On January 25, 2012, the European Commission released a data protection law reform package, including its proposed General Data Protection Regulation (the “Proposed Regulation”). The UK Information Commissioner’s Office (“ICO”) has reacted positively to the Proposed Regulation, in particular commending efforts to strengthen the rights of individuals, the recognition of important privacy concepts such as privacy by design and privacy impact assessments, and new accountability requirements to ensure organizations properly demonstrate and document their data protection safeguards and procedures.
The ICO also commended the Proposed Regulation’s:
- clarification and strengthening of the definition of “consent” to ensure that consent is “genuine;”
- shifting the burden from individuals to controllers with respect to the right to object to processing;
- introduction of the right to data portability, to enable individuals to switch between online service providers more easily;
- introduction of obligations imposed directly on data processors (under the current Directive and the UK Data Protection Act 1998, processors are under contractual, but not statutory, obligations);
- introduction of data breach notification for all industry sectors, although the ICO notes the Commissioner’s preference that only serious breaches should require notification;
- introduction of data protection certification mechanisms, seals and marks, to encourage businesses to adopt data protection best practices; and
- strengthening of DPAs’ powers.
On the other hand, the ICO characterized certain provisions as being “unnecessarily and unhelpfully over prescriptive,” and criticized the Proposed Regulation for not addressing inadequacies in the current framework for international data transfers, noting that the Proposed Regulation “fails to properly recognize the reality of international transfers…in today’s globalised world.” The ICO also called for further consideration of (1) the concept of “special” or “sensitive” categories of personal data and restrictions on processing such data, (2) requirements surrounding organizations’ obligations to obtain prior DPA approval, especially with respect to international data transfers, and (3) how the Proposed Regulation would be enforced against controllers and processors based outside the European Economic Area.
The ICO also criticized the proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”), as being “much less ambitious” than the Proposed Regulation. The ICO believes that the Proposed Regulation and the Proposed Directive should afford equal protection to personal data across all sectors, and hopes that the Proposed Directive will be strengthened prior to its adoption.