ICO Refuses to Disclose GDPR Policy Document for Special Categories Data

Screen Shot 2018-08-28 at 21.59.50

In the months leading up to 25th May 2018, data controllers will have been working like Trojans to become GDPR compliant. Data Protection Officers may have been pulling their hair out at the length of their ‘to do lists’.  Not least, working out what their lawful basis or processing is, drafting Privacy Notices in clear and plain English, reviewing their subject access and breach notification procedures and training staff.

Add to all of that the additional requirements imposed by the Data Protection Act 2018 to have an ‘appropriate policy’ in place in relation to the processing of certain special category personal data and personal data relating to criminal convictions.  Specifically s. 10 DPA requires that processing special category data meets the conditions in Part 1-3 of Schedule 1. This in turn also requires that in certain circumstances the data controller must have an ‘appropriate policy document in place’. [1]  Schedule 1, Part 4 provides some limited guidance on what must be in the policy document. The document must explain the controller’s procedures for securing compliance with the principles in Article 5 of the GDPR in connection with the processing of the personal data.  It must also explain the controller’s policies in relation to the retention and erasure of personal data processed in reliance of the condition.

This new requirement may not have been the foremost concern for every data controller and it is possible or even likely that policies may still be in draft as DPOs work out what to include in their documents.  The ICO has not, as yet, issued any guidance on these policy documents and so this no doubt will present challenges for many DPOs. . Perhaps the requirement is also presenting challenges for the ICO, because at the time of writing, the ICO is unwilling to publish its own Policy Document.

The request and the refusal

On 19th July the ICO received a request for a copy of its ‘Policy designed to show compliance with Schedule 1, Part 4 of the DPA 2018.’  Although the applicant did not explain why they wanted it (and as FOIA practitioners know, the regime is purpose blind), there can be little doubt that many data controllers would find the ICO’s own Policy Document a very useful guide to the scope and content of such a policy.  Additionally it is important that the public, and indeed ICO employees, are made aware of how the ICO itself will process special category and criminal conviction data.

On August 17th 2018 the ICO refused the request, citing the s 22 FOIA exemption (information held with a view to future publication).  S 22 provides that information is exempt information if:

  • the information is held by the public authority with a view to its publication, by the authority or any other person, at some future date (whether determined or not),
  • the information was already held with a view to such publication at the time the request for information was made, and
  • it is reasonable in all the circumstances that the information should be withheld from disclosure until the date referred to in paragraph (a).

S 22 is a qualified exemption and requires a determination of the public interest.

Sadly, the ICO’s Refusal Notice falls short of the ‘best practice’ that one should reasonably expect from the FOIA regulator.

  • The refusal notice offers no explanation of why the ICO believes it is reasonable in all the circumstances to withhold disclosure until some future date. The ICO has failed to follow its own guidance on the s 22 exemption in not even addressing this point. In fact it is arguable that by not considering this, the exemption is not engaged.
  • It fails to provide any indication of a future intended date for publication.  Although there is no requirement under the FOIA to do this, given the level of interest surrounding the new Data Protection Act it is difficult to see why the ICO did not seek to offer some indication of the intended future publication date.  It also neglects the ICO’s own advice on the s 22 exemption, that  is good practice to provide the requestor with an anticipated date of publication.
  • It fails to adequately explain the public interest factors that have been taken into account.

Weak and generic public interest assessment

The public interest test requires an assessment of whether:

In all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information.

This requires a particular attention to the ‘circumstances of the case’. In one of its earliest judgments the Information Tribunal emphasised that a public authority must ask ‘is the balance of public interest in favour of maintain the exemption in relation to this information and in the circumstances of this case?’. [2] The ICO refusal notice is however generic and lacks any explicit reference to the information requested or the particular circumstances surrounding this document.

In favour of disclosure the ICO simply states that there is a public interest in transparency being demonstrated by disclosure and a legitimate interest in the compliance of the ICO with the legislation it regulates. It could have added more weight to this side of the equation. For instance, it could have supplemented these rather generic assertions by making explicit reference to the first Principle in Article 5 (1) GDPR, that data should be processed in a transparent manner. It might also have used different language recognising a ‘strong’ (rather than legitimate) public interest in ensuring that the ICO complies with the legislation it regulates, particularly given the gravity of non-compliance.

