Welcome to the Regulatory Group’s Winter newsletter.
Whilst we may find ourselves in a lockdown, St Philips Chambers’ Regulatory Group remains in a position to assist you and your clients in all aspect of regulatory law. Our barristers can attend hearings and conferences both in person and virtually and remain fully committed to providing the highest quality of service. Meanwhile our clerks, Alan Durham and Dan Giles, remain on hand to deal with any enquires you may have.
This newsletter contains three articles. The first – Muck and Ferraris – is by Jim Puzey, head of the Regulatory group, and provides an interesting overview of the case of The Environment Agency v John Bruce and brings into sharp focus the application of POCA to environmental offences. Next, Jane Sarginson, Chambers’ resident expert in GDPR, considers GDPR in the post-Brexit era. And finally, I deal with Account Freezing Orders.
Enjoy and stay safe,
Jonathan Barker is a member of the St Philips Chambers’ Regulatory Group and is editor of the group’s newsletter. He read law at UCL and was called to the Bar in 2006. He is recommended by the latest edition of the Legal 500 for Crime. He is on the Attorney General’s List of Specialist Regulatory Advocates in Health & Safety and Environmental Law (Band B) and is a grade 4 prosecutor.
MUCK AND FERRARIS – MAKING SURE ENVIRONMENTAL CRIME DOES NOT PAY – By James Puzey
On 22 December 2020 at Worcester Crown Court His Honour Judge Cole ordered that John Bruce of Throckmorton, near Pershore should pay a confiscation order of £2,102,208 within three months and imposed a default terms of 7 years imprisonment. This confiscation order was made on the application of the Environment Agency and is one of the largest orders made for environmental crime in this area. The case illustrates the money to be made from such criminality and how those who commit regulatory offences are being pursued for their profits.
John Bruce has a long history of environmental offending going back to the early 2000s. He has served prison sentences previously but continued his activities undeterred. In 2011 he purchased land at the Throckmorton airfield at Long Lane, Pershore and proceeded to turn it into an unlicensed landfill site. Over the next 7 years or so tens of thousands of tonnes of industrial waste was deposited on the site or buried in it including foundry sand containing aluminium dross which is hazardous waste. He grazed cattle on the site as well and also ran a commercial vehicles business there, which he was later to claim was the legitimate source of the millions of pounds going through his bank accounts.
In 2017 he was charged with a series of offences relating to the unlawful waste operation that he carried on. On 11 May 2018 John Bruce was sentenced to 26 months imprisonment for 6 offences contrary to environmental legislation which spanned the years 2012 to 2014. The Prosecution then sought to confiscate the proceeds of criminality, which had continued to accrue in the intervening years since 2014. The proceedings were drawn out, in part because of Bruce’s claims that he was unfit to participate in the proceedings. The case concluded in December 2020 when His Honour Judge Cole concluded that Bruce had benefitted by over £5m from his illegal waste business and that the assets available for confiscation totaled over £2m. These included the Airfield and farm buildings, a Ferrari F430, personalised number plates and a portfolio of commercial and residential properties.
The Judge disbelieved Bruce’s claims that he had made only a few hundred thousand pounds from turning the airfield into a landfill site.
The case presented a number of challenges, such as obtaining information on the defendant’s true means because he used other individuals, businesses, and a sham trust to hold his assets. Establishing the volume of waste deposited was also difficult because records were not kept and so the Prosecution used aerial survey data to estimate the increase in ground levels at the site during the period of the waste operations.
The case serves as an illustration that regulators are prepared to go to considerable lengths to seize criminal property and thus deter “white-collar” criminals not just with the threat of prison but also with a threat to their bank balances.
James Puzey specialises in Government litigation, particularly in the fields of Tax, Health and Safety law and Environmental Law. He is ranked in Chambers & Partners as a Leading Individual and in the Legal 500 as a Leading Junior. He is on the Attorney General’s List of Specialist Regulatory Advocates in Health & Safety and Environmental Law (Band A).
