These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, to which both the EU and UK remain strongly committed. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO is far from acting as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.
3. Pathway to the Proposals
31 January 2020: UK leaves EU; enters implementation period
31 December 2020: EU-UK Trade & Cooperation Agreement; start of ≥ six month transition for personal data transfers
1 January 2021: UK mirrors EU secondary DP law & data adequacy agreements; full adequacy to EEA & Switzerland
28 June 2021: EU grants UK full adequacy (excluding data subject to “immigration exception”)
10 September 2021: Data: A New Direction consultation start
5. Change: How Radical?
Controllers would gain more legal flexibility (& certainty)
Data subjects fewer legal rights to challenge
ICO less legally focused on data rights & duties
Most substantive changes could be plausible implementation of GDPR
Integrity duty changes well within Council of Europe DP Convention 108+
De facto ICO upholding of data rights & duties limited
6. “The UK’s data protection standards will remain fully aligned with the revised Convention 108.” (HM Government, 2017)
7. GDPR Building Blocks (with Restrictions)
Scope (Personal Data Processing)
DP Principles
• Fair, lawful, transparent
• Purpose quality & compatibility
• Information quality & limits
Legality
• Legal grounds
Sensitive Data
• Categorical definition
• Default prohibition absent waiver
Integrity
• Demonstrating compliance
• Security
• DP by design & default
• Joint controllers
• Personal data breaches
• Processor engagement
• Record keeping
• DP Officer
• Impact Assessment
• Export Control
Supervision
Transparency & Control
• Proactive
• Reactive
GDPR Permitted Restrictions: Green = full; Amber = interpretative (see A. 6(4), 9(2)(1)(g), 10 & 23)
8. (UK) GDPR Scope
International Background:
Little obvious scope to restrict even under DP Convention
But Japan has GDPR adequacy with limits based on systematic organisation etc.
Main Possible UK Changes:
Put anonymisation on statutory footing stressing unreasonable time, effort or resources constraint.
State identifiability threshold is relative to each controller.
Verdict: Limited change only.
9. DP Principles & Legality
International Background:
DP Convention similar to GDPR but with less specificity, especially re: necessity of processing and purpose compatibility
Main Possible UK Changes:
Clarify compatibility: law safeguarding important public interest, where different controllers & where original ground consent
Clarify legitimate interests: exhaustive list where no “balancing” needed; remove “impediments” re AI & democratic engagement
PECR: Limit/remove consent for cookies & non-commercial marketing
Verdict: PECR change may be far-reaching; otherwise limited change.
10. Sensitive Data General Prohibition
International Background:
DP Convention: Narrower definition; Appropriate safeguards only
Main Possible UK Changes:
Limit/remove “substantial public interest” threshold uncertainties
Secure legal grounds for health data processing in emergency, AI anti-bias training and testing & democratic engagement of political parties etc.
Consider new sensitive legal bases
Verdict: Limited change only
11. Transparency and Control Rights
International Background:
DP Convention: Similar structure but much more limited default
GDPR: may allow for far-reaching case-by-case limits (A 23)
Main Possible UK Changes:
Privacy notices: No change except limit recontact for research repurpose
Subject Access: Nominal fee; disproportionality threshold; cost limit
AI significant decision-making: Clarify or even remove all further rights
Verdict: Generally quite limited
But subject access & AI proposals in tension even with DP Convention
12. Integrity Duties
International Background:
DP Convention: High-level accountability framework
GDPR: More detail than on substantive provisions; complex and prescriptive
Main Possible UK Changes:
Privacy management programmes to replace impact assessment, prior consultation, documentation and statutory DP officer requirements
Breach notification to ICO only when risk “material”
Data transfers: relax 4-yearly review of adequacy; allow controller appropriate safeguards; state redress may be judicial only; state repetitive derogation use okay; exempt “reverse transfers”
Verdict: Significant change
However, most proposals in principle within DP Convention
13. (DP Authority) Supervision
International Background:
DP Convention: Much looser than GDPR (which de jure is largely peremptory) but still focus on DPA upholding data subject rights
Main Possible UK Changes:
Re-establish ICO as transparent Board; PECR powers to mirror GDPR
ICO data use, growth, innovation, competition & public safety duties
Government role & impact assessment re ICO priorities, codes of practice & (complex) guidance
Complaints – require process starts with controller first & legal criteria on when ICO will pursue
Verdict: Significant changes, squaring with DP Convention questionable
But de facto ICO upholding of data rights & duties anyway limited.
14. Conclusions
GDPR (not PECR) proposals evolutionary not revolutionary
Many of these changes are sensible and clearly within at least DP Convention framework
But overall package is tilted to controllers not data subjects
Entrenchment & acceleration of ICO agenda away from upholding data rights & duties of particular concern.