In favour of withholding the information the ICO cites three points, again without elaboration or reference to the specifics of the case.

First it states that ‘transparency is achieved through the pro-active publication of information on the web site’. Simply stating this falls well short of explaining how it is not in the public interest to disclose earlier than planned. Given that the information is going to be published at some future date, the public interest test should really consider why it is not in the public interest to publish earlier than planned. This is not addressed by the ICO.

Second, the ICO cites ‘the impact on ICO resources if we were to respond individually to requests for information that is due to be published’. This again appears to be something of a blanket refusal and fails to take into account the specific information that is being requested.

Finally, the ICO cites there is no pressing public interest in disclosing the information early. The refusal notice does not offer any reason in support of why it would not be in the public interest to disclose the document now. There is no explanation about why the ICO has reached this conclusion. However, perhaps more compelling is the fact that the Act has been in force for almost three months now. The ICO should have had a Policy Document in place since May 23rd 2018. In which case it is difficult to see how disclosing it now would be ‘early’. That is unless the document is still in a draft form and the ICO is not in a position to say when it might be published. Perhaps the ICO, like other data controllers is finding it a challenge to draft its Policy Document.

At the time of writing the requestor has submitted a request for an internal review.

I leave you with the ICO’s strapline; ICO, the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.


Susan Wolf has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. She will be delivering a range of online webinars on various subjects around GDPR. 

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.


[1]  In addition, under Part 3 of the DPA 2018 which implements the Law Enforcement Directive, sections 35 and 42 and Schedule 8 also require that data controllers have an appropriate policy document in place.

[2] Hogan and Oxford City Council v The Information Commissioner EA/2005/0026 & EA/2005/0030

Facebook Fan page administrators need to be GDPR compliant



By Susan Wolf

In our previous blog we considered the recent, and much awaited, decision of the Court of Justice of the European Union  (CJEU) on the status of Facebook fan page users [1]. After protracted litigation in the German Courts, the CJEU ruled on June 5th 2018, that the concept of data controller was wide enough to include a user of a fan page hosted on a social network (in this case Facebook).

WirtschaftsakademieSchleswig-Holstein GmbH (a private training academy) operated a Facebook fan page, which it used to promote its activities. Facebook provided Wirtschaftsakademie with anonymsied statistical data about people who visited the fan pages. The German Data Protection authority for Schleswig-Holstein ordered Wirtschaftsakademie to deactivate the page or risk a fine. This is because visitors to the fan page were not warned that their personal data was being being collected by Facebook, by means of cookies that were placed on the visitor’s hard disk. The purpose of that data collection was to compile viewing statistics for the Wirtschaftsakademieand to enable Facebook to publish targeted advertisements.

Technically the Court’s jurisdiction is limited to providing authoritative rulings on the interpretation of EU law and not determining the outcome of a case. However, in this case the Court made it very clear that, Wirtschaftsakademie was a data controller responsible for processing personal data, jointly with Facebook Ireland. However, the ruling has much wider implications and could affect all organisations that use Facebook fan pages, or other similar online social media.

Joint Data Controllers Must have an Agreement that sets out respective responsibilities under the GDPR


The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services does not mean it escapes any of the obligations concerning the protection of personal data. In short, as a joint data controller, the fan page user must comply with the GDPR.  Similarly the fact that the fan page user acts as a joint controller, in that it decides to use Facebook as its platform, does not relieve Facebook of its obligations as controller either.  They are joint data controllers; a concept specifically acknowledged by Article 26 of the GDPR, which states.

“Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall, in a transparent manner determine their respective responsibilities for compliance with the obligations under [the GDPR] in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless….The arrangement may designate a contact point for data subjects.”

Joint controllers must enter into a specific agreement, or contract, that sets out their respective responsibilities under the GDPR.

