The latest responses by the UK government and the ICO to the EU reform proposals will (mostly) resonate with businesses concerned about some of the more far-reaching changes.
The latest developments and timeline
Datonomy has been taking stock of two recent UK developments: the Government’s response to the Justice Select Committee’s opinion on the European Data Protection framework proposals, published by the MoJ on 11 January, and the “latest views from the ICO” two-pager on 22 January.
Datonomy readers are no doubt au fait with the intricacies of the EU legislative process, but may nonetheless enjoy the blog post by Deputy Commissioner David Smith with its helpful insight into the current state of play and user-friendly timeline. Despite the strength of the European Parliament’s support for the Commission’s proposals, the legislation still has a way to go, procedurally speaking. And not everyone shares the EP’s wholehearted support for every aspect of the proposals – as the most recent UK pronouncements illustrate.
Some UK concerns
The MoJ’s response document, which will inform the UK’s negotiating stance, and the ICO paper welcome aspects of the reforms but both highlight similar concerns:
- The legal framework: both the MoJ and ICO are concerned about the “twin track” proposal for a general Regulation and the Directive relating to criminal law enforcement, and the potential for inconsistencies to arise. The UK is lobbying for the Regulation to be re-cast as a directive. Germany too has constitutional concerns about the reforms – see our 2012 post here.
- Too much harmonisation? While fundamental principles should be harmonised across Member States, both papers argue that not every detail of the regime needs to be harmonised. Indeed, for businesses operating internationally, greater harmonisation is one of the plus points of the reforms.
- The “legitimate interests” condition: Developing this theme further, the ICO’s paper argues the need to recognise different legal traditions (e.g. less prescriptive regimes like the UK’s) and cites the application of the legitimate interests condition as a practical example. As Datonomy noted in this recent post, this important condition could be significantly narrowed if the European Parliament’s amendments are adopted.
- Economic impact: the MoJ counters the Commission’s 2.3 billion Euro cost-saving estimate with the UK’s impact assessment of £100-360 million per annum, and emphasises the impact of additional red tape costs for small businesses, in particular.
- Regulatory costs: the ICO is naturally concerned about the proposed loss of funding from notification fees, aside from which it estimates the new regime could cost it an extra £8-28 million.
- Right to be forgotten: Both organisations are concerned about the practicality of the R2BF and the dangers of raising unrealistic expectations for consumers.
- Which organisations will require a DPO? The UK is advocating a more risk-based approach to the requirement to appoint a data protection officer – depending on the quantity and sensitivity of data handled, rather than a blunt threshold of size of the organisation (as proposed by the Commission) or the size of the database (the EP’s counter-proposal).
- Sanctions: Both advocate regulators having discretion over whether to impose fines. The MoJ believes the current proposals on sanctions could create an overly risk-averse environment, and the ICO thinks that linking fines to a percentage of turnover is “impracticable”.
The “sovereignty” theme runs through a number of these concerns (and is topical given the current debate about the UK’s future in Europe). For many businesses the debate over the form of the new rules seems academic; it is the substance and the business impact (and cost) that counts. Datonomy hopes that the politicians will not get too bogged down in form, but will instead focus on ensuring the substance of the Regulation is workable, proportionate and does not tie up recession-hit businesses in unnecessary red tape.