Saturday, 28 March 2020

Coronavirus - getting home from the airport and other stories

There seems to be some confusion about the interpretation of the new regulations placing restrictions on people living in England as part of the “lockdown” announced this week. Since one of my main aims in this blog is to present a critical view of the law, and since it has personal relevance to me, I thought I would take a break from trying to talk about the GDPR and offer some clarifications.

I have been reading a lot of discussion of these rules on social media recently that assumes the regulations prohibit certain activities outside the home, but that way of thinking will end up in confusion.

The relevant rules are to be found in regulation 6 which makes it an offence to leave the place a person is living without a “reasonable excuse”. There is no fixed list of reasonable excuses, instead the regulation offers a list of “needs” which are included in the concept of “reasonable excuse”. For example, taking exercise or obtaining basic necessities.

The criminal act is the leaving of the place where a person is living, not the doing of something not on the list. If someone leaves their home and their excuse is to take exercise but on the way they decide to spend some time photographing ducks in a nearby river, the act of photographing is not criminal or excluded by the regulations. Photographing ducks would almost certainly not in itself be a “reasonable excuse” for leaving the home, but the person already had a reasonable excuse: taking exercise.

One argument I have seen blow up is about whether it is OK to drive from one’s home to take exercise. The regulations do not explicitly permit travel (so the argument goes) and so the driving would be criminal even if the exercise at the end were not. But this is getting the logical order of the regulation all the wrong way around. What matters is the purpose for leaving the home, not what is done afterwards.

I am not saying whether or not driving to a place of exercise is a good or bad thing to do, just whether it is criminal.

What is more, anyone found photographing ducks by the police might have to work hard to convince them that they had a reasonable excuse for leaving the home which was not just a pretext for doing something else. But there may be good evidence for what someone’s purpose was. In the end, if they can convince a court that their reason for leaving the home was a reasonable excuse they would be guilty of no offence.

My own circumstances illustrate this. I am about to fly back to the UK from Japan (as instructed by the Foreign Office). I will arrive at Heathrow and have to travel home.

Now, travel home from an airport is probably a “reasonable excuse”, but if I were prosecuted for a regulation 6 offence, the prosecution should not even be able to get that far, because on arrival I will not have left my home in England while the regulations were in force (I left some 6 months ago). Until I do return home, there is nothing to stop me from doing all kinds of entirely unreasonable activities (though of course not gathering in a group of more than 2 people who do not live with me etc).

In order to commit an offence you need to (1) have left a place where you were living, (2) that place has to be in England, and (3) you must not be able to present a reasonable excuse for leaving.

None of this is meant to encourage anyone to avoid social distancing. Good friends of mine have put together convincing mathematical models of the situation in the UK which are very sober reading. Be safe.

Saturday, 25 January 2020

Exporting personal data I: introduction (and a small Brexit niggle)

Well, I'm back.

I hope to carry on blogging about the law from the slightly different perspective that I have adopted in the past. In particular, I want to try talking about some difficult questions that I come across while working with clients and which I can't help thinking about in my spare time. Thank you for helping me scratch that itch.

This post is just an introduction. If you are familiar with how the GDPR works, then you should skip to the bit about Brexit.

The export of personal data

I want to start by talking about the General Data Protection Regulation, or GDPR as it is affectionately known, which will have been in force for two years in May. In particular, I want to talk about the regime created by the GDPR for the international transfer of data. From a technical point of view, transferring data around the world is, thanks to the Internet, not only straightforward but often invisible. However, from a legal perspective it is not so simple.

The reason why the GDPR tries to control international transfers of data is simple to see. The GDPR's aim is to create a region of really strong protection for personal data in the European Union and the European Economic Area. If someone processing personal data could simply transfer it outside that region and do whatever they liked with it, it would be really easy to get around the GDPR. The protection it gives would be much less useful.

How exports are controlled

The GDPR divides the world into two parts: a "safe" part, which at the moment contains the EU and the EEA; and a potentially wild and dangerous part consisting of what are called "third countries". By the way, there is (as far as I have been able to discover) no formal definition of "third country" as you might expect. It seems to be understood to mean anywhere that isn't a member state of the EU or the EEA, but maybe other countries (eg the UK after Brexit) could escape being "third countries" in the same way as the EEA members have done.

