Any readers aiming to get their organisation’s response to the MoJ consultation ready in time for the 6 March deadline will find much food for thought in the ICO’s initial analysis, published earlier this week.
The Initial analysis of the European Commission’s proposals for a revised data protection legislative framework covers both the draft Regulation and the proposed Directive on data protection in the context of criminal matters. The ICO makes it clear that this is unlikely to be its last word on the proposals, with more detailed analysis to come as the legislative process kicks off. Nonetheless, the ICO’s observations are an invaluable source for businesses currently analysing the potential practical implications. The ICO has focussed on aspects of the proposal which it views as unduly onerous or unlikely to work well in practice.
Given the breadth and ambition of the European Commission’s proposal, it is not surprising that the ICO’s reactions to various dimensions of the proposal are mixed. There are however some consistent themes in the ICO’s response: the need for proportionate, sensible and effective privacy protection, and less emphasis on red tape, form filling and common processes. “Harmonisation on paper…will not necessarily deliver sensible and effective data protection in practice“, states the ICO. As well as highlighting the potential burdens on the regulator itself, the response is in many respects a business-friendly one.
For those preparing a consultation response of their own, the ICO’s 29 page critique of the draft Regulation merits reading in full, but here are some key issues on which the UK regulator’s stance will be of particular interest.
- Right to be forgotten: this new right, and its practical implications, “need thinking through carefully” and should be presented in “less ambitious terms” to avoid a mismatch between individuals’ expectations and the various exceptions to the right already proposed. If the new right is “insufficiently qualified” it will have serious implications for freedom of expression in particular. – See pages 13-14
- Data portability: is welcomed in principle, but with acknowledgement of the practical burdens for data controllers and the need for businesses’ IP rights to be safeguarded.
- Profiling: clarification is needed as to whether online behavioural advertising is intended to be caught or not; a more risk-based approach is need to reflect that different types of profiling pose different levels of privacy risk – see page 15.
- Prior authorisation and prior consultation: the ICO has a number of concerns about the “unrealistic” proposals in Article 34 concerning pre vetting of certain processing activities, particularly overseas transfers. See page 19.
- Breach notification: while broadly welcoming the notification requirement, the ICO calls for more proportionate triggers and thresholds and more flexible deadlines – see page 17-18.
- DPOs: the ICO takes a measured and risk-based stance on the mandatory appointment of DPOs and rightly points out that the 250 employee threshold is too blunt an instrument for determining when an organisation should have a dedicated privacy officer – page 19.
- Sanctions: the ICO “has doubts” about a number of aspects of the proposals on turnover based fines. Again, proportionality and “a link between administrative failure and practical [privacy] consequences” are missing – page 27.
- One stop regulation for multinationals: the ICO foresees various practical obstacles to the ideal of “one stop” regulation for EU multinationals. Identifying the “main establishment” of a business with multiple centres of processing and decision making may not be as easy in practice as the draft Regulation assumes. See pages 7 and 22-23.
- Enforcement against non EU businesses: the ICO also has doubts about the efficacy of the extra-EU reach of the Regulation (page 5) and need for the designation of an EU representative – page 17.
- Children: on the issue of verifiable parental consent from under 13s, the ICO argues for a less black and white requirement, proposing that the approach to parental consent be applied more flexibly, according to the privacy risks of the particular online service – page 8.
- Personal data, sensitive personal data and data subject: the ICO broadly welcomes the proposed extension of the personal data definition – pages 5-6. However it has reservations about the continued “binary distinction” between sensitive and non sensitive personal data, and the lack of correlation which can sometimes result between the categories of sensitive data and privacy risk.
It is helpful that the ICO has shared its views with other potential respondents before the MoJ deadline, and reassuring that the regulator is alive to the practical businesses impacts and costs of the proposed changes. Businesses may be less pleased by the ICO’s assertion that the new rules – once agreed at EU level – should have a shorter lead in time than the two years currently proposed (see page 2). The ICO’s argument is that DP rules are not new, and that many aspects of the proposals simply represent current best practice.
As we’ve said before, the Regulation has a long way to go before adoption. But let’s hope that – if the ICO’s wish for a tight compliance deadline is heeded by the EU institutions – that its various suggestions for moderation of the rules are taken on board too.
For those wishing to add their views to the Ministry of Justice’s consultation by next Tuesday, the link is here.