Comments on Tene’s quick notes on UK GDPR consultation

On 22 Sept, Omer Tene, Vice-President of the International Association of Privacy Professionals, posted a very useful summary of main points in the UK Government consultation on a “new direction” for data – and data protection – in the UK after Brexit. Below, I reproduce those points with quick comments of my own (marked “DK Comment”), focusing mainly on the implications for data transfers and more in particular for onward transfers of personal data first transferred from the EU/EEA to the UK under the recently adopted EU Commission GDPR adequacy decision on the UK.

Under that decision, personal data may be freely transferred from the EU/EEA to the UK because the EU Commission has held (contrary to the analyses by Ian Brown and me) that the UK post-Brexit data protection law (the UK Data Protection Act and the “UK GDPR”) provide “essentially equivalent” protection to the EU GDPR.

  • Tene: [The UK Government suggested approach] demonstrates one advantage of UK going at it alone – it’s far easier to consider radical change without having to align 28 national governments.

DK Comment: Yes, but it means giving up on “essential equivalence” – and thus in due course (once even the Commission accepts that) – giving up on being held to provide “adequate” protection under the EU GDPR. Is that really an advantage?

  • Tene: It amounts to a wholesale rebuttal of EDPB opinions and guidelines going back years to the days of the 29 WP.

DK Comment: That reinforces my previous remark.

  • Tene: Writing several “legitimate interests” uses into the law, and in these cases doing away with the “balancing test” of Art 6(1)(f).

DK Comment: This would in effect deliberately create bypasses around the more restrictive EU GDPR legal bases for processing of personal data.

  • Tene: Permitting the use of sensitive data in order to monitor against bias and discrimination in AI.

DK Comment: This may be a good idea, provided it is hatched about with serious safeguards – but without such serious safeguards it would undermine the prohibition on the use of sensitive data in fully-automated decision-making (ADM), laid down in the EU GDPR.

  • Tene: Removing Art 22 requirement for “human in the loop” in ADM.

DK Comment: The “human in the loop” requirement in the EU GDPR is already insufficient to protect individuals against unfair and biased automated decisions – removing it will create a serious divergence by the UK from the (in this respect already insufficient) EU protections.

  • Tene: Tightening definitions of ADM and profiling to focus on inferred data (which is often not linkable to an individual).

DK Comment: This is yet another example of how, in a crucial area, the UK is deliberately going to go far below the level of protection accorded by the EU GDPR, here in relation to ADM and profiling (which can cause serious harm to individuals if not properly regulated).

  • Tene: Reformulating the test for anonymization as risk-based and aligning it with the CJEU Breyer decision.

DK Comment: This is not unexpected: the UK Government has stressed it wants to make the use of personal data for research purposes (widely defined to include monetisation) much easier for, e.g., the pharmaceutical industry. It shows that the non-incorporation of the EU GDPR recitals into the UK DPA and UK GDPR has real (for data protection negative) effects: it will allow wide use of (often flimsily) “pseudonymised”/“de-identified” personal data for a wide range of purposes. In effect, under UK law pseudonymised data will be treated like fully anonymised data, i.e., as outside of the scope of the law altogether. A free for all.

  • Tene: Dramatically shifting accountability requirements from formalistic [requirements] (including *removing* the obligations of Art 30 record keeping; appointment of a DPO; and conducting DPIAs!) to substantive (creating scalable privacy management programs).

DK Comment: This would totally undermine the crucial “accountability” principle that is the bedrock of the EU GDPR – and with it, the effectiveness of the law altogether.

  • Tene: Raising the threshold for breach notifications.

DK Comment: This too would seriously undermine the level of actual effective protection in the UK to a level well below the EU.

  • Tene: Permitting companies to charge for DSARs.

DK Comment: Companies can already refuse to respond to vexatious requests. So this would penalise – and certainly strongly discourage – the genuine, proper exercise of crucial data protection rights. As noted in the context of criteria for adequacy, without full and effective data subject rights a third country should not be granted a positive adequacy decision. If this is implemented, it would add yet further arguments for the withdrawal of the UK’s status.

  • Tene: Permitting companies to place analytics (and perhaps additional) cookies without consent.

DK Comment: This would seriously undermine the protection of data and privacy of individuals in the online environment. Presumably, if the UK had remained an EU Member State it would have argued for this in the context of the drafting of the new e-Privacy Regulation. Hopefully this will now not be argued by any major MS in the trilogues.

  • Tene: Greatly expanding the list of adequate countries and focusing on “an assessment of real-world outcomes rather than on a largely textual comparison of another country’s legislation”.

DK Comment: This is the most dangerous proposition of all. It would totally undermine the strong requirements of EU law as forcefully confirmed by the Court of Justice of the EU in Schrems II – and would turn the UK into a personal data laundering haven (as I predicted would happen). If this were to happen, it should be inconceivable that the EU Commission would not take urgent steps to suspend the UK adequacy decision. The main test here will be to see if the UK will declare the USA to provide “adequate” protection in terms of the UK DPA and UK GDPR – that really would be a rocket fired directly at the EU data protection edifice!

  • Tene: In the transfer context, accepting not just judicial but also administrative “redress”.

DK Comment: This would seriously undermine the right to an effective remedy before a “tribunal”, guaranteed by Article 47 of the EU Charter of Fundamental Rights. Another nod in the direction of holding USA to provide “adequate” protection in UK terms.

  • Tene: Allowing repetitive use of Art 49 derogations.

DK Comment: This too would fundamentally undermine the EU data transfer regime set out in Chapter V of the EU GDPR: it would turn the exception clause (which the EDPB has stressed cannot be relied on for regular, repetitive transfers) into the norm – again also contrary to the CJEU Schrems II judgment (which the UK has undertaken to comply with!)

  • Tene: Requiring the ICO to consider not just DP but also “economic growth and innovation” and competition.

DK Comment: The ICO was always weak (and intended to be weak). Now it will become a facilitator to the exploitation of personal data.

Many thanks, Omer, for this good short summary! I hope you find my comments of use.