On February 12, 2013, the UK Information Commissioner’s Office published a further analysis of the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”). This latest analysis supplements the initial analysis paper on the Proposed Regulation published on February 27, 2012. Although the general views expressed in its initial paper stand, the ICO has now provided greater detail regarding its views of the substantive provisions of the Proposed Regulation.
Highlights of the ICO’s Analysis
- The ICO confirms its view that the Proposed Regulation is overly prescriptive and emphasizes the compliance process rather than outcomes. Citing its auditing experience, the ICO reiterates its position that having policies and procedures does not in and of itself result in compliance, and “due weight needs to be given to outcomes for individuals and actual practice.”
- The ICO welcomes the idea that EU citizens have the same data protection rights regardless of whether they are dealing with an EU or non-EU controller, but doubts whether the territorial scope of the Proposed Regulation can be extended to non-EU organizations in practice (Article 3). The ICO notes that it does “not want citizens to be given the impression they have a level of protection that cannot be enforced in practice.”
- The ICO is in favor of a high standard for consent, but warns that it may be onerous and pointless to require that consent for each activity or “matter” be visually distinguishable.
- With respect to the right to be forgotten (Article 17), the ICO agrees that individuals should have stronger rights in terms of “controlling the dissemination of information about them.” The ICO has concerns, however, that it may be difficult (or impossible) to actually achieve this kind of control and individuals may be misled “as to the degree of protection the law can offer them in practice.”
- In relation to data breach notification (Article 31), the ICO supports a legal obligation to notify individuals, but states that an element of risk should be introduced here, “as clearly some breaches will be more consequential than others.” It emphasizes the need to ensure consistency with the data breach requirements under the e-Privacy Directive so that controllers are not subject to notification obligations under two different legal regimes.
- The ICO does not support a simple head-count criterion for requiring that a company designate a data protection officer (Article 35), citing the example of a social networking site that has few employees, but processes a large amount of sensitive information about numerous people.
- With respect to sanctions (Article 79), the ICO welcomes the “approach of setting out all the possible breaches in one place on the face of the legislation,” but would prefer a single, non-ranked list of breaches to different sets of more or less serious breaches (linked to fines). The ICO considers that such an approach would be more realistic and would “allow all the circumstances surrounding a particular breach to be taken into account.”