Considerable column inches have been written over “Data, a new direction”, the UK
Government’s title of their “tweaking” of the existing UK-GDPR provisions within the 2018
Data Protection Act. The context of the proposed changes were outlined in a response to
the consultation, and numerous commentators have tried to read into the intentions of the
Many commentators have missed the important context of the intention of law makers in
every single Data Protection Act since 1984, and this proposal. My research into the
passage of the 1984, 1988, and 2018 Data Protection Acts (hereafter known as the Acts)
demonstrate that the UK government were only signed to introducing legislation that met the minimum criteria for implementing the various European Council and EU directives, and
regulations. 1 Successive sponsoring ministers in the 1980’s, and 1990’s, echoed these sentiments. An example being in response to the 1995 EU Directive the government
proposed, in its own white paper 2 on the enabling legislation for the 1998 Data Protection
The 1984 Data Protection Act met the needs of the Directive and went further by
saying ‘that those provisions are sufficient…. over-elaborate data protection
threatens competitiveness and does not bring additional benefits to for individuals.
It follows that the Government intends to go no further in implementing the
Directive than is absolutely necessity.
To understand the context of current proposals you need to take account of successive
government ambivalence to EU law and note the speed and haste of the 2018 Data
Protection Act. The 2018 Act, which was in essence, forced through quickly to meet the
GDPR and the EU Law enforcement directive implementation deadline of 25 th May 2018. The UK at the time was a member of the EU and required enabling legislation to address the
EU Directive on Law Enforcement, as well the UK enshrining its own, allowable, variations to
GDPR. GDPR did not need legislation to enact it in the UK, as the UK was still a member of
the EU, but political expediency suggested that a UK Data Protection Act 2018 would allow
domestic law changes at some later point, and also go a considerable way to supporting an
adequacy agreement on withdrawal. The consistency of ministers in addressing the
“minimum and burden issue” was evident in the last sponsoring minister – Matt Hancock in
2016. The intention of the law makers is a balance between statutory obligations and
individual rights 3 , or do as little as possible to make this law!
So what does the context tell us about the new proposals in the governments proposed
legislation? One clear fact is that there is consistency in the proposals message; that the
“burden” on controllers has shifted towards data subjects. To an extent the GDPR puts an
unnecessary burden on controllers. However, this then contradicts itself when considering
that the proposed legislation still requires a “burden” an example being; replacing Data
Protection Impact Assessments with a risk-based approach, is that not what Impact
The second clear point is that for the fourth time in forty years the UK government are
attempting to redress legislation that was derived elsewhere than London, and the main
driver being that that legislation has driven a compliance burden imposed upon UK
organisations in some other place.
The third point is the 2018 Data Protection Act was in essence a “lift and shift” of the EU-
GDPR to meet political and legislative timescales, and that the usual variations that law
makers in the UK have consistently applied, to legislation not made in London, could not be
addressed. The last two points could be addressed as political motivations to effect change,
though there is not evidence to support this motive from my research a lay reader could
draw that conclusion.
On reading the proposals I have enough experience of the formation of policy, the
legislative process, and passage of adoption of law, to know that the Act will look differently
from the proposal in the consultation. There are some observations that the law will only
apply to personal data processed in the UK, and the minute you process personal outside
the UK to say Berlin, Madrid, Paris, and Rome, then EU-GDPR will apply, and other countries
outside the EU compliance will be required to meet local laws. This developing of different
parallel compliance programmes, one for the UK, one for the EU Countries, and others for
elsewhere, for many organisations will quixotically increases the burden, not reduce it!
Time will tell!
1 Full list and Council Europe, ‘Details Of Treaty No.108 Convention For The Protection Of Individuals With
Regard To Automatic Processing Of Personal Data’ (European Council Treaty Office, 1981), Directive 95/46/EC
of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard
to the processing of personal data and on the free movement of such data, General Data Protection
Regulation  OJ 2 119/33.
2 Consultation Paper on the EC Data Protection Directive, Home Office, (1995) Dep 3s 3059 s.1.2
3 Matt Hancock, Sec of State at DCMS., 2021. EU Data Protection Rules – Monday 12 December 2016 – Hansard
– UK Parliament. [online] Hansard.parliament.uk. Available at:
8CD1CF5FD854/EUDataProtectionRules> [Accessed 9 May 2021].