In a statement posted to the U.K. Parliament website yesterday by Baroness Neville-Rolfe, the U.K. government has made it known that it will not choose to opt-in to Article 43a of the proposed General Data Protection Regulation. House of Lords member Neville-Rolfe is Parliamentary Under-Secretary for Department of Culture, Media and Sport, the department that now houses the Information Commissioner’s Office.
Article 43a is a “new” portion of the GDPR, added after the Commission’s initial draft, coming just after Article 43, which governs the international transfers of data via binding corporate rules. It reads, in full:
“Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Some have referred to this article as the “anti-FISA” clause, referring to the United States’ FISA court, to which U.S. intelligence appeals for permission to access data, though 43a would apply to any third country. Essentially, it says that controllers based in the EU should not transfer data to a third country for the purposes of law enforcement or intelligence access unless there is something like a mutual legal assistance treaty in place with that third country, which would govern the method of transfer.
The United States does, for example, have such a treaty in place (in this case to help with narcotics investigations) with every country in the EU. Further, in the Microsoft Ireland case, Microsoft argues that the MLAT mechanism should have been used by the U.S. government to request the data on its servers that is stored in Ireland. However, there are many criticisms of the MLAT process, including that it is too slow and unwieldy for modern law-enforcement needs.
In the statement on the Parliament’s site, Neville-Rolfe writes, “The text restricts a member state from enforcing a judgment requiring the transfer or disclosure of personal data where there is no international agreement or treaty. As a result of concerns relating to the integrity of the U.K. legal system, the U.K. will not exercise the opt-in to the parts of Article 43a which trigger the Protocol 21.”
Protocol 21 to the Treaty on European Union says that “[t]he U.K., and separately Ireland, may choose, within three months of a proposal being presented to the Council … whether it wishes to participate in the adoption and application of any such proposed measure.” The U.K. considers the proposal to have been put forward on December 17, 2015, following the trilogue negotiations.
If you want to comment on this post, you need to login.