On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.
On February 27, 2012, the ICO released an initial analysis of the Commission’s package of proposals (including the proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”)). The ICO stated that its analysis is not intended to be comprehensive, but rather provides an overview of the most significant components. The ICO may follow up with further comments.
Highlights of the ICO’s Analysis
- The ICO recognizes that the Commission’s proposals are necessary, and that any attempt to revise existing national data protection laws would not suffice.
- The ICO would have preferred to see one comprehensive instrument, and is concerned that having two instruments — a Regulation and a Directive — will adversely impact harmonization. The ICO conceded that a reasonably consistent framework can be achieved if the Proposed Regulation and the Proposed Directive adopt a common approach with respect to fundamental principles.
- The ICO considers the proposals to be too detailed and prescriptive, and states that a prescriptive approach will not necessarily result in greater data protection. The ICO suggests that a more flexible approach may achieve greater compliance and result in a higher standard of data protection.
- The ICO has serious doubts as to whether the extended territorial scope of the Proposed Regulation (Article 3) can be applied to non-EU organizations in practice, as it is unclear how enforcement action could be taken outside the EU. The ICO notes that the Proposed Regulation should instead “encourage” voluntary compliance by non-EU organizations.
- The ICO welcomes the expanded definitions of “data subject” and “personal data.” However, the ICO advises that the Proposed Regulation should make clear when online identifiers (e.g., IP addresses) do or do not constitute personal data (as Recital 24 is unhelpful). The ICO suggests that a better approach would be to establish that, where an online identifier is used to target content at an individual (e.g., behavioral advertising) or otherwise treat one person differently from another, then the online identifier will constitute personal data.
- The ICO welcomes the removal of the distinction between “ordinary” and “explicit” consent and the move to a single form of consent. In addition, the ICO welcomes the clarification that, for consent to be valid, the data subject must take some positive action to demonstrate his or her consent.
- The ICO states that the definition of “main establishment” in the Proposed Regulation requires further consideration, as it currently assumes that all decisions regarding processing are made in the same place, which is not the case for many organizations.
- The ICO notes a significant variation between the principles relating to the processing of personal data in the Proposed Regulation and those in the Proposed Directive, and it would like to see greater harmonization. Otherwise, the ICO predicts that considerable confusion is likely to ensue, particularly for organizations that are required to comply with both the Proposed Regulation and the Proposed Directive.
Rights of Data Subjects under the Proposed Regulation
The ICO particularly welcomes the strengthening of the rights of data subjects under the Proposed Regulation and notes the following key concepts:
- The requirements for transparent and accessible information (Article 11) reflect the ICO’s own approach.
- Providing data subjects with information regarding the recipients of their data (Articles 13 and 14(3)) is particularly important given the increasing prevalence of data sharing.
- Expanded fair processing notices (Article 14) are also welcomed, but data controllers should be permitted to improve on any standard forms that the Commission may draft.
- Data controllers should not be able to circumvent the right to data portability (Article 18) by holding information in non-standard formats.
- The ICO welcomes the shift in the burden of proof from the data subject to the controller in relation to the right to object (Article 19).
- The ICO agrees that individuals who publish information about themselves online generally should be able to remove it easily (Article 17); the ICO notes, however, that an insufficiently qualified right to be forgotten “could have serious implications for freedom of expression – particularly the right to publish information – and for the maintenance of the historical record.”
Obligations of Controllers and Processors under the Proposed Regulation
With respect to the obligations of controllers and processors, the ICO notes the following:
- The concept of accountability is welcomed. However, the ICO is concerned that the Proposed Regulation places particular emphasis on documentation, as opposed to the actual conditions of processing personal data.
- In relation to data breach notification, the ICO strongly supports a legal obligation to notify (but only in circumstances where it would be proportionate), and notes that regulators should not be overwhelmed by trivial breaches. In addition, notification to data subjects should be triggered by financial loss and other negative consequences, and not just by adverse effects to data subjects’ privacy.
- With respect to international data transfers (Articles 34 and 40 – 43), the ICO prefers that controllers and processors primarily be responsible for identifying and minimizing risks, and have greater flexibility to make their own adequacy findings.
- The ICO would prefer to encourage the appointment of data protection officers (“DPOs”), rather than require such appointments. The ICO also argues that any requirement to appoint a DPO should not be linked to an organization’s number of employees.
- With respect to sanctions, the ICO questions whether “specifying in such detail all the possible breaches and the level of fine that follows is either helpful or proportionate.” The ICO states that there should be a link between the failure to comply and the actual consequences of the breach, and “[f]ines should not be imposed for procedural or record keeping failures alone.”
The UK Ministry of Justice is currently operating a Call for Evidence relating to the Commission’s proposals, which will close on March 6, 2012. Responses to the Call for Evidence are expected to shed light on whether the ICO’s views of the Commission’s proposals are shared across the UK.