back to article How 'flexible' can the UK actually be on EU data protection law?

If EU member states can, by law, exercise legislative “flexibility” when implementing 50+ Articles of the General Data Protection Regulation (GDPR), how can the regulation ever become harmonised across European Union? Pose this important question another way: given that the UK government intends to use legislative flexibility …

  1. Adam 52 Silver badge

    We saw yesterday how petty this government can be in its dealings with regulators. Realistically any new Information Commissioner is going to have to tread carefully.

    Shame the UK government intends to neuter the directive. Even worse if it gets stuck as a political "everything from the EU is bad" football.

  2. TRT

    The last time I saw a list like this...

    "Provisions that allow Member States law to modify the GDPR provision can be found in the following Articles: 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, 90."

    ... it was the Hitch-Hiker's Guide to the Galaxy's index entry for "sex". Perhaps they want data protection to get fucked?

  3. Doctor Syntax Silver badge

    Procedure

    How can the EDPB get involved in this? Does it have to be through another national regulator or could a citizen dissatisfied with his own regulator's lack of action approach them? Or would the latter, like Schrems, have to go via the ECJ?

    1. Charlie Clark Silver badge

      Re: Procedure

      Going through the courts would be the last resort. But the idea is that the Schrems judgement has set a precedent that gives the EPDB exactly these powers. As a result courts are likely to side with the EPDB all the way up the chain making it pretty pointless for member states to challenge the EPDB over this.

      Cue groans of "Brussels bureaucrats stopping the UK government from watering down data privacy…" It could, of course, be argued that defending privacy is a key part of asserting sovereignty: safe harbour being struck down because it was unacceptable transfer of sovereignty. But, surely, no UK government would ever trade away sovereignty?

      1. Doctor Syntax Silver badge

        Re: Procedure

        "But the idea is that the Schrems judgement has set a precedent that gives the EPDB exactly these powers. As a result courts are likely to side with the EPDB all the way up the chain making it pretty pointless for member states to challenge the EPDB over this."

        What the article has to say about it is: "Decisions based on that Guidance can be challenged by another concerned supervisory authority and if there is such a challenge, the matter can go to the European Data Protection Board (EDPB)."

        What's the situation if HMG waters down implementation to an unacceptable degree but the ICO does nothing about it. My reading that sentence implies that the EDPB would only get involved if another regulator complained. I suppose that might happen if a citizen of another country were dealing with a UK-based data controller. If, however, it was a UK citizen dealing with a UK data controller and the ICO wouldn't act then unless they could appeal direct to the EDPB there appears to be no other route than the court.

  4. Duncan Macdonald
    Thumb Down

    Useless

    The UK government will appoint the members of the UK Supervisory Authority who will proceed to give a green light to whatever the UK government does.

    It will be as useful as the USA's FISC which has not rejected a single spying request.

  5. Bob McBob
    Stop

    Lengthy legal battles on the horizon

    You can bet your bottom Euro that initial implementation by the UK will almost certainly not be compatible with all requirements of the GDPR.

    This will end up at the ECJ, referred by the EDPB, probably sometime around 2020.

    Also can't see the ICO doing anything to upset their paymasters, look what's happened to the FCA...

    1. Charlie Clark Silver badge

      Re: Lengthy legal battles on the horizon

      It might not matter. Schrems is precedent and the UK courts are likely to cite it as they hand out smackdowns. The legal position may then be than the bendiness doesn't apply until the courts approve it.

  6. Wolfclaw
    Big Brother

    How bendy will UK law be? Has anybody asked Google, Facebook, Microsoft, Amazon, Apple a sthey will be writing most of the legislation for that Dave "Muppet" Camoron to order Theresa "Darth Sidious Sister" May to sign off on !

  7. Charlie Clark Silver badge
    Thumb Up

    Good article

    Lots of detail and a clear summary of the issues.

  8. Tomato42
    Joke

    Flexibility?

    given their ability to suck their own jingle bones, I would asses the government's ability to be flexible as "extraordinary"

  9. caljudge6

    The ICO's stance on Data Protection and brexit:

    https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2016/04/statement-on-the-implications-of-brexit-for-data-protection/

    So no, it won't be a 'lite' version of DPA.

  10. Wommit

    Flexible enough to kiss the boots of the organisation(s) shafting us, whilst bend double.

  11. douwekorff

    More details on flexibility provided by EDRi

    European Digital Rights (EDRi) has released a more detailed analysis of the "flexibility" provisions, showing the serious risks to harmonisation. It is available here:

    https://edri.org/files/GDPR_analysis/EDRi_analysis_gdpr_flexibilities.pdf

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like