Joint Controller does not necessarily mean ‘equal controller’


The fact that two entities are joint controllers does not mean that they are ‘equals’. The CJEU acknowledges that the existence of joint responsibility, with an online social network, such as Facebook does not necessarily imply equal responsibility.

Depending on the circumstances, different operators may be involved at different stages of that processing, and also to different degrees.  So for example, it is not necessary for a data controller to have complete control over all aspects of data processing. Indeed data processing today is becoming much more complex and may involve several distinct processes that involve numerous parties, each exercising different degrees of control. With such complexity it is even more important that roles and responsibilities are clearly defined and easily allocated.  However Article 26 GDPR also requires that the ‘allocation’ of responsibilities must be transparent. The Article 29 Working Party 2010 Opinion on Data Controllers [2] (Now the European Data Protection Board) emphasises that the complexities of joint control arrangements must not result in an unworkable distribution of responsibilities that will make it more difficult for data subjects to enforce their rights.

On 15th June Facebook issued a statement for users of Facebook fan pages. This also acknowledges that ‘it does not make sense to impose an equal footing on page operators for the data processing carried out by Facebook’.  Accordingly Facebook has indicated that it will update its own terms and conditions to clarify the respective data protection responsibilities of Facebook and Fan Page site users. (The statement does not expressly refer to the GDPR). However, at the time of writing this blog nothing further has been issued.

A note of caution: Liabilities

The terms of any joint controller agreement will be very important because of the provisions of Article 82 (4). This states that where more than one data controllers are involved in the ‘same processing’ and where they are responsible for any damage caused by processing, each controller shall be held liable for the entire damage. This is to ensure the effective compensation of data subjects who suffer any ‘material or non material’ damage as a result of any breach of the GDPR. However, GDPR Recital 146 states that where both controllers are joined in the same legal proceedings, compensation may be apportioned according to the responsibility of each controller. (Subject to the caveat that the data subject who has suffered any damage is compensated in full).  Therefore an agreement that specifically allocates responsibilities, and liabilities, should be regarded as essential.

What steps should Fan Page users be taking now?

Until Facebook clarifies its position on joint controller agreement, it might be prudent for anyone thinking of opening a Facebook fan page, to defer from doing so.

However, existing fan page users do need to take steps to become GDPR compliant.

The Information Commissioner’s Office has not, as yet, issued any guidance to fan page users. However, the German Data Protection Authorities have issued a statement advising Facebook fan page users/operators that they must comply with the applicable provisions of the GDPR and specifically the following obligations:

  • The operator must provide information on processing activities by Facebook and by the operator itself transparently and in an understandable form.
  • The operator must ensure that Facebook provides the relevant information to enable the operator to fulfil its information obligations.
  • The operator must obtain opt-in consent for tracking visitors to a fan page (e.g., by using cookies or similar technologies).
  • The operator must enter into a co-controller agreement with Facebook.

Perhaps a more pragmatic solution is for fan page users to consider what steps an organisation would need to take, as data controller, if they had created their own website (other than via Facebook) and embedded cookies and implemented a tool similar to the Facebook Insights tool, in order to compile viewing statistics.

[1] Case C210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v

Wirtschaftsakademie Schleswig-Holstein GmbH

[2] Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of “controller” and “processor”


Act Now provides a full GDPR Course programme including one day workshops, elearning, Healthchecks and our GDPR Practitioner Certificate. 

Book now to avoid disappointment! 


Decision: Facebook Fan Page Administrators are Data Controllers


By Susan Wolf

On 5th June 2018 the Court of Justice of the European Union (CJEU) delivered its long awaited Facebook fan page decision. The case concerned the definition of data controller under the now repealed Data Protection Directive 95/46/EC [1] and in particular whether the administrator user of a Facebook fan page was a data controller.

The fact that the Data Protection Directive has been replaced by the GDPR 2016 should not diminish the importance of this ruling, particularly for organisations that use Facebook or other social media platforms to promote their business or organisation.

We explain some of the issues raised in the case and consider the implications of the ruling for administrators of Facebook fan pages under the GDPR.

