Both the IAPP and the Open Rights Group are predicting or pre-empting a new data protection law for the UK. The IAPP preview it here, but mainly repeat the Government’s puffs. The Open Rights Group take a more detailed and critical view.
I have summarised the ORG criticisms as; they expect the new law to removes, the right to consultation on “high-risk” data processing changes, it will permit the easier rejection of DSARs, the weakening of the purpose limitation rules, and weakens the control/prohibition of international data transfers. It is also expected to give itself the powers to instruct the ICO, presumably in a similar way to the powers they have taken to instruct the electoral commission.
Article 51 of the GDPR requires that the data protection supervisory body is independent,
1. Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).
The IAPP note that these reforms may impact on the status and review of the EU’s Adequacy decision, which uniquely has a sunset clause, in June 2025. The other threat might be the…
