On 8 April 2013, the Deputy Commissioner of the Information Commissioner’s Office (“ICO”), which is responsible for enforcing data protection legislation in the UK, issued further comments about the European Commission’s (“Commission”) proposed reform of EU data protection laws currently being debated by the European legislature. The Commission’s proposals for a new data protection Regulation have been controversial given the significantly more onerous compliance burden and sanctions for businesses.
The ICO’s new comments follow recent reassurance from the Director General of the Commission’s Justice Directorate representatives that the new legal framework will not be overly prescriptive and that a risk based approach will be followed instead. According to the Director General, such an approach would in practice mean “less emphasis on a local butcher having to draft a data protection policy before compiling a customer list, but a greater focus on how a health clinic stores personal details of patients”.
The ICO states that it still has reservations about the proposed data protection reforms, including in relation to:
- the additional flexibility afforded to public sector organisations;
- the increased role of data protection authorities in approving arrangements for international data transfers; and
- the impact of changes to the funding of data protection authorities.
The ICO notes that its concerns are shared by many other data protection authorities in the EU and that these views have been compiled and published in a recent statement produced by the Article 29 Working Party (“Working Party” - an independent advisory body that represents data protection authorities in the EU).
In its statement, the Working Party raises concerns about the proposed easing of regulation for the public sector where, it argues, more effective protection is needed given the powerful position of governments in relation to individuals. The Working Party also addresses the key issue of pseudonymisation, a way of disguising identities in a retraceable way. Under the risk-based approach favoured by the ICO this could potentially be used to allow lighter obligations for data controllers provided that the data were rendered sufficiently unidentifiable and it was not possible to single out or track a person via their pseudonym. In the ICO’s view, it would therefore be misleading to think of an IP address as a pseudonym.
In terms of timing, the ICO notes the Commission’s confidence that a political agreement can be reached by June this year but considers that more time will likely be required to finalise the text given that more than 3,000 amendments were proposed in the latest version of the Regulation text issued in January 2013. The ICO is however hopeful that an improved Regulation will emerge towards the end of 2013.
The ICO’s comments can be found on their website