The case

The case involved Wirtschaftsakademie Schleswig-Holstein GmbH, a private training academy in Germany. The company provided business training for commerce and industry (including GDPR training).  It operated a Facebook fan page to make people aware of its range of services and activities.

Fan pages are user accounts that can be set up on Facebook by individuals or businesses. According to Facebook, a fan page is a place where businesses can create a space on Facebook, to connect with people to tell them about their business.  Fan pages are not the same as Facebook profiles, which are limited purely for individuals’ personal use. Unlike a personal Facebook profile, a Fan page is accessible to anyone using the Internet.

Authors of fan pages must register with Facebook in order to use the online platform to post any kind of communication. At that time, fan page administrators could obtain, from Facebook, anonymous statistical information on visitors to the fan page, via a function called ‘Facebook Insights’. That information was collected by means of ‘cookies’, each containing a unique user code, which remained active for two years and were stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages. The user code, which could be matched with the connection data of users registered on Facebook, was collected and processed when the fan pages were opened.

The service, which was provided free of charge under non-negotiable terms, was no doubt very useful to the German Training Academy.  Unfortunately, neither Wirtschaftsakademie, nor Facebook Ireland notified anybody ‘visiting’ the fan page about the use of the cookies or the subsequent processing of the personal data.  The German Data Protection Supervisory Authority for the Schleswig-Holstein Land (Region) took the view that by setting up its fan page, the Wirtschaftsakademie had made an active and deliberate contribution to the collection by Facebook of personal data relating to visitors to the fan page, from which it profited by means of the statistics provided to it by Facebook.  The regulator concluded (in November 2011) that the Wirtschaftsakademie was a data controller and consequently ordered it to deactivate its fan page and threatened a penalty payment if the page was not removed.

The Wirtschaftsakademie challenged that before the German Administrative Court. Their main argument was that it was not responsible under data protection law for the processing of the data by Facebook or the cookies that Facebook installed, and neither had it commissioned Facebook to process personal data on its behalf. This argument was successful before the administrative court. However the regulator appealed and what followed was lengthy protracted litigation in the German courts. By 2016 the case had reached the Federal Administrative Court. The Federal Court also agreed that the Wirtschaftsakademie was not responsible for the data processing as defined by Article 2 (d) of the Data Protection Directive:

  • (d) ‘controller’ shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. The GDPR, Article 4 defines data controller in identical terms.

However, the Federal Court also decided that it was necessary to refer the question to the CJEU under the preliminary rulings, particularly since the CJEU had previously ruled [2] that the concept of data controller should be given a broad interpretation in the interests of the effective protection of the right of privacy.

The CJEU Ruling

The CJEU has no difficulty in concluding that Facebook Inc. and Facebook Ireland were data controllers because they

determined the purposes and means of processing the personal data of Facebook users and anyone visiting fan pages hosted on Facebook. However, the Court recalls that the definition includes entities that  ‘alone or jointly with others’ determine the purposes and means of data processing. In other words, the purposes may be determined by more than one controller and may be determined by ‘several actors taking part in the processing’ with each being subject to the provisions of the Directive.

On the facts, the Court considered that the administrator of a Facebook fan page:

  • Enters into a contract with Facebook Ireland and subscribes to the conditions of use, including the use of cookies.
  • Is able to define the parameters of the fan page, which has an influence on the processing of personal data for the purposes of producing statistics based on visits to the fan page.
  • Could, with the help of filters made available by Facebook, define the criteria for statistical analysis of data.
  • Could designate the categories of persons whose personal data is to be made use of by Facebook.
  • Can ask Facebook for demographic data relating to its target audience, including age, sex, relationship and occupation, lifestyle and purchasing habits.

These factors pointed to the fact that the administrator of a fan page hosted on Facebook takes part in the determination of the purposes and means of processing the personal data of visitors to the fan page. Consequently the administrator of the fan page is to be regarded as a data controller, jointly with Facebook Ireland.

The Court rejected arguments that the Wirtschaftsakademie only received the statistical data in anonymised form because the fact remained that the statistics were based on the collection, by cookies, of the personal data of visitors to the fan page.

