Initial response from the ICO on the European Commission’s proposal for a new general Data Protection Regulation
Statement: 25 January 2012
The Information Commissioner welcomes the Commission’s proposal. There is no doubt that the EU’s legal framework for data protection needs modernising in the face of increasingly sophisticated information systems, global information networks, mass information sharing, the ever-growing online collection of personal data and the increasing feeling of individuals that they have lost control of their personal information. The proposal seeks to address these needs.
The Commissioner has called for:
- an effective new Data Protection framework that is overarching, clear in scope and easy to understand and apply;
- clear, effective rights for individuals with simple, low-cost means of exercising them;
- clear responsibility and accountability placed on those processing personal data throughout the information life cycle;
- obligations to be focussed on processing that poses genuine risks to individuals or society;
- data protection authorities that are independent with a clear role, effective powers and flexibility.
The Commission’s proposal goes a long way towards satisfying these requirements. In particular it strengthens the position of individuals, recognises important concepts such as privacy by design and privacy impact assessments and requires organisations to be able to demonstrate that they have measures in place to ensure personal information is properly protected.
Whilst recognising that there is inevitably some tension between the drive for harmonisation of data protection standards across the European Union and his desire for flexibility in focussing obligations on processing that poses genuine risks, the Commissioner believes that in a number of areas the proposal is unnecessarily and unhelpfully over-prescriptive. This poses challenges for its practical application and risks developing a “tick box” approach to data protection compliance. The proposal also fails to properly recognise the reality of international transfers of personal data in today’s globalised world and misses the opportunity to adjust the European regulatory approach accordingly.
Elements of the proposal that the Commissioner particularly welcomes include:
- strengthening of provisions relating to consent so that when an individual’s consent is relied on for processing personal data it is genuine consent;
- making the right to object meaningful by shifting the requirement from one where the individual has to demonstrate compelling legitimate grounds for deletion to one where the controller has to demonstrate compelling legitimate grounds for retention;
- introducing the right to data portability enabling individuals to obtain a copy of data held about them in a reusable, electronic format;
- placing important legal obligations directly onto processors;
- introducing a compulsory data breach notification duty that applies across all sectors (albeit that the Commissioner considers this should be restricted to serious breaches only);
- giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers;
- encouraging incentives for Data Protection compliance in the form of certification mechanisms and Data Protection seals and marks;
- strengthening the powers of Data Protection authorities including comprehensive investigative powers.
Elements of the proposal which the Commissioner believes require further thought include:
- retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed;
- requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers;
- extending the scope of data protection obligations to any processing that is directed at individuals residing within the EU without any clear indication of how the Regulation’s requirements can be readily enforced outside the EU;
- restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens.
The Commissioner has also examined the European Commission’s separate proposal for a new Directive applying to the processing of personal data by law enforcement authorities. He is concerned that in an area where the processing of personal data can have a particularly adverse impact on individuals the Commission’s proposals are much less ambitious. He believes that a high level of data protection that, as with the current UK Data Protection Act, is equally applicable across all sectors is required and hopes that these provisions will be strengthened as negotiations progress.
This is the Commissioner’s first but nevertheless informed reaction to the European Commission’s proposals. He will now be examining the published proposals in detail, contributing to the Article 29 Working Party’s consideration of them and commenting further in due course.