This morning the UK Parliament’s Justice Select Committee held its first evidence session on the EU Data Protection Framework Proposals. Representatives from the Association of Chief Police Officers, the Met Police, the Federation of Small Businesses and Microsoft, as well as the Information Commissioner’s Office, provided their views on the two draft EU legal instruments – the Directive (concerned with criminal data) and the Regulation (concerned with pretty much everything else).
While the witnesses accepted that the Regulation did bring welcome changes to reduce certain aspects of the current regime’s bureaucracy (for instance, around notifying DPAs), the overwhelming response was to criticise the overly-engineered text of the Directive and Regulation (including the numerous delegated powers given to the EU Commission). A key tension in the Regulation exists between the drive towards harmonisation (particularly dear to the Commission) and the consequent prescriptive practices and procedures that the Commission’s version of harmonisation requires.
The Business view
Although international businesses are keen on a single data protection standard across the EU, this becomes less palatable when the requirements for that standard are set out in precise detail. Additionally, while the Regulation appears to hold out all sorts of new rights to individuals as data subjects, industry queried what incentives the Regulation contained for them to comply and what compensation they would receive for the additional administrative burdens they would have to bear (such as maintaining detailed documentation about their data processing and responding to subject access requests if the fee is abolished). Industry supported an approach that encouraged codes of conduct and certification to promote trust between consumers and business.
The Regulator’s view
In his evidence, Christopher Graham, the Information Commissioner, was particularly trenchant in his view that full compliance by the Information Commissioner’s Office with the requirements of the Regulation was not only unworkable but also exorbitantly expensive. He indicated that potentially millions more pounds would need to be allocated to the ICO for the office to fulfil its obligations under the Regulation, such as checking that data controllers appoint DPOs or carry out PIAs. The ICO emphasised the need for the Regulation to focus on good data protection outcomes rather than prescribing the means by which these are achieved. For the ICO, the Regulation should promote a risk-based rather than a one-size-fits-all approach.
The ICO was optimistic that its view would make some headway during the negotiations on the Regulation. In particular, the ICO was not keen to see its reputation as a regulator that advises and assists transformed into that of an administrative centre obliged to punish compliance failures with no ability to apply discretion and judgment.
The right to be disappointed…
Although there was some discussion amongst the Committee and witnesses on the impact of the right to be forgotten, some witnesses considered it would swiftly become a ‘right to be disappointed’. Though packaged up as a new right, witnesses made the point that a similar, if not identical, right already exists in the current regime. Additionally, given the practical difficulty of scouring the internet to identify and delete every reference to an individual, it will be well-nigh impossible for an organisation to conclusively delete every such reference. Disappointment and disenchantment would inevitably set in. The ICO also mentioned that it is still unclear whether search engines would be caught by the obligation to implement an individual’s right to be forgotten.