Abstract
This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlight several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.
Original language | English |
---|---|
Pages (from-to) | 784-805 |
Number of pages | 22 |
Journal | Computer Law & Security Review |
Volume | 34 |
Issue number | 4 |
Early online date | 28 Jul 2018 |
DOIs | |
Publication status | Published - 1 Aug 2018 |
Keywords
- Data protection
- Electronic identification
- GDPR
- Gov.UK Verify
- Joint controllership
- Legal bases
- RCUK
- EPSRC
- EP/L016117/1