Overview of Data Protection Regulations and Compliance Framework
Professor David Erdos from the Faculty of Law at the University of Cambridge provides a comprehensive overview of the formal framework, GDPR/PECR demarcation, timeline of key events, GDPR fines, ICO analysis, and cross-cutting analysis regarding data protection regulations, compliance, and enforcement in the UK. The content covers the application of regulations, key provisions, enforcement mechanisms, fines, and notable observations on regulatory approaches and stakeholder engagements.
Presentation Transcript
Professor David Erdos Faculty of Law University of Cambridge
Overview
1. Formal Framework
2. ICO, Tribunal & Parliamentary Actions
3. DPDI Bill Proposals
4. Possible Ways Forward
Timeline
- May 2018: General DP Regulation 2016/679 and DP Act 2018 apply; Privacy & Elec Comms Regs (PECR) supervision system unchanged.
- Jan 2021: End of Brexit Implementation Period. EU GDPR One-Stop-Shop ceases to apply to UK. UK GDPR.
- Jan 2022: DP & Digital Information Bill published.
Overview: GDPR/PECR Demarcation
- GDPR: Most (private sector) processing of personal data
- PECR: Rules on (i) electronic direct marketing and (ii) confidentiality of e-communications, including re cookies
Key Commonalities:
- Requests for ICO Action
- Information Notices
- Enforcement Notices
- Fines for Breach
Key UK GDPR additions:
- Requests are Complaints
- Assessment Notices etc.
- Enforcement Obligatory
- Fines are Significant
- Some criminal offences
GDPR Fines: 17.5M/4% & 8.7M/2% (A. 83)
Diagram labels (slide graphic, flattened): Discipline; Demo compliance; Sensitive Data; Criminal data; Other data; DP Principles; Fair, lawful, transparent; Transparency & Control; Security; Proactive Direct; DP by design & default; Purpose quality & limits; Information quality & limits; Integrity & confidentiality; Legitimation; Legitimating Criteria; Proactive Indirect; Joint controllers; Retroactive; Personal data breaches; Control Rights; Processor engagement; Record keeping; DP Officer; Personal Data Processing Impact Assess; Export Control
ICO must impose effective, proportionate & dissuasive fines.
ICO: 5 Year Analysis (2018-23)
Annual Report Numbers:

Year   | DP Fines (at 2022)        | DP Notices | PECR Fines (at 2022) | Income (at 2022)
-------|---------------------------|------------|----------------------|-----------------
18/19  | 22 (3.5M)                 | 0          | 23                   | 46M
19/20  | 15                        | 2          | 7 (2.6M)             | 56.1M
20/21  | 3 (44.4M)                 | 1          | 35                   | 59.8M
21/22  | 4 (0.2M)                  | 0          | 33 (3.2M)            | 67.4M
22/23  | 2 or 3 (7.6M or 13.4M)    | 1          | 19 (1.88M)           | 67.4M

Cross-Cutting Analysis:
- Complaints Average: GDPR/DP 37,279; PECR 109,254
- 2019/20 Report stated c. 75% budget on proactive engagement
- Asserted great impact to soft approach, e.g. California 2020 visit: "The reception was universally warm and welcoming and helped us build strong relationships with key stakeholders. The UK's brand of pragmatic and proportionate regulation was widely praised by businesses and lawmakers, as was our willingness to find new regulatory solutions to problems."
DP Scrutiny Record: Tribunal & Parliament
Individual Scrutiny by Tribunal: Order to Progress Complaints remedy ruled non-substantive:
"The Commissioner is the expert regulator. She is in the best position to consider the merits of a complaint and to reach a conclusion as to its outcome. In so far as the Commissioner's judgments would not and cannot be matched by expertise in the Tribunal, it is readily comprehensible that Parliament has not provided a remedy in the Tribunal in relation to the merits of complaints." (Upper Tribunal in Killock, Veale et al., 2021)
Holistic Scrutiny by Parliamentary Committees: No systematic scrutiny of ICO track-record at all.
"[I]n practice [the DCMS] committee has been focused on newsworthy campaigns that accord with the particular interests of members, rather than more prosaic scrutiny of the ICO's performance against its statutory functions and own stated objectives." (Heuston & Tumbridge, 2020)
DPDI Bill: Decentering DP Supervision?
Structural Changes:
- ICO to be reestablished as a Board.
- ICO's PECR powers to be brought into line with GDPR.
Objectives and Priorities:
- New public trust, innovation, competition, crime, security duties.
- SoS to set out Strategic Priorities; ICO must have regard to these.
Complaints and Scrutiny:
- Complaints: No need to act where vexatious or where controller has not had 45 days to act; must be guidance & right of appeal before Tribunal.
- (Wider) Scrutiny: Must publish forward-looking strategy, Key Performance Indicators and annual regulatory action report.
DP Enforcement: New Ideas
Improving Individual Scrutiny:
- Require Tribunal to oversee appropriateness of ICO's substantive response, at least as regards public interest complaints.
- Enable NGOs to bring such complaints without specific mandate.
Improving Holistic Scrutiny:
- Require EHRC to periodically scrutinize ICO from a rights viewpoint.
- Report to be published & sent to scrutinizing Select Committee, as well as Parliament generally and also Government.