Concerned that the prescriptive nature of the proposed EU Data Protection Regulation will impose a significant additional administrative burden on regulators, the UK Information Commissioner’s Office (ICO) has published on its website a letter to the Secretary of State for Justice which re-states the Information Commissioner’s concerns about the proposed Regulation.

The key source of the Commissioner’s concerns is that the prescriptive nature of the Regulation will impose a significant additional administrative burden on regulators.  Coupled with the abolition of notification fees, the ICO’s current source of funding, the Commissioner suggests the ICO would no longer be able to intervene on the basis of risk and proportionality, and that this would make it less effective.

Aspects of the Regulation which the Commissioner identifies as being of particular concern are:

  • The emphasis on punishment and sanctions at the expense of awareness raising and education
  • The requirement for all data breaches to be notified to Data Protection Authorities, rather than just those that pose significant risk
  • Prior authorization to be required for international transfers where this is not required under current regime
  • Limited discretion for Data Protection Authorities over administrative sanctions, which are imposed on the basis of process failures rather than privacy risks
  • Participation in a consistency mechanism that is insufficiently risk-based and contains unrealistic time limits