This paper analyses the post-Brexit reforms to UK data protection put forward in Data: A New Direction. It is found that they are wide-ranging and significant but generally not radical. The great bulk of the proposed substantive changes to data protection (although not the most far-reaching suggestions concerning either e-privacy or automated decision-making) could be plausibly justified under the restrictions regime set out in the General Data Protection Regulation (GDPR). The reforms to the integrity duties would be deeper and pose some risk of reducing ʻaccountabilityʼ to formalistic theatre even when high risk processing is underway. Nevertheless, in principle their basic structure remains compatible with Data Protection Convention 108+ (DPC+). Proposals to shift the ICO away from a de jure focus on upholding data protection rights are difficult to square even with the DPC+. De facto the ICO is not acting as an effective enforcer of data subject rights even today, but these proposals would entrench and further this troubling reality. This points to a critical problem with the initiative, namely, its lack of balance vis-à-vis the interests of the data subject. A reform package which sought to marry more robust and accountable enforcement for individuals with some liberalisation of the substance and process of data protection would offer a better way forward.
Erdos, David, Assessing UK Data Protection Reform in Transnational Context: What New Direction? (October 12, 2021).