Initial ICO response on the European Commission’s proposal for a new general Data Protection

Statement: 25 January 2012
The Information Commissioner welcomes the Commission’s proposal. There is
no doubt that the EU’s legal framework for data protection needs
modernising in the face of increasingly sophisticated information
systems, global information networks, mass information sharing, the
ever growing online collection of personal data and the increasing
feeling of individuals that they have lost control of their personal
information. The proposal seeks to address these needs.
The Commissioner has called for:
- an effective new Data Protection framework that is overarching, clear in scope and easy to understand and apply;
- clear, effective rights for individuals with simple, low-cost means of exercising them;
- clear responsibility and accountability placed on those processing personal data throughout the information life cycle;
- obligations to be focussed on processing that poses genuine risks to individuals or society;
- data protection authorities that are independent with a clear role, effective powers and flexibility.
The Commission’s proposal goes a long way
towards satisfying these requirements. In particular it strengthens the
position of individuals, recognises important concepts such as privacy
by design and privacy impact assessments and requires organisations to
be able to demonstrate that they have measures in place to ensure
personal information is properly protected.
Whilst recognising that there is inevitably
some tension between the drive for harmonisation of data protection
standards across the European Union and his desire for flexibility in
focussing obligations on processing that poses genuine risks, the
Commissioner believes that in a number of areas the proposal is
unnecessarily and unhelpfully over-prescriptive. This poses challenges
for its practical application and risks developing a "tick box"
approach to data protection compliance. The proposal also fails to
properly recognise the reality of international transfers of personal
data in today’s globalised world and misses the opportunity to adjust
the European regulatory approach accordingly.
Elements of the proposal that the Commissioner
particularly welcomes include:
- strengthening of provisions relating to consent so that when an individual’s consent is relied on for processing personal data it is genuine consent;
- making the right to object meaningful by shifting the requirement from one where the individual has to demonstrate compelling legitimate grounds for deletion to one where the controller has to demonstrate compelling legitimate grounds for retention;
- introducing the right to data portability enabling individuals to obtain a copy of data held about them in a reusable, electronic format;
- placing important legal obligations directly on to processors;
- introducing a compulsory data breach notification duty that applies across all sectors (albeit that the Commissioner considers this should be restricted to serious breaches only);
- giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers;
- encouraging incentives for Data Protection compliance in the form of certification mechanisms and Data Protection seals and marks;
- strengthening the powers of Data Protection authorities including comprehensive investigative powers.
Elements of the proposal which the Commissioner
believes require further thought include:
- retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed;
- requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers;
- extending the scope of data protection obligations to any processing that is directed at individuals residing within the EU without any clear indication of how the Regulation’s requirements can be readily enforced outside the EU;
- restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens.
The Commissioner has also examined the European
Commission’s separate proposal for a new Directive applying to the
processing of personal data by law enforcement authorities. He is
concerned that in an area where the processing of personal data can
have a particularly adverse impact on individuals the Commission’s
proposals are much less ambitious. He believes that a high level of
data protection that, as with the current UK Data Protection Act, is
equally applicable across all sectors is required and hopes that these
provisions will be strengthened as negotiations progress.
This is the Commissioner’s first but
nevertheless informed reaction to the European Commission’s proposals.
He will now be examining the published proposals in detail,
contributing to the Article 29 Working Party’s consideration of them
and commenting further in due course.
If you need more information, please contact the ICO press
office on 0303 123 9070 or visit the website at: www.ico.gov.uk.
About the Author
The Information Commissioner’s Office is the UK’s
independent authority set up to uphold information rights in the public
interest, promoting openness by public bodies and data privacy for
individuals. We do this by promoting good practice, ruling on
complaints, providing information to individuals and organisations and
taking appropriate action when the law is broken.
The ICO enforces and oversees the following
legislation:
- Data Protection Act 1998
- Freedom of Information Act 2000
- Privacy and Electronic Communications Regulations 2003
- Environmental Information Regulations 2004
Article Published/Sorted/Amended on Scopulus 2012-01-26 13:12:38 in Business Articles