In February the ICO published an article-by-article commentary on the proposed EU General Data Protection Regulation (the Regulation), following on their earlier comments in February 2012. As many readers will know, the draft Regulation, which will harmonise EU data protection laws, has been under discussion since 2009. However, the Regulation now looks to be well along the path to becoming law. The ICO’s comments give some helpful commentary on the current proposals and guidance on how it might work in practice.
- There is still uncertainty about whether personal data, which cannot be linked to an individual, is regulated data. The ICO prefer a wide definition of personal data, including pseudonymised data, provided the rules of data protection are applied realistically.
- The Regulation contains a high standard of data-subject consent. However, the ICO does not believe that this should leave data controllers without a lawful basis for proceeding where necessary or unobjectionable. Similarly, where an objection is raised by a data subject, a data controller should be able to refuse an objection where there are compelling and legitimate grounds for it to proceed.
- The Regulation contains a large number of delegated acts which deal with the detail of implementation and on which the ICO has not had an opportunity to comment.
- The ICO is concerned that the so-called “right to be forgotten” may be difficult or impossible to achieve in practice and could mislead individuals regarding the degree of protection they have.
- The ICO has questioned the feasibility of enforcing data protection laws against non-EU controllers.
- Throughout the Regulation, the emphasis appears to have been placed on compliance processes rather than outcomes. The ICO points out that this approach creates a danger that businesses will focus on compliance with the letter rather than the spirit of the Regulation.
- It is unclear whether the Regulation will make access requests free of charge. The ICO wants the wording to clarify this, given the significance of this potential change. The ICO’s view is that, in ordinary circumstances, access should be free.
- As the wording of the Regulation currently stands, the supervisory authority is notified of a personal data breach before the data subject. The ICO believes that the data subject should be notified first or there should be simultaneous notification. It also states that a risk-based approach should be adopted to deciding whether to notify.
- A data protection officer must be appointed for companies that process data and employ over 250 people. The ICO does not support this simple headcount criterion, as small companies employing a handful of people can process large amounts of regulated data eg social networking sites.
- The Regulation does not (and cannot) prescribe any criminal penalties. The ICO has requested clarification on the status of UK Data Protection Act offences, to the extent that they cover offences outside the Regulation.
- With respect to sanctions, the ICO welcomes the “approach of setting out all the possible breaches in one place on the face of the legislation”, but would prefer a single, non-ranked list of breaches to different sets of more or less serious breaches linked to fines.
A full copy of the ICO’s analysis can be found here.