There’s no doubt that the EU’s legal framework for data protection needs modernising in the face of increasingly sophisticated information systems, global information networks, mass information sharing, the ever-growing online collection of personal data and the increasing feeling of individuals that they have lost control of their personal information. The proposal seeks to address these needs.
In response to the plans put forward, Information Commissioner Christopher Graham has called for:
- an effective new data protection framework that’s overarching, clear in scope and easy to understand and apply
- clear, effective rights for individuals with simple, low-cost means of exercising them
- clear responsibility and accountability placed on those processing personal data throughout the information life cycle
- obligations to be focused on processing that poses genuine risks to individuals or society
- data protection authorities that are independent with a clear role, effective powers and flexibility
“The European Commission’s proposal goes a long way towards satisfying these requirements,” stated Graham. “In particular it strengthens the position of individuals, recognises important concepts such as privacy by design and privacy impact assessments and requires organisations to be able to demonstrate that they have measures in place to ensure personal information is properly protected.”
However, Graham went on to comment: “While recognising that there is inevitably some tension between the drive for harmonisation of data protection standards across the European Union and a desire for flexibility in focusing obligations on processing that poses genuine risks, I believe that in a number of areas the proposal is unnecessarily and unhelpfully over-prescriptive. This poses challenges for its practical application and risks developing a ‘tick box’ approach to data protection compliance.”
As far as Graham’s concerned, the proposal also fails to properly recognise the reality of international transfers of personal data in today’s globalised world and misses the opportunity to adjust the European regulatory approach accordingly.
Elements of the proposals welcomed by the ICO
Elements of the proposals that the Information Commissioner particularly welcomes include:
- strengthening of provisions relating to consent so that when an individual’s consent is relied on for processing personal data it is genuine consent
- making the right to object meaningful by shifting the requirement from one where the individual has to demonstrate compelling legitimate grounds for deletion to one where the controller has to demonstrate compelling legitimate grounds for retention
- introducing the right to data portability enabling individuals to obtain a copy of data held about them in a reusable, electronic format
- placing important legal obligations directly on to processors
- introducing a compulsory data breach notification duty that applies across all sectors (albeit that the Commissioner considers this should be restricted to serious breaches only)
- giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers
- encouraging incentives for data protection compliance in the form of certification mechanisms and data protection seals and marks
- strengthening the powers of data protection authorities including comprehensive investigative powers
Areas demanding further consideration
Those eements of the proposals which the Commissioner believes require further thought include:
- retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed
- requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers
- extending the scope of data protection obligations to any processing that’s directed at individuals residing within the EU without any clear indication of how the regulation’s requirements can be readily enforced outside the EU
- restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens
The Information Commissioner has also examined the European Commission’s separate proposal for a new directive applying to the processing of personal data by law enforcement authorities.
Graham is concerned that, in an area where the processing of personal data can have a particularly adverse impact on individuals, the Commission’s proposals are much less ambitious.
He believes a high level of data protection that – as is the case with the current UK Data Protection Act – is equally applicable across all sectors is required, and hopes that these provisions will be strengthened as negotiations progress.
This is the Information Commissioner’s first but nevertheless informed reaction to the European Commission’s proposals. According to the official statement, he will now be examining the published proposals in detail, contributing to the Article 29 Working Party’s consideration of them and commenting further in due course.p>