By default, moving data from the safe part of the world to a third country is forbidden, unless one of a (long) list of conditions is met. I plan to look through some of these conditions over this blog series, but in a moment, I will give a brief summary of two that are particularly significant.

Adequacy

The European Commission can declare that a country has "adequate" protection. Even though the country is a mere third country, it has done enough to live up to the high standards set by Europeans and data may be exported there.

This is a sort of data imperialism, perhaps with the hope that European data protection law will dominate the world. Given the steadily increasing list of countries declared "adequate", this may be working.

But, a word of caution about adequacy. Adequacy decisions can be made that are limited to certain kinds of transfer. In other words, just because a country is in the list does not mean that you can export data there without further thought. A few countries, for example the United States and Japan, have adequacy decisions that are limited in various ways.

For example, the United States clearly does not think that it has to play along with the EU's data protection rules but has set up a system known as the "Privacy Shield" which allows companies to opt into a lightweight version of the GDPR. The USA only counts as having "adequate" protection for transfer to companies who are members of the Privacy Shield. I will have quite a bit to say about the Privacy Shield in a later blog.

Standard Contractual Clauses

A very popular option is for the exporter and importer to sign an agreement which contains a set of standard clauses approved by the European Commission (or in theory by another regulator). These are, in essence, a promise by the importer that they will not take advantage of the fact that the data is now outside the "safe" part of the world to do evil and/or unspeakable things to it and that they will in all ways be good. The standard clauses are meant to be enforceable by individuals whose personal data is being processed and they contain their own rules controlling further export of the data.

At first sight this system seems very flexible. Most transfers of data will either be internal to a company (in which case each part can sign the standard clauses) or be made subject to some terms or conditions, even if they are standard terms on a website. Including some standard material cut and pasted from the European Commission or elsewhere should be easy enough.

In practice there are quite a few difficulties with the standard clauses, which I intend to look at in some detail later in this series.

What about Brexit?

Unless something dramatic happens between now and then (given past history this is not entirely impossible), the effect of the EU-UK withdrawal agreement and the European Union (Withdrawal Agreement) Act 2020 is that the UK will leave the EU next week, on 31 January 2020.

Article 127 of the withdrawal agreement and section 1 of the Act keep EU law going in the UK for the time being during what is known as the "implementation period" until 31 December 2020 at 11.00pm GMT, though of course that date could end up being renegotiated. So at first sight it would appear that nothing will change for a while yet.

But I still have a concern. From the many examples I have seen, many agreements for sharing, selling or otherwise transferring personal data have provisions in them saying something like "... shall not transfer any personal data outside the European Economic Area..." or wording like that. The problem here is that, despite all the magic words about the implementation period, the UK will not as a matter of fact be in the European Economic Area and so any transfer within or to the UK may well end up being in breach of contract.

I have, since Brexit became a clear possibility, tried to press different wording on clients and their contracting partners. Typically I swap in "third country" for "outside the European Economic Area". It seems to me that the effect of the withdrawal agreement will be that the UK is not a "third country" until at least the end of the implementation period. The alternative would be to include a section attempting to explore all the possibilities along the lines of "If the UK is a member of ...." which seems complicated and fragile.

Does any of this matter? English courts are quite good at preventing over-literal readings of a contract. It's quite possible that a court would be generous and decide that the parties didn't intend that transfer to a country subject to EU law would be prohibited. But I can see the counter-argument quite easily. Not least that the UK is now not nearly as "safe" in GDPR terms as the EU was, because in less than a year it could leave the whole protection framework behind.

That is why I have called this a "niggle" and not a problem. Even so, it is much better to avoid having courts sort your contracts out for you. In my experience, ambiguities make it easier for an aggrieved party to get legal proceedings off the ground, even if they ultimately lose, or to refuse to comply with a contract without being taken to court. It is something that is worth correcting if you can.