The ICO has published its analysis of the Council's general approach on the proposed Data Protection Regulation (the Regulation), which sets out its observations on those parts of the Council text that, in its opinion, are most in need of improvement. Among other things, the analysis addresses questions regarding material scope, pseudonymisation, consent, right to object, data subject access requests, measures based on profiling, the one-stop-shop and the consistency mechanism, and the level of administrative fines. The ICO states that although the member states should have a certain amount of flexibility in terms of the application of the Regulation, the Council approach risks the development of different data protection regimes across the EU.
It stresses that any separate arrangement must be kept to a minimum and must follow the basic standards of the Regulation itself. The ICO supports a single definition of the term "personal data" and welcomes that the Council approach no longer includes "pseudonymous data" as a separate category. The ICO is highly critical of the provisions set out in Article 6 of the Regulation regarding incompatible further processing of personal data, which it describes as a conflation of legal bases for processing and purposes limitation.
The ICO advocates a single high standard of consent that makes it clear to organisations what type of consent they need to justify their data processing activities. The ICO also criticises the Council text with regard to its requirement for parental consent before personal data of a child can be processed. It emphasizes the importance of the provisions relating to data subjects' right to access their own data, which it describes as often the only contact many organisations have with the requirements of data protection law. The ICO stresses that this is a key right that should not be further watered down from the Commission proposal. It welcomes that in the Council text the data subject's right not to be subject to decisions based solely on automated processing including profiling applies only where this significantly affects the data subject.
The ICO maintains its view that the lead supervisory authority should normally be able to regulate transnational data processing without the formal involvement of other supervisory authorities or the EDPB. The ICO's analysis includes few surprises and does not differ much from its previous assessments. As before, it highlights the need for a risk-based approach to data protection as well as a need for flexibility on the part of national data protection authorities to implement and enforce the new rules. While this may be welcomed by some data controllers, it could also lead to a lack of harmonisation between member states, a problem that already exists under the current regime and that the Regulation was specifically designed to remedy, as well as a certain amount of forum shopping by data controllers.