These slides explore the reforms to the UK General Data Protection Regulation (GDPR) proposed by the UK Government in Data: A New Direction. It is argued that they are both significant and unbalanced against the data subject but (aside potentially from the e-privacy rules) not generally radical. The great bulk of the proposed substantive changes to data protection could plausibly be justified under the derogation clauses available to EU Member States within the GDPR itself. Reforms to the integrity duties of controllers and others are more far-reaching. Nevertheless, their broad structure remains compatible with even the revised version of the Council of Europe framework, Data Protection Convention 108+, which both the EU and UK remain strongly committed to. Finally, the proposals to shift ICO supervision de jure away from a priority focus on individual data subject rights and complaints are difficult to square even with Convention 108+. Nevertheless, de facto the ICO far from acts as a legal champion for the data subject today. Indeed, despite receiving over 36,000 complaints from individuals during 2020-21, it issued just three fines under the GDPR (all concerning data security breaches) and just one injunctive enforcement notice.

1. Dr David Erdos
Faculty of Law
University of Cambridge

3. Pathway to the Proposals
 31 January 2020: UK leaves EU; enters implementation period
 31 December 2020: EU-UK Trade & Cooperation Agreement;
start of ≥ six month transition for personal data transfers
 1 January 2021 : UK mirrors EU secondary DP law & data
adequacy agreements; full adequacy to EEA & Switzerland
 28 June 2021: EU grants UK full adequacy (excluding data
subject to “immigration exception”)
 10 September 2021: Data: A New Direction consultation start

4. Directions of Change
Change
Promote
Innovation
Reduce
Burdens
Boost
Trade
Improve
Public
Services
Reform
ICO
Regulation

5. Change: How Radical?
 Controllers would gain
more legal flexibility
(& certainty)
 Data subjects fewer
legal rights to challenge
 ICO less legally focused
on data rights & duties
 Most substantive changes
could be plausible
implementation of GDPR
 Integrity duty changes well
within Council of Europe DP
Convention 108+
 De facto ICO upholding of
data rights & duties limited

6. “The UK’s data protection standards will remain fully aligned with
the revised Convention 108.” (HM Government, 2017)

7. GDPR Building Blocks (with Restrictions)
Scope
(Personal
Data
Processing)
DP Principles
• Fair, lawful,
transparent
• Purpose quality
& compatibility
• Information
quality & limits
Legality
• Legal grounds
Sensitive Data
• Categorical
definition
• Default
prohibition
absent waiver
Integrity
• Demo compliance
• Security
• DP by design &
default
• Joint controllers
• Personal data
breaches
• Processor
engagement
• Recording keeping
• DP Officer
• Impact Assessment
• Export Control
Supervision
Transparency &
Control
• Proactive
• Reactive
GDPR Permitted Restrictions: Green = full; Amber = interpretative (see A. 6(4), 9(2)(1)(g), 10 & 23)

8. (UK) GPDR Scope
 International Background:
 Little obvious scope to restrict even under DP Convention
 But Japan has GDPR adequacy with limits based on systematic
organisation etc.
 Main Possible UK Changes:
 Put anonymisation on statutory footing stressing unreasonable time,
effort or resources constraint.
 State identifiability threshold is relative to each controller.
 Verdict: Limited change only.

9. DP Principles & Legality
 International Background:
 DP Convention similar to GDPR but with less specificity especially re:
necessity of processing and purpose compatibility
 Main Possible UK Changes:
 Clarify compatibility: law safeguarding important public interest,
where different controllers & where original ground consent
 Clarify legitimate interests: exhaustive list where no “balancing”
needed; remove “impediments” re AI & democratic engagement
 PECR: Limit/remove consent for cookies & non-commercial marketing
 Verdict: PECR change may be far-reaching; otherwise limited change.

10. Sensitive Data General Prohibition
 International Background:
 DP Convention: Narrower definition; Appropriate safeguards only
 Main Possible UK Changes:
 Limit/remove “substantial public interest” threshold uncertainties
 Secure legal grounds for health data processing in emergency, AI anti-bias
training and testing & democratic engagement of political parties etc.
 Consider new sensitive legal bases
 Verdict: Limited change only


11. Transparency and Control Rights
 International Background:
 DP Convention: Similar structure but much more limited default
 GDPR: may allow for far-reaching case-by-case limits (A 23)
 Main Possible UK Changes:
 Privacy notices: No change except limit recontact for research repurpose
 Subject Access: Nominal fee; disproportionality threshold; cost limit
 AI significant decision-making: Clarity or even remove all further rights
 Verdict:
 Generally quite limited
 But subject access & AI proposals in tension even with DP Convention

12. Integrity Duties
 International Background:
 DP Convention: High-level accountability framework
 GDPR: More detail than on substantive; complex and prescriptive
 Main Possible UK Changes:
 Privacy management programmes to replace impact assessment, prior
consultation, documentation and statutory DP officer requirements
 Breach notification to ICO only when risk “material”
 Data transfers: relax 4-yearly review of adequacy; allow controller
appropriate safeguards; state redress may be judicial only; state repetitive
derogation use okay; exempt “reverse transfers”
 Verdict: Significant change
 However, most proposals in principle within DP Convention

13. (DP Authority) Supervision
 International Background:
 DP Convention: Much looser than GDPR (which de jure is largely
peremptory) but still focus on DPA upholding data subject rights
 Main Possible UK Changes:
 Reestablish ICO as transparent Board; PECR powers to mirror GDPR
 ICO data use, growth, innovation, competition & public safety duties
 Government role & impact assessment re ICO priorities, codes of practice
& (complex) guidance
 Complaints – require process starts with controller first & legal criteria on
when ICO will pursue
 Verdict: Significant changes, squaring with DP Convention questionable
 But de facto ICO upholding of data rights & duties anyway limited.

14. Conclusions
 GDPR (not PECR) proposals evolutionary not revolutionary
 Many of these changes are sensible and clearly within at least
DP Convention framework
 But overall package is tilted to controllers not data subjects
 Entrenchment & acceleration of ICO agenda away from
upholding data rights & duties of particular concern.