The General Data Protection Regulation is currently being negotiated at EU level following reviews in Member States, including the Ministry of Justice's 'Call for Evidence' in the UK.
The views of the European Parliament, Council of the European Union and the European Commission on the Regulation have been attracting attention over the past couple of weeks and the ICO has now put its current views on the Regulation in writing:
- The Regulation presents us with an opportunity to ensure consistency between data protection laws across Member States (a key objective of the EU in creating the Regulation & a principle that few of us would disagree with as a sensible objective).
- Individuals need greater rights in relation to their personal data and organisations need clearer responsibilities in relation to their collection and use of personal data (also in line with the EU's objective & most of us would agree that greater clarity in relation to data protection laws would be welcome - so far, so good, but....).
- The current Regulation is too prescriptive - it should be outcomes-based and enable organisations to take risk-based decisions regarding the way in which they comply with data protection laws (this is a major stumbling block as the Regulation is drafted in a heavily prescriptive fashion and would require substantial re-drafting to convert it to principles- or outcomes-based regulation). The ICO hasn't gone as far as the Justice Select Committee in concluding that we need to 'go back to the drawing board', but this is probably the practical effect of the ICO's view (and much of the ICO's note echoes the views of the Justice Select Committee).
- The law needs to be clarified in terms of what constitutes 'personal data' and current areas of confusion/non-compliance need to be tackled definitively (e.g. the status of 'pseudonymised' data & non-obvious identifiers such as IP addresses).
- Individuals' rights need to be easy to understand and capable of being applied in practice (particularly the much criticised 'right to be forgotten' - most of us would have sympathy with this view as few of us really understand the right to be forgotten, why it is necessary (beyond existing principles/rights of data subjects) or how this will work in practice, if at all).
- The EU needs to accept the limited power which regulators in Member States will have in relation to non-EU based data controllers (much has been made to date of the proposed extra-jurisdictional application of the Regulation as currently drafted).
- There should be a high-level threshold applicable to the consent to be secured from individuals before their data can be processed, but there should be alternatives to this requirement in situations where securing consent isn't viable (the Regulation has a blanket requirement for freely-given, specific, informed and explicit consent to data collection and processing by organisations, which would have consequential effects for 'consent' requirements in other related regulations such as PECR, which deals with marketing consents and cookies).
- Notwithstanding the ICO's view that EU laws should be consistent, the ICO doesn't agree that laws across Member States should be totally harmonised & suggests that Member States should have scope for flexibility to accommodate different legal traditions (this is consistent with the UK government's view that the reforms should be implemented by a Directive rather than a Regulation in order to provide Member States with discretion as to how the law is implemented in each Member State - inevitably, this will make the pan-European 'consistency' objective much harder to achieve as individual Member States will enact laws which function in their Member State but which may not be harmonised with corresponding laws in other Member States).
- Regulators should be provided with flexibility to focus on high-risk data processing activities rather than getting involved in every breach, however minor or inconsequential, particularly given their limited resources/budgets (the current Regulation mandates the Regulators to fine for every breach, only providing discretion as to the level of the fine).
- The European Data Protection Board should have authority to ensure consistency of sanctions across Member States, fines should not be linked to a percentage of turnover, and the members of the Board should work together to develop a risk-based approach to sanctions not focussing solely on fines (the mandatory obligation to notify regulators of breaches together with the mandatory obligation to apply fines of up to 2% of turnover have attracted the attention of most organisations).
In short, there seems to be a fundamental disagreement on the current Regulation as drafted! This won't come as a surprise to anybody who has been tracking the progress of the Regulation or the ICO's stated views on this subject, but it does beg the question of how these fundamental issues will be overcome within the EU's preferred timeframe for implementation of the Regulation i.e. direct enactment of the Regulation in Member States later this year with a 2 year implementation period.
Watch this space for further developments...