
Innovative Reform Potential in Brexit Data Protection Law
This article explores the missed opportunities for innovative reform in data protection laws post-Brexit, highlighting challenges and new proposals. It discusses the legislative freedom gained by the UK after leaving the EU, failed attempts at passing new Data Protection Bills, and the emergence of the Data Use and Access Bill. The concept of personal data, problematic elements, and the broad standards related to information are also examined.
Presentation Transcript
Brexit and Data Protection Law: A Possible (Missed) Opportunity for Innovative Reform? Dr Henry Pearce, University of Portsmouth, henry.pearce@port.ac.uk
Brexit: The UK left the European Union in January 2020. Newfound legislative freedom for the UK. "we do not need to copy and paste the EU's rule book, the General Data Protection Regulation, word-for-word." (Oliver Dowden MP, Sec of State for Digital, Culture, Media and Sport, March 2021)
A new approach to data protection? Two primary versions of a Data Protection and Digital Information (DPDI) Bill were introduced to the House of Commons by the Conservative government (the first in 2022, the second in 2023). Both were heavily criticised, and ultimately failed to complete legislative passage.
A new approach to data protection? New proposals have recently emerged for a Data Use and Access Bill (DUAB). Whatever happens, personal data will likely remain data protection law's central concept.
Personal data: "any information relating to an identified or identifiable natural person" (Article 4(1) UK GDPR). "the principles of data protection should not apply to anonymous information" (Recital 26 UK GDPR).
Personal data: Several problematic elements: (1) Relating to; (2) Identified or identifiable; (3) Information and data.
Relating to: Information will relate to someone when it is obviously about them (Edem [2014] EWCA Civ 92). Even if information is not obviously about anyone, it will still relate to someone if it is used to evaluate them, treat them in a certain way, influence their behaviour, or in a way that will impact their rights and interests (Nowak (Case C-434/16)).
Relating to: A very broad standard, according to which lots of information that has no obvious relationship to, or connection with, a person could potentially relate to them. E.g., data about general retail patterns in a shop that is used to inform targeted marketing strategies. This creates difficulties for data controllers, which will likely worsen as technology continues to develop.
Relating to: Our everyday lives are increasingly datafied. In smart environments most (if not all) data generated and collected will relate to identifiable people according to the Nowak standard (Purtova (2018)). The processing of personal data will literally be everywhere, ergo data protection law will become the law of everything?
Identified or identifiable: Data protection law operates on a personal/anonymous data dichotomy. Data that cannot be used to identify a person = anonymous data. Case law and regulatory guidance generally establish that a person will be identifiable if they can be distinguished from other members of a group.
Identified or identifiable: Breyer (Case C-582/14): whether someone is identifiable from data will be a matter of context and degree. UK case law seemingly presents a somewhat muddled picture (e.g., Queen Mary University of London v ICO & Alem Mathees EA/2015/0269 cf. NHS v Information Commissioner & Spivack [2021] UKUT 192 (AAC)). When/whether/at which point data become legally anonymous is not entirely clear.
Identified or identifiable: Anonymisation techniques are frequently used by data controllers to anonymise personal data. The failure of commonly-used anonymisation techniques raises questions regarding persisting with a model of data protection based on a personal/anonymous data dichotomy (Ohm (2009)). Nowadays, determining whether anonymisation efforts have been successful can be extremely challenging (Elliot et al (2018)).
Information and data: Generally treated as straightforward interchangeable terms by the courts, no meaningful attempts made to define or disambiguate. Widely recognised in non-legal fields (e.g., philosophy) as being distinct and intricate concepts (Floridi (2005)).
Information and data: The (possible) under-appreciated breadth of these terms could mean personal data encompasses far more than data controllers might commonly assume? Physical objects are increasingly mined for information. Increasingly difficult to justify any distinction between information and data (e.g., derived from medical analyses) and the physical material that constitute their medium (e.g., blood cells/human tissue) (S and Marper v UK [2008] ECHR 1851).
Personal data: A vague, indeterminate, and (possibly) unlimitedly expansive concept? Determining whether/when information will be personal data is becoming an increasingly complicated task. Is this approach sustainable?
Personal data: "The whole world is getting more and more unclear, which is odd, as ordinarily you would expect the introduction of some new law to make things clearer. It seems to me, that as time goes on, we are essentially going in reverse." (Anon.)
Where do we go from here? An information harms-based approach? Data protection rules could be triggered according to the level of potential harm inherent in specific data processing activities regardless of whether data involved were nominally personal.
Where do we go from here? Under such an approach, harm could be expressed as a function of probability and severity. I.e., harm = probability of harm occurring × severity of harm should it occur. Data protection rules could then apply on a sliding scale according to a data processing activity's overall harm level.
Possible severity levels of data harms: Negligible, Limited, Significant, Maximum. Minor annoyances, irritations and inconveniences. Prevention of using a service anonymously. Legal processes becoming unavailable. Major financial losses. Denial of non-essential services. Vulnerable persons being identified. Inability to work. Social embarrassment. Long-term significant health problems. Misappropriation of funds. Moderate financial losses. Damage to property. Moderate stress and anxiety. Permanent injury. Loss of employment. Creation of new data that could be used for adverse purposes. Death. Significant but non-permanent health problems.
Data harms probability/severity matrix
4 | Moderate | High | Very High | Maximum
3 | Low | Moderate | High | Very High
2 | Very Low | Low | Moderate | High
1 | Minimal | Very Low | Low | Moderate
  | 1 | 2 | 3 | 4
Maximum: Processing is strictly prohibited in all but the most exceptional circumstances, where overriding public interest or legal necessity can be demonstrated with extensive justification and prior regulatory approval.
Very High: Processing is prohibited except in highly controlled circumstances, where it is limited to specific, narrowly defined purposes and subject to rigorous legal and regulatory controls, including prior authorisation and continuous monitoring.
High: Processing is prohibited unless the data controller demonstrates strict adherence to enhanced data protection measures, including thorough risk assessments, external audits, and additional safeguards to minimise potential harms.
Moderate: Processing is permitted provided the data controller implements and maintains a comprehensive range of data protection measures, including conducting internal reviews, ensuring transparency, and minimising risks through standard safeguards.
Low: Processing is permissible with the application of a limited range of standard data protection measures, focusing on basic compliance, transparency, and security requirements.
Very Low: Processing is permissible with minor compliance requirements, including basic data management practices and low-level protective measures to address any minimal risks.
Minimal: Processing is permissible with little to no applicable data protection obligations, as the potential for harm is extremely limited or nonexistent.
Possible merits: Greater focus on actual risks and harms. Improved flexibility. Encouragement of responsible data handling. Reduction in over-compliance. Consistency with other relevant regulatory models/approaches (e.g., EU AI Act).
Possible limitations: Difficulties in quantifying harms. Increased complexity. Potential for inconsistently performed risk assessments. Possible blindness to cumulative data effects. Possible compatibility issues with EU GDPR.