Dr Nóra Ní Loideain reviews a long awaited new edition of a seminal text on data protection
This long-awaited latest edition was published in December 2020. Delays to its hardback publication, and indeed this book review, are therefore of course all the fault of the pandemic.
Data Protection Law and Practice is a text written for legal practitioners by legal practitioners. That said, the lead author Rosemary Jay and other contributing authors make their analysis in this comprehensive reference guide insightful and accessible to a broader audience thanks to the clear and understandable writing style found throughout all twenty-nine chapters. Keeping up with the relentless pace of change in the legislation and case law of UK data protection law is no mean feat over an eventful eight years since the fourth edition’s publication in 2012. This being a landmark period for UK data protection law encompassing the enactment the GDPR and the Law Enforcement Directive (LED), their domestic implementation via the UK Data Protection Act 2018, and all major policy developments leading up to the UK’s official exit from the EU in January 2021.
This fifth edition also stands on the shoulders of its 2017 precursor Guide to the GDPR: A Companion to Data Protection Law and Practice. In doing so, it effectively builds on and incorporates into the UK data protection legal landscape the latter comprehensive guide to the overall EU data protection law reform package. Accordingly, new to the fifth edition are chapters, and some new contributors, dealing with notable reforms and new explicit principles and requirements introduced by the GDPR. These include new chapters on Processors (Louise Townsend), Subject Access and Data Portability (Ellis Parry), Transparency and Notice (Anita Bapat), and Accountability (Bridget Treacy). What will also be welcomed by practitioners no doubt is the revised chapter on Overseas Transfers (William Malcolm) which sets out the findings and broader implications of the CJEU’s 2020 landmark judgment in Schrems II for data transfers between the EU and third countries and particularly the post-Brexit transfer regime.
An unfortunate gap from the fifth edition is its previous detailed chapter on Data Retention which navigated the increasingly complex UK legislative and policymaking framework concerning the interception, retention, and access to communications data for the purposes of law enforcement and safeguarding national security. Some discussion of the communications data provisions in relation to the e-Privacy Directive (2002/58/EC) and Investigatory Powers Act 2016 is provided in the chapter on the PECR 2003 and The Investigatory Powers (Interception by Businesses etc for Monitoring and Record Keeping Purposes) Regulations 2018. Readers seeking further detailed analysis of this intricate and evolving area of UK law are (rightly) directed to relevant chapters in Graham Smith, Internet Law and Regulation (Sweet & Maxwell 2019).
Also missing is a detailed assessment of the long-awaited Adequacy Decisions granted to the UK in relation to the GDPR and the LED, and notably the extent to which these decisions may be vulnerable to being struck down by the CJEU for not meeting the standard of ‘essential equivalence’ in light of bulk data retention case law such as La Quadrature du Net. Of course, this omission is beyond the fault of the authors as these decisions only came into force post-publication in June 2021 thus demonstrating the ever rapidly evolving landscape of data protection law and policymaking within both the UK and the EU. Another significant set of developments to also be addressed in the future sixth edition will no doubt be the vast array of reforms to the Data Protection Act 2018 that may soon be coming down the line if the bulk of proposals as currently put forward by the government in the 2021 DCMS Consultation Paper, Data: a new direction, are adopted. Indeed, this would likely require for instance an entire rewrite of the chapter concerning The Role of Powers of the Information Commissioner.
Nevertheless, the fifth edition of this text remains an impressive and comprehensive update of an invaluable resource for any practitioners, policymakers, or scholars whose work concerns UK data protection law.
Dr Nóra Ní Loideain is Director of the Information Law & Policy Centre within the University of London’s Institute of Advanced Legal Studies. Her research focuses on human rights and technology, particularly within the contexts of privacy and data protection, AI and gender, law enforcement and national security in EU and ECHR law.
ABOUT THE BOOK
Data Protection Law and Practice