It is now two days since the UK went to the polls to elect the 650 people who will be responsible for representing us until Parliament dissolves on Monday 20 April 2020 (assuming the Fixed-Term Parliaments Act 2011 remains in place and intact). The result was significant for many reasons, some of which I may address in a future blog post. The focus of this blog post though will be the possible impact on Data Protection, Privacy and Freedom of Information following the result in this election.
Data Protection and Privacy
It is well known that one of the promises David Cameron made was a referendum on the UK’s continued membership of the EU if the Conservatives were returned to power with a majority. They were, albeit a small and fragile one, and as such it is likely that in 2017 we will have a referendum on whether the UK will continue to be part of the EU, or not. If the UK were to leave the EU (and this is purely hypothetical at this stage), then there would be no requirement for the UK to continue to comply with EU law; including the Directives underpinning the Data Protection Act and the Privacy and Electronic Communications Regulations.
Withdrawal from the EU would not, of course, immediately repeal every piece of law that is implementing an EU Directive – such a position would be unworkable. Overtime there would, like there is in every other area of law, be reform and that could include both the Data Protection Act and the Privacy and Electronic Communications Regulations.
That is not the end of the story though; our continued relationship with the EU will have some impact in this area, especially with regards to the Data Protection Act. If we were to remain part of the EEA, we would still have to comply with EU law except in some areas: data protection is not one of those. So, if we withdrew from the EU and remained part of the EEA, nothing would change.
If we withdrew from both the EU and the EEA there would still be some Data Protection implications. The eighth Data Protection Principal prevents the transfer of personal data outside the EEA unless the country or territory to which the personal data is to be sent “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” In other words, we would require some form of Data Protection or Privacy legislation that meets the test of “adequate” under EU data protection law. This is a requirement that looks set to stay as part of the Data Protection Regulation currently working its way through the EU legislative process. In all likelihood we would probably adopt the same data protection regulations as the EU, or something substantially similar thereto. For that reason, Data Protection and Privacy looks fairly safe over the coming 5 years.
Freedom of Information
Scotland has its own Freedom of Information laws that cover Scottish public authorities. These laws will likely remain largely unchanged in light of the 2015 election result.
Freedom of Information Act 2000
The FOIA covers English and Welsh authorities as well as UK-wide authorities such as UK Government Departments, the British Transport Police, the BBC, Channel 4 etc. They are not popular with the Government; they force the Government to reveal information it would rather keep secret. The Prime Minister isn’t a big fan of FOI; it “furs up the arteries of Government”. We can expect to see some changes to FOI laws over the coming 5 years: the veto will likely be strengthened in light of the recent UK Supreme Court decision in the Prince Charles case; there could well be changes to the cost limits making it harder to get access to information and there could be the introduction of fees (at least for Tribunal cases). Substantial harm could be done here (and if you value FOI and the power it gives you to access information held by public bodies I would commend the Campaign for Freedom of Information to you – they could need a lot of help, support and money over the coming 5 years).
Environmental Information Regulations 2004
These implement an EU Directive and provide a much tighter access to information regime with respect to Environmental Information – they also cover a much wider number of bodies than the FOIA does. While they implement an EU Directive, they have their origin in another international Convention (one which is not anything to do with the EU), the Aarhus Convention. The UK is a signatory and so if it were to remain a signatory it is likely that there would be no change to the substance of the EIRs. There would be changes though.
Currently, because they are based upon EU law, they are subject to the primacy of EU law. It is largely for this reason that the veto was held not to apply to Environmental Information. It also gives recourse to the Court of Justice of the European Union in respect of interpretation (as was seen with Fish Legal). This strengthens the EIRs significantly. However, all is not lost. In terms of the Aarhus Convention there is a right of remedy to the Aarhus Compliance Committee.