Sometimes the real message is not just what’s on the page, but between the lines.
Take this document. It’s from this month’s proceedings of the European Scrutiny Committee of the House of Commons. In this case, they were examining the proposed update of the EU’s ePrivacy Directive, that quirky piece of catch-all legislation containing, amongst other things, the “cookie law”.
Context is key. They reviewed the document with one eye on the state of play for data protection and privacy post-Brexit. They are also no doubt mindful of the stubborn opacity the May government brings to all matters digital.
So observe what they do here.
The committee wrote:
6.5 The Government provides us with an initial but comprehensive view of the proposal. However, it does not provide an impact checklist, nor address Brexit implications and only mentions in passing the recent CJEU ruling in Watson which concerned the current ePrivacy Directive.
In other words, they are pulling up the government for not doing its homework.
6.6 We thank the Minister for Digital and Culture (Matthew Hancock) his comprehensive Explanatory Memorandum (inaccessible PDF) on this important proposal.
Diverging for a moment to review the Explanatory Memorandum, it shows that the UK government has read and acknowledged the draft EU proposal but not really thought about it. So the committee lays in:
6.7 The Government has said that the UK will comply with the new data protection Regulation by 25 May 2018, before Brexit. This is the date when the Commission also intends this proposal to apply, once adopted. In the light of this we would be grateful if the Minister could confirm whether the Government:
- also intends to comply with this proposal on ePrivacy before Brexit;
- plans to keep UK law aligned with EU data protection law after Brexit, including this proposal once adopted; and
- considers that any provisions in the proposal as currently drafted are problematic in any way to the UK as a third country after Brexit.
And now in for the kill:
6.8 The Minister recalls in his account of the Commission’s review of the existing ePrivacy Directive:
“In addition, the evaluation also found potential overlaps with the GDPR, such as the provisions for data security and data breach notifications. The reform thus aims to remove contradictions and duplications between the instruments, reduce discretion for member states, as well as clarify the application of certain provisions.”
However, the respective scopes of the new GDPR and the proposed Regulation are not entirely clear to us and, by extension, may not be clear to duty-holders and data subjects. We are concerned about legal uncertainty which may become even more important after Brexit when the UK will have to consider what, if any, EU data protection law it wishes to retain in the longer term as UK law. So when the Minister next writes, please could he clarify, using practical examples where possible, when data relating to “electronic communications”, including metadata would fall to be considered:
- exclusively under the proposed Regulation;
- exclusively under the GDPR; and
- under both.
We would also be very interested to learn in due course whether there are any adverse consequences that might flow from scenarios (a)-(c), in terms of the level of legal protections provided to UK citizens or burdens imposed on UK business.
Isn’t Parliamentary scrutiny a beautiful thing?
Oh, but they’re not done.
6.9 We note that the Minister questions whether it would have been better for the Commission to have chosen a Directive instead of a Regulation as the legal instrument for this new proposal. Given the proposal’s close links with the GDPR, we consider that adopting a different legislative form to the GDPR would create unhelpful enforcement and other consistencies for Data Protection Authorities like the Information Commissioner’s Office.
In other words: nice try, lad.
6.10 The Minister states at paragraph 46 of his EM:
“The government will fully consider the impact of the proposal on stakeholders and the Information Commissioner’s Office.”
There are also various statements made by the Minister in his EM about the Government assessing further whether the proposal is adding value or imposing disproportionate burdens in various areas. We therefore request the Minister to provide us with a copy of the Government’s Impact Checklist as soon as possible. It is clearly important that the UK is not burdened with having to comply with EU legislation that imposes unnecessary burdens for UK business, public authorities or regulators for what might only be a short period before Brexit.
6.11 In his Explanatory Memorandum, the Minister welcomes consultation with interested parties, but we would be interested to learn what formal and structured consultation the Government has undertaken with stakeholders so far. Did stakeholders feed into any Government submission to the Commission’s REFIT consultation? If possible, it would be helpful for us to see a copy of any submission.
There is more available to read but I think the point has been made clear. Digital leadership, at this peculiar point in history, is coming from from the green benches. Lip service is coming from the black door.