UK GDPR reforms a “blunt instrument” with cross-border consequences

UK GDPR reforms a “blunt instrument” with cross-border consequences


International Employment Lawyer

“The biggest problem that employers face when dealing with DSARs is that the requests can be extremely broad and time-consuming for organisations to deal with, as well as taking up a significant amount of resources,” said GQ|Littler partner Darren Isaacs and senior associate Deborah Margolis.

“Because the current regime defines personal data so broadly, and there is no real limit on the data that has to be produced in response to a DSAR, employers end up having to trawl through vast amounts of data, often on trivial matters or which is only of a historic – if any – interest.”

Although a fee regime may reduce the number of vexatious or spurious claims, Isaacs and Margolis said they were sceptical that any fee would be proportionate to the amount of work an employer would undertake and was still unlikely to deter well-funded litigants.

“A fee regime is likely to be a blunt instrument and the government would be better off taking the opportunity to ensure any response that employers are required to provide is proportionate,” they said. “For example, by excluding data sources older than a particular window of time or not including data which is of a purely historic nature and unlikely to have any impact on the individual.”

There are also some problematic practical aspects to introducing charges, they added: “If the fee is to be calculated by reference to the number of hours of search time, or the volume of results, then that would mean an employer has to undertake the search before setting the fee, which may then be a complete waste of time if the employee does not want to pay.”

International data transfer

While the government hopes the removal of article 22 would free innovative British businesses from EU red tape, the impact of a divergent data protection regime from the rest of Europe could increase the administrative burden on multinationals.

In June 2021, the European Commission granted the UK an adequacy decision, according to which the UK is assessed as applying a high level of protection to individuals’ data, and which permits the free flow of data from Europe.

“When the EU granted the UK this status it warned that this was subject to close monitoring and would need to be reviewed if the UK moved away from GDPR. There is a risk that the more the UK government waters down the UK GDPR to reduce perceived red tape, the more the EU will be likely to view the UK’s data privacy regime as providing inadequate protection to EU residents,” explained Isaacs and Margolis.

“If the European Commission decides to revoke this decision – which it warned it might do if it considered that the UK’s standards of data protection dropped – this would mean data transfer documents would be required by businesses for transfers of data from Europe to the UK.”

“The biggest challenge is likely to be the desire for most global employers to have a consistent approach to the use of technology across geographies,” observed Mendel. “Organisations that want to use entirely automated algorithms to filter candidates for recruitment, for example, will still need to carefully consider whether their approach complies with local law across multiple countries.”

Read the full article here.