The fact that the fan page administrator uses the platform provided by Facebook does not exempt it from compliance with the Directive. The Court also added that non Facebook users may visit a fan page and therefore the administrator’s responsibilities for the processing of the personal data appears to be even greater as the mere consultation of the home page automatically starts the processing of personal data.

[1]  Case C210/16 Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v

Wirtschaftsakademie Schleswig-Holstein GmbH

[2]Case C 212/13  František Ryneš v Úřad pro ochranu osobních údajů


We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now. New Dates added for London!

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

Act Now welcomes Susan Wolf to the team

image002 copy

Susan Wolf has over ten years experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. She has also presented workshops on the FOIA, the EIR, and access to EU information in Germany, Czech Republic and throughout the UK. Susan developed the Postgraduate Certificate in Data Protection Law & Information Governance at Northumbria University.

Susan is the author of the Law Society’s Environmental Information: A Practical Guideand contributed to the Law Society’s Information Sharing Handbook. She has also published articles on various aspects of the EIR and Access to EU Documentation. Susan has also published textbooks on European Union and Environmental Law.

Susan worked for Newcastle City Council for ten years advising on access to EU funding and worked closely with the EU institutions. She is also a trustee of a national charity, leading on information governance and implementation of the GDPR. Susan has undertaken contract research, consultancy and training for public sector organisations.

Ibrahim Hasan said, “Susan’s experience shines through. With her many years teaching practitioners at University and work within the public sector, she will be an excellent addition to the growing Act Now team. With all this experience we believe we are even better placed to fulfil all your organisations information governance needs. Be sure to look out for Susan’s workshops in our course programme.”

The role of the Court of Justice of the European Union ( CJUE) post Brexit


By Susan Wolf

In our previous Blog, we examined the European Union (Withdrawal) Act 2018 and explained that the GDPR, EIR and PECR will remain on the domestic statute book post Brexit. In other words they will continue to be legally binding after the date that the UK leaves the European Union in March 2019.

In this blog we briefly examine the role of the Court of Justice of the EU (or CJEU) post Brexit. We explain how, despite leaving the EU, the interpretive rulings of the CJEU in relation to the following legislation, will continue to have relevance for UK organisations and practitioners:

  • The GDPR 2016
  • The Law Enforcement Directive 2016/680
  • The Directive on Public Access to Environmental Information 2003/4
  • The Privacy and Electronic Communications Directive 2002/58

Preliminary Rulings of the CJEU

Any national court or tribunal of a Member State has the right to request a ‘preliminary ruling’ from the CJEU, where it considers that a ruling is ‘necessary’ to enable it to give judgment in a case involving the interpretation of EU law.  The CJEU has jurisdiction to interpret EU Law, but it does not rule on the outcome of a case. This task falls to the national court that has requested the ruling. However, the national court is bound to follow the interpretive ruling, which is binding. The ruling is also authoritative and must be followed by the courts and tribunals of all the Member States.

For example in East Sussex County Council v the ICO (2013), the First Tier  (Information Rights) Tribunal requested a ruling from the CJEU on the meaning of the ‘reasonable charges’ for the supply of environmental information.  Quite clearly, the CJEU’s interpretation has had major implications for public authorities subject to the EIR 2004, particularly those providing property search information. But the interpretation given by the CJEU is also binding on public authorities throughout the EU.

The purpose of the procedure is to ensure that EU Law is interpreted ‘uniformly.’ This is particularly important given that the EU currently comprises 28 Member States and has 24 official languages and each country has a different and unique legal tradition and culture.

A Red Line not to be crossed

The role of the Court of Justice, post Brexit, has been one of the controversial aspects of the Brexit negotiations, with the Prime Minister Teresa May suggesting that its continued jurisdiction was a ‘red line’ not to be crossed.  In fact the position is more complex and nuanced.

