Proposals for the new European data protection framework are over-engineered and need a lot of work, says Information Commissioner Christopher Graham.
In their current form, the proposals are also unaffordable because regulators would need a small army of staff to cope, he told a Westminster eForum seminar in London.
“The draft proposals demand that data protection authorities must impose fines for a whole list of things classified as data breaches, leaving no room for regulators to exercise discretion,” said Graham.
European data protection authorities, he said, would never be able to get enough funding to implement and enforce all the proposals to the letter as they now stand.
“The result would be that they would be forced to pick and choose [which to enforce], which would lead to inconsistencies across Europe,” he said.
Many regulations would also not be enforced, he said, leading to less effective data protection regulation for Europe than that currently in place.
“Surely it is possible to get agreement to say instead that data protection authorities may impose fines, rather than must,” said Graham.
The Information Commissioner's Office (ICO) wants to see consistency, he said, and is pushing for this as an active member of the Article 29 Working Party made up of representatives of European data protection authorities.
But all stakeholders should engage with the process of formulating a new data protection framework and not just leave it up to governments and data protection authorities, said Graham.
“It is no good waiting until legislation is passed, and then saying the law is an ass,” he said.
The Information Commissioner said all new regulation should take into account the rights of constituents and consumers.
“Instead of raging against the machinery [of regulation], get stuck in and help negotiate something that is relevant to the 21st century,” he said.