With the EU Data Protection “reform train” rounding what is hopefully the final bend towards the summit of consensus, the UK ICO have published their latest analysis on the Council’s draft EU Data Protection Regulation. The analysis demonstrates the improvement needed in order to ensure that the new law provides effective protection to individuals while being “easy to understand and working well in practice.” To recap: all three key EU institutions – Commission, Parliament and Council – have prepared alternative drafts and are ready to negotiate in trilogue, with the timetable aiming to complete the process by the end of 2015.
The journey began in January 2012 when the European Commission issued its draft of the General Data Protection Regulation (the “DP Reg”) – the first step in meaningful revision of this area in nearly 20 years. The European Parliament approved its version of the DP Reg in March 2014 and the Council agreed upon its own version on 15 June 2015.
The ICO’s comments covered the following:
- Consent – There is a danger that the references to ‘explicit’ or ‘unambiguous’ consent could cause confusion – i.e., what is required for which context? The ICO suggests that there should be a single, high standard for consent and that there should also be realistic alternatives to consent, for example ‘legitimate interests.’
- Pseudonymisation – As a privacy enhancing tool, pseudonymisation should be encouraged. The Council’s draft suggests that, in most cases ‘pseudonymous data’ would be treated as any other form of personal data; this could remove the incentive from creating and using relatively low risk forms of personal data in the first place.
- Data subject access rights – Confusion arises over when the right of access would be free and when a charge can be made. Also the unqualified exception to giving access where it would involve disclosure of a third party’s data is unworkable and ‘unacceptable’ – a balance is needed.
- Children’s consent – The approach is too inflexible and will cause uncertainty for those offering services accessed by children. The ICO’s view is that, in principle, it should be possible for children to access certain services without parental consent. Removing the definition of ‘child’ compounds the difficulty. The ICO points out that age verification and parental consent systems could lead to service providers collecting ‘hard’ identifiers about children.
- Cooperation between Member State and European Authorities – The ICO view is that lead national supervisory bodies (based on the data controller’s main establishment) should normally be able to regulate transnational processing without formal involvement of the European Data Protection Board or other Member States’ authorities and that the trigger threshold for the ‘consistency mechanism’ is set too low.
The ICO also comments on areas such as the right to object, information notices, automated processing, data protection officer qualities and data security breach notification. Whatever the final destination of the journey, all EU organisations will have adjustments to make during the two-year implementation period. All aboard for the reform train!