How 'flexible' can the UK actually be on EU data protection law? If EU member states can, by law, exercise legislative “flexibility” when implementing 50+ Articles of the General Data Protection Regulation (GDPR), how can the regulation ever become harmonised across European Union? Pose this important question another way: given that the UK government intends to use legislative flexibility …
We saw yesterday how petty this government can be in its dealings with regulators. Realistically any new Information Commissioner is going to have to tread carefully.
Shame the UK government intends to neuter the directive. Even worse if it gets stuck as a political "everything from the EU is bad" football.
"Provisions that allow Member States law to modify the GDPR provision can be found in the following Articles: 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, 90."
... it was the Hitch-Hiker's Guide to the Galaxy's index entry for "sex". Perhaps they want data protection to get fucked?
Going through the courts would be the last resort. But the idea is that the Schrems judgement has set a precedent that gives the EPDB exactly these powers. As a result courts are likely to side with the EPDB all the way up the chain making it pretty pointless for member states to challenge the EPDB over this.
Cue groans of "Brussels bureaucrats stopping the UK government from watering down data privacy…" It could, of course, be argued that defending privacy is a key part of asserting sovereignty: safe harbour being struck down because it was unacceptable transfer of sovereignty. But, surely, no UK government would ever trade away sovereignty?
"But the idea is that the Schrems judgement has set a precedent that gives the EPDB exactly these powers. As a result courts are likely to side with the EPDB all the way up the chain making it pretty pointless for member states to challenge the EPDB over this."
What the article has to say about it is: "Decisions based on that Guidance can be challenged by another concerned supervisory authority and if there is such a challenge, the matter can go to the European Data Protection Board (EDPB)."
What's the situation if HMG waters down implementation to an unacceptable degree but the ICO does nothing about it. My reading that sentence implies that the EDPB would only get involved if another regulator complained. I suppose that might happen if a citizen of another country were dealing with a UK-based data controller. If, however, it was a UK citizen dealing with a UK data controller and the ICO wouldn't act then unless they could appeal direct to the EDPB there appears to be no other route than the court.
You can bet your bottom Euro that initial implementation by the UK will almost certainly not be compatible with all requirements of the GDPR.
This will end up at the ECJ, referred by the EDPB, probably sometime around 2020.
Also can't see the ICO doing anything to upset their paymasters, look what's happened to the FCA...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
