Tag Archive for BREXIT

Brexit amendment to FOIA

FOIMan highlights a new amendment to FOIA resulting from the UK’s planned departure from the European Union.

It’s all getting real isn’t it? Aside from all the shenanigans in the Conservative Party this week, we’re seeing more and more of the practical application of Brexit from government. And the Freedom of Information Act (FOIA) isn’t immune from this.

Under the European Union Withdrawal Act 2018, ministers can make amendments to legislation to ensure that it is compatible with the terms of Brexit using secondary legislation. Yesterday the government outlined changes that would be made using this mechanism to the Data Protection Act 2018 (and through that, the application of GDPR in the UK) if the UK leaves the EU with no deal. (The Information Commissioner has also issued guidance on how no deal will affect data protection, especially when it comes to international transfers of personal data.)

In truth, FOIA isn’t massively affected by Brexit. But it has been necessary for the government to lay regulations making one very specific amendment. Section 44 of FOIA provides an absolute exemption from the duty to provide information or confirm its existence in circumstances where other laws prevent disclosure. It avoids a conflict between FOIA and other laws. Specifically, s.44(1)(b) of FOIA specifies that information will be exempt from disclosure if it:

is incompatible with any EU obligation

Yesterday the Cabinet Office laid regulations before Parliament which simply replace the reference to ‘any EU obligation’ with ‘any retained EU obligation’.

And there we are – FOIA is ready for Brexit when (or if) it comes.

 


The Freedom of Information Officer's Handbook, Facet PublishingA reference guide to the FOIA exemptions is provided in the Freedom of Information Officer’s Handbook by Paul Gibbons, which will be published in January 2019. Readers and subscribers to this blog can pre-order copies direct from the publisher with a 30% discount (so it will only cost you £45.45) by emailing info(Replace this parenthesis with the @ sign)facetpublishing.co.uk and quoting the code FOIBLOG30 (do not supply payment card or bank account details by email). The publisher’s distributor will then contact you to arrange payment and discuss despatch instructions.

GDPR – the phoney war is over

FOIMan launches a new resource to help practitioners and others get to grips with the General Data Protection Regulation (GDPR).

Data Protection Reform and GDPRThose interested in privacy had been waiting for years for the European Union to agree its new rules on data protection. Finally, in May of this year, the General Data Protection Regulation (GDPR) became law. Cue party poppers all round.

The party was well and truly pooped though a month later. Instead of starting a long campaign to educate colleagues and businesses about their new obligations (which take effect from May 2018), practitioners have been forced to spend the summer and early Autumn speculating about what BREXIT means for GDPR. Even if they wisely chose to continue their preparations, their words fell on stony ground as those in charge looked to government for a decisive message more informative than “BREXIT means BREXIT”.

Thankfully we now have more clarity. During a committee hearing last week, the Secretary of State for Culture, Media and Sport, Karen Bradley, stated that:

“An example might be the General Data Protection Regulation, which of course comes into effect in the spring of 2018. We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.” (Oral evidence to the Culture, Media and Sport Select Committee, HC 764, 24 October 2016, answer to Q.72)

So whilst there’s still a possibility that the rules will change again in a few years, at least we now know that GDPR is coming to stay and will be with us for a while. Long enough for us to give it a bedroom and clear some drawer and wardrobe space. Maybe even to cut it a set of keys.

In the meantime, the hands of the clock have been moving apace. There are now just over 18 months to get your house in order, which is not long given how much you need to do to make sure that you meet GDPR’s exacting requirements.

Thankfully there are lots of places to look for help. And now I’m adding to the list. I’ve added a new section to the FOIMan site dealing specifically with data protection reform and GDPR. There are free resources to help you understand your obligations, and suggestions as to where to start your preparations. There’s also a link to the GDPR itself in case you need it. I’ll be updating this page from time to time and adding new links, resources and suggestions so keep popping back for more as your preparations continue.

GDPR is coming – BREXIT or not

FOIMan points to a comment from a BREXIT campaigner which reinforces the message that a vote to leave the EU would have little effect on the adoption of the new General Data Protection Regulation in the UK.

On my data protection courses I’ve come to expect the obvious question whenever I mention that the General Data Protection Regulation (GDPR) will come into force on 25 May 2018 and will apply across the European Union (EU). Which is, of course:

What happens if we vote to leave the EU on 23 June?

I’m no constitutional expert, but I’ve been reassured by the fact that my usual answer has been in line with what many other commentators have said on this question. GDPR is coming whether we leave the EU or not. The latest comments from the BREXIT camp if anything seem to me to reinforce this view.

Firstly, one of the most likely flavours of BREXIT is that the UK would join the wider European Economic Area (EEA) – the group that Norway is a member of. Nations in this group still have to comply with many EU laws, and this would include GDPR. Result of this option: GDPR would apply.

Secondly, if the UK goes for another flavour of BREXIT, then it wouldn’t have to adopt GDPR itself, but following the European Court’s decision on Safe Harbor last October, if UK businesses were to continue to do business with European companies and public bodies then it would almost certainly have to adopt an “equivalent” level of data protection. Result of this option: a new Data Protection Act that is to all intents and purposes the GDPR by another name.

One complicating factor is that it has previously been assumed that post-BREXIT negotiations would take two years to complete. This would mean that however we vote, the GDPR would apply for a matter of months after 25 May 2018. If businesses and public bodies have to do enough to comply with the regulation for a few months, what would be the point of lowering standards that they have already worked to meet?

Now comments by one of the leading BREXIT campaigners seem to me to make it even more important for businesses to assume that GDPR is on the way – and will be here to stay. Michael Gove recently suggested that negotiations post-BREXIT would be unlikely to be complete by the time of the General Election in 2020. If BREXIT happens more than 2 years after GDPR has been brought into force, it seems less likely than ever that BREXIT would affect GDPR.

The bottom line is: whatever the outcome on 23 June, the GDPR is on the way and organisations need to prepare for it now.