The document discusses the implications of the UK’s data protection framework post-Brexit, noting that while immediate changes are minor, longer-term divergence from EU regulations is expected. It highlights the UK's commitment to the Council of Europe framework, which is less prescriptive and more pragmatic compared to the EU's GDPR, particularly regarding transparency and special data provisions. As a result, the UK's data protection regime will evolve distinctly, influenced by these foundational differences.

1. Dr David Erdos
Faculty of Law
University of Cambridge

2. Introduction
 S. I. 2019/419 provides for only minor immediate
changes to UK DP in event of even “no deal” Brexit.
 But longer-term will likely see divergence.
 But in addition to seeking adequacy, UK will remain
part of CoE framework including Convention 108+.
 Going to explore what less prescriptive substantive
approach within CoE framework might look like.

3. Article 8 of EU Charter Will Go
 Specific things within Article 8 are high-level & not
controversial: fairness, purpose specification, legal basis,
right of access & rectification.
 But Article 8 gives a special status not just to this but to right
of data protection more generally.
 Special status is bolstered by emphasis Court of Justice
places on DP as a fundamental right.
 None of that is fully replicated in CoE DP or will be
replicated in UK domestically in event of Brexit.

4. Transparency Rules
 Both instruments have proactive & reactive rights here.
 But, Convention 108+ much weaker esp. re: proactive (A. 8):
 Less information ‘mandatory’ (storage period, automated
decision-making, source etc.).
 Explanatory Report seems to see public notice as sufficient.
 Report also seems to imply that if not direct collection then must
be from third party – but what about imputed or public domain?
 Disproportionate effort is also full exemption – no mention of
appropriate protective measures, let alone “making the information
publicly available” (cf. GDPR, art. 14(5)(b)).

5. Special/Sensitive Data: Overview
 Special/sensitive data not mentioned per se in EU Charter.
 But it is a core part of granular law in both EU and CoE.
 However, divergences here could also feed into shift to less
prescriptive, more “pragmatic” approach.
 This is especially apparent as regards the definition of special
data but may also arise as regards type of safeguards.

6. Protection of Criminal-Related Data
 Scope:
 Stringency:
GDPR: “data relating to criminal convictions and offences or related
security measures” (A. 10)
Convention 108+: “data relating to offences, criminal proceedings and
convictions and related security measures.” (A. 6)
GDPR: Control of official authority or law with appropriate safeguards.
Convention 108+: Law with appropriate safeguards.

7. Other Special/Sensitive Data
 Stringency:
 Convention 108+: Law with appropriate safeguards.
 GDPR: General prohibition absent waiver or weighty public
interest & safeguards (A. 9)
 Scope:
 Both adopt categorical approach & only minor differences.
 But Convention 108+ usually also requires sensitive purpose:
 This would even cover super-sensitive areas like health & sex life.
“The processing of: …
- personal data for the information they reveal … shall only be allowed with
appropriate safeguards are enshrined in law.”

8. Discipline Provisions
CoE & GDPR:
Security
Accountability
Export Control
(DPA Breach)
Rules on:
Processor
Joint Control
Export Rules:
“essential
equivalence”
Closed list
Breach Regime:
- DPA
- Subject
- Public
DP Officer
Documentation
Impact Assess.
Prior Consult

9. Conclusions
 In event of Brexit, UK with leave EU Charter and
substantive DP regime will slowly diverge from that of EU.
 UK remains commited not just to ‘adequacy’ but also CoE DP,
which shares common roots and structure with EU DP.
 But CoE less prescriptive & more pragmatic especially re:
 Proactive Transparency
 Discipline provisions
 Special data regime.
 Those differences are likely to impact UK DP in future.