BREXIT AND GDPR – WHERE ARE WE NOW? – By Jane Sarginson
Until the advent of GDPR, Data Protection was one of those subjects that few appeared interested in, and even fewer understood.
Back in 2016, when the GDPR was first published, the media went into overdrive highlighting its requirements, the need for compliance and the eye watering maximum monetary penalties that could be imposed for breaches. By 2018 Data Protection had become a well worn phrase with many more individuals and hopefully all organisations not only aware of its existence but understanding the need for data protection and its requirements. Today, those organisations should have systems in place to ensure that the principles are adhered to and individuals have the ability to exercise their fundamental rights.
Then came Brexit.
With the prospect of the UK no longer being one of the EU’s Member States, what standing would the GDPR have within the UK, and exactly how would the UK approach data protection in the future?
First, some history. By virtue of the European Communities Act 1972 the GDPR was automatically incorporated into UK law on the 25 May 2018. At about the same time, parliament having reviewed the existing legislation, repealed the DPA 1998 and replaced it with the DPA 2018. The new statute was intended to supplement the terms and application of GDPR including widening its scope both in terms of some definitions and certain types of processing carried out by public authorities (“applied GDPR”), it dealt with exemptions and derogations to GDPR and included the imposition of additional safeguards. Of note, the scope of the DPA 2018 is not limited to GDPR but also incorporates the EU Law Enforcement Directive into UK law and deals with data protection regarding the processing of personal data carried out by the Intelligence Services.
Following the referendum, and with the UK’s departure from the EU on the 31 December 2020, very much on the agenda, the UK parliament took stock of all European law and passed the European (Withdrawal) Act 2018 repealing the European Communities Act 1972 but saved the application of GDPR up until the end of the transition period ending on the 31st December 2020.
Significantly as part of the EU-UK Trade and Cooperation Agreement dated the 24th December 2020, and as far as Data Protection is concerned, the UK and EU agreed that that the transition period was extended for a period of up to 6 months within which time the EU will make its adequacy decision as far as UK data protection legislation. This second transition period is referred to as ‘the bridge’
At the end of the transitional period, section 8 of the European (Withdrawal) Act 2018 incorporates GDPR into ‘retained EU law’ but it will be amended by legislation including the Data Protection, Privacy and Electronic Communications (Amendment et) Regulations 2019 (soon to be further amended/revoked). The amended version of the GDPR will be known as the UK-GDPR.
The 2019 Regulations have the effect of leaving the terms of the GDPR largely unchanged save for a number of amendments including those to take account of the UK leaving the EU, the UK being a third country, the powers of the ICO, and the fact that the ICO will no longer be recognised as a European Supervisory Authority. It will also incorporate ‘applied GDPR’ as set out in Chapter 3, Part 2 of the DPA 2018 into the UK-GDPR.
The upshot is that post Brexit, all processing within the UK must continue to comply with the GDPR,(now termed the UK-GDPR), the DPA 2018, and for the purposes of the UK, the ICO will still remain the Data Protection Authority.
The one major difference in the post Brexit era, is of course your approach to data protection in circumstances where you as an organisation either receive or transfer personal data to a country in the EU/EEA.
Fortunately, by virtue of the initial transitional period and ‘the bridge’, the status quo has been preserved, and for the time being there is no change in application of the Regulation until the transitional period/bridge expires.
One of the purposes of the bridge is for the EU to determine whether or not the UK may qualify for a certificate of adequacy. Some commentators have a gloomy outlook on this – others are more buoyant. Life will be a whole lot easier if a certificate of adequacy is obtained, but there is no guarantee of success.
What should you be doing now?
1. Examine your organisation’s data flows and your processes. Identify which processes include the sending or receiving of personal data to the EU/EEA. Identify which personal data will be subject to the changes and which will not.
