ICO blog: the future of data protection in the EU

Welcome to our blog. Writing this is a new experience for me and is the start of a new venture for the ICO. From time to time we will be blogging on current information rights issues. There won’t necessarily be a pattern to this – just as and when we believe we have something useful to say. And it won’t always be me that writes. My colleagues will be playing their part too.

This time it’s about the future of Data Protection law in Europe. The big event we’re all waiting for is the release of the Commission’s proposals for a new legal framework. First it was going to be last summer, then before Christmas and now we’ve been promised the 25th of January or thereabouts. I wouldn’t put too much money on this. The Commission are working hard and, if all goes well, they should be able to deliver on time. However they still have to go through their inter-service consultation. This is where those drafting the legislation, DG Justice, have to consult the other parts of the Commission. Given that data protection impacts on so many of the EU’s activities, whatever the sector, they are not guaranteed an easy ride.

Directive or Regulation?

There has been much speculation as to whether it will be another Directive or a Regulation. Directives we are familiar with. Regulations have direct effect in that they do not have to be transposed into member states’ laws.

The Commissioner, Viviane Reding, has been very keen to stress the need for harmonisation of the law across member states, so this hints at a Regulation, but she has also pointed out that a Directive can be quite prescriptive and a Regulation can allow some flexibility. Speculation has also been rife as to whether there will be one new legal instrument or two: one to replace the current Directive and one to cover the former third pillar areas of crime and justice. Two instruments would fit with the UK Government’s right to opt out of new EU measures covering the former third pillar, but might make it harder to achieve our objective of a single, overarching framework applying to all the processing of personal data carried out in the EU.

Our view

Our views on what we expect we might see in any new legal instrument are set out more fully in our recent stakeholder briefing. Put simply, we want a framework that, in the context of ever-developing technology and new applications, is clear in what it does and does not cover and is easy for businesses to understand and apply. Regulation that is hard to understand and even harder to apply will not be followed in practice and does not serve the interests of those we are trying to protect.

The same is true of individual rights. They need to be clear, effective and simple to use. Technology should enable individuals to have more control over their personal information and easier means of access. There has been much hype over the so-called “right to be forgotten”. Taken literally this would be a step too far, but the position of the individual could be strengthened simply by changing the existing right to object to processing from one where the individual has to provide compelling legitimate reasons for deletion to one where it is the data controller who has to provide the compelling legitimate reasons for retention.

What we don’t want to see though are unnecessary burdens on businesses. We want a framework that is clear about the standards we expect businesses to achieve, but leaves them freedom to decide how to do so.

This is the essence of an accountability principle. The law should be less prescriptive about means, but businesses should be able to account for how they deliver data protection in practice. Concepts like privacy impact assessments and in-house data protection officers are important, but should not be mandatory in all cases. This approach should extend to international transfers of personal data, so that businesses take their own decisions on “adequacy” but can be challenged if they get this wrong.

The role of data protection authorities

This is how we see the future role of the data protection authority. We need to be independent, have a clear role and be armed with effective powers but we should supervise, enforce and advise rather than give prior approval or authorisation to a data controller’s activities.

This is what some of our European counterparts would call “ex post” rather than “ex ante” supervision. Notification as we know it seems likely to go. We can only support this as a move towards “better regulation”, but we do want to be able to keep the fee-based funding model, which has served the UK so well.

One thing that does stand out is how influential large multi-national, mainly US-based, businesses appear to have been on the Commission’s thinking, particularly in relation to harmonisation. At a recent conference Paul Nemitz, a senior Commission official, went out of his way to say how the Commission would welcome a higher level of engagement from those representing European business and citizens’ interests. Time is running out, but the Commission are willing to listen and there may still be an opportunity to have your say before their proposals are published.

If you’d like to get in touch about anything we blog about, please email us at blog@ico.org.uk

The European Commission has indicated they will publish their proposal early in 2012. This is the start of the process towards a change in the law which will be negotiated in the European Council and Parliament. Changes to the law are likely to take at least a couple of years after this date to agree and a timetable for implementation will then be required.

David Smith: As well as providing Data Protection leadership across the ICO, David Smith has direct responsibility for oversight of its Strategic Liaison Division, which develops and manages the ICO’s relations with its key stakeholders.