
Initial ICO response on the European Commission's proposal for a new general Data Protection


The Information Commissioner's Office


Statement: 25 January 2012

The Information Commissioner welcomes the Commission's proposal. There is no doubt that the EU's legal framework for data protection needs modernising in the face of increasingly sophisticated information systems, global information networks, mass information sharing, the ever growing online collection of personal data and the increasing feeling of individuals that they have lost control of their personal information. The proposal seeks to address these needs.

The Commissioner has called for:

an effective new Data Protection framework that is overarching, clear in scope and easy to understand and apply;

clear, effective rights for individuals with simple, low-cost means of exercising them;

clear responsibility and accountability placed on those processing personal data throughout the information life cycle;

obligations to be focussed on processing that poses genuine risks to individuals or society;

data protection authorities that are independent with a clear role, effective powers and flexibility.

The Commission's proposal goes a long way towards satisfying these requirements. In particular it strengthens the position of individuals, recognises important concepts such as privacy by design and privacy impact assessments and requires organisations to be able to demonstrate that they have measures in place to ensure personal information is properly protected.

Whilst recognising that there is inevitably some tension between the drive for harmonisation of data protection standards across the European Union and his desire for flexibility in focussing obligations on processing that poses genuine risks, the Commissioner believes that in a number of areas the proposal is unnecessarily and unhelpfully over prescriptive. This poses challenges for its practical application and risks developing a "tick box" approach to data protection compliance. The proposal also fails to properly recognise the reality of international transfers of personal data in today's globalised world and misses the opportunity to adjust the European regulatory approach accordingly.

Elements of the proposal that the Commissioner particularly welcomes include:

strengthening of provisions relating to consent so that when an individual's consent is relied on for processing personal data it is genuine consent;

making the right to object meaningful by shifting the requirement from one where the individual has to demonstrate compelling legitimate grounds for deletion to one where the controller has to demonstrate compelling legitimate grounds for retention;

introducing the right to data portability enabling individuals to obtain a copy of data held about them in a reusable, electronic format;

placing important legal obligations directly on to processors;

introducing a compulsory data breach notification duty that applies across all sectors (albeit that the Commissioner considers this should be restricted to serious breaches only);

giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers;

encouraging incentives for Data Protection compliance in the form of certification mechanisms and Data Protection seals and marks;

strengthening the powers of Data Protection authorities including comprehensive investigative powers.

Elements of the proposal which the Commissioner believes require further thought include:

retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed;

requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers;

extending the scope of data protection obligations to any processing that is directed at individuals residing within the EU without any clear indication of how the Regulation's requirements can be readily enforced outside the EU;

restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens.

The Commissioner has also examined the European Commission's separate proposal for a new Directive applying to the processing of personal data by law enforcement authorities. He is concerned that in an area where the processing of personal data can have a particularly adverse impact on individuals the Commission's proposals are much less ambitious. He believes that a high level of data protection that, as with the current UK Data Protection Act, is equally applicable across all sectors is required and hopes that these provisions will be strengthened as negotiations progress.

This is the Commissioner's first but nevertheless informed reaction to the European Commission's proposals. He will now be examining the published proposals in detail, contributing to the Article 29 Working Party's consideration of them and commenting further in due course.

If you need more information, please contact the ICO press office on 0303 123 9070 or visit the website at:

About the Author

The Information Commissioner's Office is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. We do this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.

The ICO enforces and oversees the following legislation:

  •  Data Protection Act 1998
  •  Freedom of Information Act 2000
  •  Privacy and Electronic Communications Regulations 2003
  •  Environmental Information Regulations 2004


Article Published/Sorted/Amended on Scopulus 2012-01-26 13:12:38 in Business Articles
