for purpose as the Acts enter their second decade. Firstly, an assessment of the degree of compliance of both Acts with principles that have been endorsed by the United Nations as forming the normative foundations of freedom of information laws is undertaken. Secondly, the Acts are compared to ascertain whether FOISA does in fact offer stronger information access rights than FOIA, and if so, what lessons the UK could draw upon to strengthen FOIA. The analysis will demonstrate that the Acts are creatures of their respective Parliaments and that distinct ‘political cultures’ have influenced their evolution over the past ten years leading to significant divergences between the two. 
It concludes that, at present, FOISA offers stronger information access rights whereas FOIA offers weaker rights, but both Acts should be amended to ensure full compliance with the UN endorsed principles if both jurisdictions are to have information rights that are fit for purpose as the Acts enter their second decade

    UK: GDPR adaptions and preparations for withdrawal from the EU

    Part I of this chapter traces the evolution of UK data protection legislation, outlines the UK government’s rationale for enacting the Data Protection Act 2018 (DPA 2018) to supplement the GDPR even though the UK is on course to leave the European Union (EU), and comments on the most interesting derogations, exemptions, and adaptations to the GDPR in the DPA 2018 – some of which are controversial, and could prove problematic in the future. Part II sets out the data protection implications of the UK leaving the EU with transitional withdrawal arrangements in place or on a ‘no deal’ basis. It outlines why the UK may struggle to obtain a finding of adequacy from the European Commission, and how the Information Commissioner’s Office (ICO) will suffer a loss of status and influence when the UK becomes a ‘third’ country for data protection purposes. It concludes that departure from the EU will not result in significant UK divergence from the GDPR