2. If you have no contracts or customers within the EU then there is very little for you to change.
3. If your organisation sends personal data to the EU/EEA then as far as the UK government is concerned you will not have to comply with any further legislation in order to do so. However as far an EU/EEA state is concerned, you will be an organisation from a third country and any transfer will be subject to additional scrutiny which is likely to include the requirement for an agreement including Standard Contract Clauses. These will take a time to organise and therefore preparation needs to be underway now.
4. If your organisation operates within the UK and the EU/EEA then you will need to comply with both EU GDPR and UK GDPR/DPA 2018.
A. As the UK is a third country, the ICO will no longer be recognised as a Supervisory Authority for the purposes of the EU-GDPR. Hence when dealing with transfers you will need to identify a relevant Lead Supervisory Authority to whom individuals may complain, and Supervisory Authorities make contact.
B. You may need to appoint a representative within the EU/EEA who can deal with issues raised by the Lead Supervisory Authority and act on your behalf.
C. You need to review any Binding Corporate Rules and consider whether they need amending and/or re-authorising.
D. You need to review your policies and privacy notices to ensure they reflect the changes that you are imposing, ensuring individuals are adequately informed.
5. If your organisation transfers personal data out of the UK and beyond the EU/EEA then the restrictions remain the same.
6. If you are transferring personal data to the US – then following the Schrems II case heard in July 2020, resulting in the immediate invalidation of the privacy shield – you will need to take extra care. Perhaps that subject is best left for another day, when better minds than mine have created an acceptable solution.
Jane Sarginson was called in 2000. She has a thriving regulatory law practice with particular expertise in Information and Data Privacy law.
ACCOUNT FREEZING ORDERS – By Jonathan Barker
The Criminal Finances Act 2017 introduced Chapter 3B to The Proceeds of Crime Act 2002 (POCA) and with it the concept of Account Freezing Orders (AFrO) (see POCA, s303Z1 – 303Z8). Pursuant to s303Z1, an AFrO can be sought where an enforcement officer has reasonable grounds for suspecting that money held in an account maintained with a bank or building society is recoverable property or is intended by any person for use in unlawful conduct. Recoverable property is “property obtained through unlawful conduct”. A person obtains property through unlawful conduct (whether his own conduct or another’s) if he obtains property by or in return for the conduct. Once made, an AFrO prohibits those named within the order from making withdrawals and payments from the account(s) in question although a court may make exclusions from the prohibition to make provision for the purpose of enabling a person by or for whom the account is operated to meet the person’s reasonable living expenses or to carry on any trade, business, profession or occupation or for legal expenses. Note, applications can only be made where there is at least £1000 in the account which is subject of the application.
Applications for AFrOs are governed by The Magistrates’ Courts (Freezing and Forfeiture of Money in Bank and Building Society Accounts) Rules 2017 (the Rules). Applications can be made without notice if it would prejudice steps to forfeit the money; otherwise, a copy of the written application and notification of the hearing of the application must be given by the applicant to any person by or for whom the account which is subject of the application is operated (see Rule 3).To make an AFrO, the court must be satisfied on the balance of probabilities that there are reasonable grounds to suspect the account contains recoverable property (or is intended by any person for use in unlawful conduct). At the hearing for the AFrO, any person to whom the notice of the application has been given may attend and be heard on the question of whether the application should be granted, but the fact that any such person does not attend shall not prevent the court from hearing the application (see Rule 16). However, the court must require the matters contained in the application to be sworn by the applicant under oath and may require the applicant to answer any questions under oath and may require any response from the respondent to the application to be made under oath (See Rule 16). The Court must record or cause to be recorded the substance of any statements made under oath which are not already recorded in the written application. An AFrO can be granted for a period of up to two years. Provisions exist for the variation and setting side of an AFrO (see Rule 4). Ultimately, AFrOs are an effective way to enable enforcement officers to investigate the origins of ‘suspicious’ monies held in bank accounts; they are usually a precursor for forfeiture (see s303Z9 – s 303Z17) and/or the beginning of other proceedings; and the legal threshold for obtaining them is relatively low – reasonable grounds for suspicion!