Considerable column inches have been written over “Data, a new direction”, the UK Government’s title for its “tweaking” of the existing UK-GDPR provisions within the 2018 Data Protection Act. The context of the proposed changes was outlined in a response to the consultation, and numerous commentators have tried to read into the intentions of the lawmakers.
Many commentators have missed the important context of the intention of lawmakers in every single Data Protection Act since 1984, and this proposal.
My research into the passage of the 1984, 1988, and 2018 Data Protection Acts (hereafter known as the Acts) demonstrates that the UK government was only signed up to introducing legislation that met the minimum criteria for implementing the various European Council and EU directives and regulations. Successive sponsoring ministers in the 1980s and 1990s echoed these sentiments. 1
For example, in response to the 1995 EU Directive, the government proposed, in its own white paper 2 on the enabling legislation for the 1998 Data Protection Act:
The 1984 Data Protection Act met the needs of the Directive and went further by saying ‘that those provisions are sufficient…. over-elaborate data protection threatens competitiveness and does not bring additional benefits for individuals. It follows that the Government intends to go no further in implementing the Directive than is absolutely necessary.’
To understand the context of the current proposals, you need to take into account successive governments’ ambivalence to EU law and note the speed and haste of the 2018 Data Protection Act.
The 2018 Act was, in essence, forced through quickly to meet the GDPR and the EU Law Enforcement Directive implementation deadline of 25th May 2018. The UK at the time was a member of the EU and required enabling legislation to address the EU Directive on Law Enforcement, as well as to enshrine its own, allowable, variations to GDPR. GDPR did not need legislation to enact it in the UK, as the UK was still a member of the EU, but political expediency suggested that a UK Data Protection Act 2018 would allow domestic law changes at some later point, and also go a considerable way to supporting an adequacy agreement on withdrawal.
The consistency of ministers in addressing the “minimum and burden issue” was evident in the last sponsoring minister – Matt Hancock in 2016. The intention of the lawmakers is a balance between statutory obligations and individual rights 3, or do as little as possible to make this law!
So what does the context tell us about the new proposals in the Government’s proposed legislation?
One clear fact is that there is consistency in the proposal’s message: that the “burden” on controllers has shifted towards data subjects. To an extent, the GDPR puts an unnecessary burden on controllers. However, the proposal then contradicts itself, because the proposed legislation still requires a “burden”. An example is replacing Data Protection Impact Assessments with a risk-based approach: is that not what impact assessments are?
The second clear point is that, for the fourth time in forty years, the UK government is attempting to redress legislation that was derived elsewhere than London, and the main driver is that this legislation has created a compliance burden imposed upon UK organisations from some other place.
The third point is that the 2018 Data Protection Act was in essence a “lift and shift” of the EU-GDPR to meet political and legislative timescales, and that the usual variations that lawmakers in the UK have consistently applied to legislation not made in London could not be addressed. The last two points could be read as political motivations to effect change; though there is no evidence from my research to support this motive, a lay reader could draw that conclusion.
On reading the proposals, I have enough experience in the formation of policy, the legislative process, and the passage and adoption of the law to know that the Act will look different from the proposal in the consultation. There are some observations that the law will only apply to personal data processed in the UK, and the minute you process personal data outside the UK, say in Berlin, Madrid, Paris, or Rome, then EU-GDPR will apply, and in other countries outside the EU, compliance with local laws will be required. This development of different parallel compliance programmes, one for the UK, one for the EU countries, and others for elsewhere, will for many organisations quixotically increase the burden, not reduce it!
Time will tell!
Keep attacking.
References:
1. Full list and Council Europe, ‘Details Of Treaty No.108 Convention For The Protection Of Individuals With Regard To Automatic Processing Of Personal Data’ (European Council Treaty Office, 1981), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, General Data Protection Regulation [2016] OJ 2 119/33.
2. Consultation Paper on the EC Data Protection Directive, Home Office, (1995) Dep 3s 3059 s.1.2
3. Matt Hancock, Sec of State at DCMS., 2021. EU Data Protection Rules – Monday 12 December 2016 – Hansard – UK Parliament. [online] Hansard.parliament.uk. Available at: <https://hansard.parliament.uk/Commons/2016-12-12/debates/6EB0C615-2571-4B26-A75B-8CD1CF5FD854/EUDataProtectionRules> [Accessed 9 May 2021].