The Justice Select Committee's report states that the system proposed in the draft Regulation 'cannot work', is 'a regime which no-one will pay for' and which will not produce a 'proportionate, practicable, affordable or effective system of data protection in the EU'.
It gets worse, as the Committee concluded that 'the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive…'.
There is (thankfully, for those that drafted the Regulation at least) some good news, as the Committee agreed that data protection laws across Europe require harmonisation (in order to simplify things for those who do business in different member states, often having to adopt different practices as regards data protection compliance in different member states under the current regime). It also concluded that the timing was right to review and revise data protection laws, both because of advances in digital technology (in particular, the use of social media) and in order to recognise the fundamental rights of individuals.
The Justice Select Committee's report also found that:
- The processes and procedures in the proposed Regulation are too prescriptive and don't provide sufficient flexibility or discretion for organisations who hold personal data (or data protection regulators).
- The proposals should focus on those elements that are required to achieve the Commission’s objectives (i.e. harmonisation and amplifying the rights of individuals to guard against the potential risks posed by use of new technologies).
- Certain rights of individuals envisaged by the Regulation are necessary (e.g. those which increase individuals' rights regarding access, rectification and erasure of their data together with the right to object to profiling), albeit some of these rights require further modification in order that they are realistic and workable in practice.
- The 'right to be forgotten' should be qualified/clarified to avoid the perception that this will amount to total erasure of all data relating to an individual in all circumstances.
- The right of individuals to request and receive personal data should not be subject to a fee.
- The requirement for data protection officers should not be determined by number of employees but by the nature of a data controller's business and the sensitivity of data which it holds (e.g. a large business which doesn't utilise individual data in a dynamic way should not have a greater regulatory burden than a small business which interrogates and uses data in an aggressive/potentially intrusive way).
- Local regulators/law-makers should have greater discretion than is envisaged by the Regulation (which is interesting given the Committee's focus on the importance of harmonisation and the issues which have been created by data protection laws having been implemented and interpreted differently in each member state).
- Businesses will benefit from the key driver - to harmonise data protection laws across member states (see above!).
So, yet another set of views to add to the myriad of existing views which have been expressed to date by businesses, organisations, regulators, government agencies and civil liberties groups. The report is a useful barometer and a helpful follow-up to the conclusions reached by the MoJ following its call for evidence on the Regulation in the summer.
Whilst it seems likely that the Regulation will ultimately proceed in something like its current form, our view is that there are likely to be various qualifications and concessions along the path to finalising the Regulation as national governments continue to lobby in response to the hostile reaction which the Regulation has generated, particularly from the business community. To this end, the Committee noted in its report that the UK government and the ICO believe that any issues with the draft Regulation can be resolved through negotiation.
Those of you familiar with our blog will have seen that in the past week, there has been a suggestion that the Regulation may see some concessions (in particular for SMEs). Whilst this may encourage businesses to take a 'wait and see' approach, our view, in light of the significant number of fundamental changes which the Regulation seeks to introduce (even if these are ultimately qualified) and the risk profile which the Regulation will create, is that it remains advisable to consider the potential impact of the changes for your organisation now (and this goes for data processors as well as data controllers).
This information is intended as a general discussion surrounding the topics covered and is for guidance purposes only. It does not constitute legal advice and should not be regarded as a substitute for taking legal advice. DWF is not responsible for any activity undertaken based on this information.