Under the terms of the EU Withdrawal Act 2018, the UK national courts and tribunals, including the First Tier (Information Rights) Tribunal, will no longer be allowed to refer questions about the interpretation of EU law to the Court of Justice. However, in the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.  Therefore, anyquestions as to the meaning of EU retained law will be determined by the UK courts by reference to the CJEU’s case law as it exists on the day the UK leaves the EU.  For example, the CJEUs ruling on the interpretation of the Privacy and Electronic Communications Directive in a German case  (Deutsche Telekom AG v Bundesrepublik Deutschland (2011) continues to be binding on the UK courts.

The Supreme Court

The position is different for the Supreme Court  (or High Court of Justiciary in Scotland). Under the EU (Withdrawal) Act both the English and Scottish highest courts can depart from any retained EU case law if it appears ‘right to do so’. In deciding whether to do this the court must apply the same test as it would apply in deciding whether to depart from its own case law. In practice, this power is exercised rarely and there is no reason to suggest that the Supreme Court will seek to depart from any existing CJEU rulings, at least in the immediate future.

What about future CJEU rulings?

There can be no doubt that the GDPR and the Law Enforcement Directive 2016 will raise significant questions of interpretation in the future.  Inevitably the  CJEU will soon be faced with preliminary ruling requests on key questions, such as the interpretation of the ‘right to be forgotten’in the GDPR.  However, given the time it takes to obtain a preliminary ruling (often over a year), it will be some time before the Court is able to cast some light on these new provisions.

As one might expect, the EU Withdrawal Act makes it clear that the domestic national courts and tribunals are no longer bound by any principles laid down, or any decisions made by the CJEU on or after the date of exiting the EU. This comes as no surprise. However, what is perhaps less well known is that the national courts and tribunals may have regardto post Brexit rulings if the national court ‘considers it appropriate to do so’.  Of course, it remains to be seen how willing the national courts will be to ‘follow’any future rulings. However, it would be prudent to suggest that information rights /data protection practitioners and lawyers should still play close attention to future CJEU rulings on the interpretation of EU information rights and data protection laws, post March 2019.

(Future CJEU preliminary rulings will be posted on the Act Now Blog).

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.



The EU Withdrawal Act 2018: What does it mean for information rights practitioners?


By Susan Wolf

Amidst all the media attention about the resignation of David Davis and Boris Johnson, and what type of deal (if any) the UK will end up with, uncertainty seems to be the current default setting in British politics. However, there is one certainty that may have escaped many people’s attention, namely that the European Union (Withdrawal) Act 2018 received Royal Assent on 26 June 2018. Many would be forgiven for not noticing that after over 270 hours debate in Parliament (during which the government was forced to concede some significant amendments proposed by the House of Lords) the Bill became law on 26thJune. Many would also be forgiven for not knowing what the Act does or what it is trying to achieve. This guide is intended to briefly summarise the EU Withdrawal Act 2018. Further and more detailed information will be provided in follow up blogs on the impact of Brexit on the GDPR, EIR  and the PECR.

Why was it necessary to enact the EU (Withdrawal) Act  and what does it do?

EU law covers many areas of daily life, including employment law, environmental law and of course data protection law.  EU legislation, enacted by the EU institutions, takes the form of:

  • EU Regulations (such as the General Data Protection Regulation 2016). EU Regulations are described as ‘directly applicable’. This means that they require no national implementing legislation, because they automatically become part of domestic law when enacted by the EU institutions. EU Regulations are designed to ensure that the law is uniform throughout the EU.
  • EU Directives are quite different from EU Regulations. Directives set out the objectives that are to be achieved but leave some degree of latitude to Member states on how to achieve them. Directives require Member States to introduce national legislation in order to bring the provisions of the directive into force.
    • For example, the Environmental Information Regulations (EIR) 2004 is a piece of domestic law that implements the provisions of the EU Directive on Public Access to Environmental Information 2003/4/EC.
  • Most EU Directives are implemented into domestic law by means of statutory instruments, but the Data Protection Directive 95/46/EC was implemented into domestic law by the Data Protection Act 1998. The Law Enforcement Directive 2016/680/EU has been implemented into domestic law by Part 3 of the Data Protection Act 2018.

