Dr David Erdos
Faculty of Law
University of Cambridge
Pathway to the Proposals
• 31 January 2020: UK leaves EU; enters implementation period
• 31 December 2020: EU-UK Trade & Cooperation Agreement; start of a bridging period of up to six months for personal data transfers
• 1 January 2021: UK mirrors EU secondary DP law & data adequacy agreements; full adequacy to EEA & Switzerland
• 28 June 2021: EU grants UK full adequacy (excluding data subject to “immigration exception”)
• 10 September 2021: Data: A New Direction consultation start
Directions of Change
• Promote innovation
• Reduce burdens
• Boost trade
• Improve public services
• Reform ICO regulation
Change: How Radical?
• Controllers would gain more legal flexibility (& certainty)
• Data subjects: fewer legal rights to challenge
• ICO less legally focused on data rights & duties
• Most substantive changes could be a plausible implementation of GDPR
• Integrity duty changes well within Council of Europe DP Convention 108+
• De facto ICO upholding of data rights & duties limited
“The UK’s data protection standards will remain fully aligned with the revised Convention 108.” (HM Government, 2017)
GDPR Building Blocks (with Restrictions)
Scope (Personal Data Processing)
DP Principles
• Fair, lawful, transparent
• Purpose quality & compatibility
• Information quality & limits
Legality
• Legal grounds
Sensitive Data
• Categorical definition
• Default prohibition absent waiver
Integrity
• Demonstrable compliance
• Security
• DP by design & default
• Joint controllers
• Personal data breaches
• Processor engagement
• Record keeping
• DP Officer
• Impact Assessment
• Export Control
Supervision
Transparency & Control
• Proactive
• Reactive
GDPR Permitted Restrictions (colour-coded on the original slide): Green = full; Amber = interpretative (see Arts. 6(4), 9(2)(g), 10 & 23)
(UK) GDPR Scope
• International Background:
  - Little obvious scope to restrict even under DP Convention
  - But Japan has GDPR adequacy with limits based on systematic organisation etc.
• Main Possible UK Changes:
  - Put anonymisation on a statutory footing stressing the unreasonable time, effort or resources constraint.
  - State that the identifiability threshold is relative to each controller.
• Verdict: Limited change only.
DP Principles & Legality
• International Background:
  - DP Convention similar to GDPR but with less specificity, especially re: necessity of processing and purpose compatibility
• Main Possible UK Changes:
  - Clarify compatibility: law safeguarding important public interest, where different controllers & where original ground was consent
  - Clarify legitimate interests: exhaustive list where no “balancing” needed; remove “impediments” re AI & democratic engagement
  - PECR: Limit/remove consent for cookies & non-commercial marketing
• Verdict: PECR change may be far-reaching; otherwise limited change.
Sensitive Data General Prohibition
• International Background:
  - DP Convention: Narrower definition; appropriate safeguards only
• Main Possible UK Changes:
  - Limit/remove “substantial public interest” threshold uncertainties
  - Secure legal grounds for health data processing in emergency, AI anti-bias training and testing & democratic engagement of political parties etc.
  - Consider new sensitive legal bases
• Verdict: Limited change only
Transparency and Control Rights
• International Background:
  - DP Convention: Similar structure but much more limited default
  - GDPR: may allow for far-reaching case-by-case limits (A 23)
• Main Possible UK Changes:
  - Privacy notices: No change except limit recontact for research repurposing
  - Subject Access: Nominal fee; disproportionality threshold; cost limit
  - AI significant decision-making: Clarify or even remove all further rights
• Verdict:
  - Generally quite limited
  - But subject access & AI proposals in tension even with DP Convention
Integrity Duties
• International Background:
  - DP Convention: High-level accountability framework
  - GDPR: More detail here than on the substantive provisions; complex and prescriptive
• Main Possible UK Changes:
  - Privacy management programmes to replace impact assessment, prior consultation, documentation and statutory DP officer requirements
  - Breach notification to ICO only when risk is “material”
  - Data transfers: relax 4-yearly review of adequacy; allow controller appropriate safeguards; state redress may be judicial only; state repetitive derogation use okay; exempt “reverse transfers”
• Verdict: Significant change
  - However, most proposals in principle within DP Convention
(DP Authority) Supervision
• International Background:
  - DP Convention: Much looser than GDPR (which de jure is largely peremptory) but still focused on DPA upholding data subject rights
• Main Possible UK Changes:
  - Re-establish ICO as a transparent Board; PECR powers to mirror GDPR
  - ICO data use, growth, innovation, competition & public safety duties
  - Government role & impact assessment re ICO priorities, codes of practice & (complex) guidance
  - Complaints: require process to start with controller first & legal criteria on when ICO will pursue
• Verdict: Significant changes; squaring with DP Convention questionable
  - But de facto ICO upholding of data rights & duties anyway limited.
Conclusions
• GDPR (not PECR) proposals evolutionary not revolutionary
• Many of these changes are sensible and clearly within at least the DP Convention framework
• But overall package is tilted to controllers, not data subjects
• Entrenchment & acceleration of ICO agenda away from upholding data rights & duties of particular concern.

UK GDPR: What New Direction?