University of Hertfordshire

From the same journal

  • Sophie Stalla-Bourdillon
  • Henry Pearce
  • Niko Tsakalakis
View graph of relations
Original languageEnglish
Number of pages22
Pages (from-to)784-805
JournalComputer Law & Security Review
Journal publication date1 Aug 2018
Early online date28 Jun 2018
Publication statusPublished - 1 Aug 2018


This article offers an interdisciplinary analysis of the General Data Protection Regulation (GDPR) in the context of electronic identification schemes. Gov.UK Verify, the UK Government's electronic identification scheme, and its compatibility with some important aspects of EU data protection law are reviewed. An in-depth examination of Gov.UK Verify's architecture and the most significant constituent elements of both the Data Protection Directive and the imminent GDPR – notably the legitimising grounds for the processing of personal data and the doctrine of joint controllership – highlight several flaws inherent in the Gov.UK Verify's development and mode of operation. This article advances the argument that Gov.UK Verify is incompatible with some major substantive provisions of the EU Data Protection Framework. It also provides some general insight as to how to interpret the requirement of a legitimate legal basis and the doctrine of joint controllership. It ultimately suggests that the choice of the appropriate legal basis should depend upon a holistic approach to the relationship between the actors involved in the processing activities.

ID: 14509611