The European Communities Act (ECA) 1972is the statutory mechanism that enables such EU legislation to have legal effect in the UK. In particular it allowed EU regulations to take effect in domestic law and gave Ministers powers to introduce secondary legislation to implement directives.

The referendum decision on 23rd June 2016, in favour of leaving the EU meant that the European Communities Act 1972 had to be repealed. However, repealing the ECA 1972 would have resulted in large areas of EU law and regulation no longer having any legal effect in the UK. It is widely recognised that this would have created a “black hole’ in the domestic statute book and huge amount of legal uncertainty about the applicable law and the rights previously conferred by EU Law.

The EU (Withdrawal) Act 2018 repeals the European Communities Act from the date that we leave the EU, 29thMarch 2019. However, to avoid the problem described above, the Act essentially ‘converts’ EU law as it stands at the time we exit the EU into domestic law. It also ‘preserves’ all laws made in the UK to implement EU obligations (such as the Environmental Information Regulations 2004).  In a nutshell it means that all the laws and regulations made over the last 40 years, while the UK was an EU Member State, will continue to apply after Brexit. Contrary to what members of the public may have believed when they voted in favour of leaving, EU law will continue to have force in the UK after the date of exit.

This means the following will continue to have effect after the date when the UK leaves the EU:

  • The GDPR 2016
  • The Environmental Information Regulations 2004
  • The Law Enforcement Directive 2016 provisions in Part 3 of the Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

After the UK has exited the EU in March 2019, Parliament will be able to decide which of the ‘EU retained’ laws and regulations it wishes to keep, repeal or amend. Ministers will be given wide-ranging and somewhat controversial powers to make these changes by secondary legislation. In particular, there has been criticism about the use of secondary legislation (and the lack of parliamentary scrutiny) to potentially repeal important statutory provisions.

The extent to which these powers may be exercised and may impact on current EU law information rights and data protection law, including the GDPR, the Privacy and Electronic Communications Regulations, the Environmental Regulations and the Law Enforcement Directive will be considered in subsequent blogs and forthcoming webinars.

Judicial interpretation of retained EU Law

The courts and tribunals of the Member States have a legal obligation to interpret national law that gives effect to EU law, in a purposive manner. This means there is a duty on the courts to do what is within their jurisdiction to interpret national law in a manner that best achieves the results laid down in EU law, and offers the effective protection of any legal rights conferred by EU law.   This is known as ‘indirect effect or the duty of sympathetic interpretation’. For example, the Information rights Tribunal has frequently cited the aims of the Environmental Information Directive as an aide to the interpretation of the EIR 2004.  The Directive requires that the exceptions to disclosure are interpreted in a restrictive manner, and there is clear evidence that the First Tier and upper tribunals have taken this on board in their decision-making.

Post Brexit, the national courts will no longer be bound to do this.  However, it is unlikely that the national courts will return to the traditional ‘literal’ approach to interpretation. Increasingly the national courts have shown a willingness to interpret most legislation in a purposive fashion and this is unlikely to change as a result of Brexit.

Where the courts have been faced with the interpretation of national law that gives effect to EU law, then they have been able to refer questions to the Court of justice of the European Union, using the ‘preliminary rulings procedure’.  The preliminary rulings of the CJEU are currently binding and seek to ensure that the law throughout Europe is uniformly interpreted. As many information rights practitioners will know, the CJEU has handed down some significant rulings on the interpretation of the 1995 Data Protection Directive 1995/46/EC (such as the famous Lindqvist case in 2001 on the processing of personal data on the internet [1]) and on public authorities under the Environmental Information Directive 2003/4/EC in Fish Legal v the Information Commissioner. [2] In the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.

The continuing relevance of these decisions and the role of the Court of Justice, post Brexit, will be considered in a later Blog.

[1]Case C 101/01 Criminal proceedings against Bodil Lindqvist

[2]  Case C-279/12 Fish Legal and Emily Shirley v Information Commissioner and Others

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Dont forget about our GDPR Helpline, its a great tool to use for some advice when you really need it.

%d bloggers like this: