Government negotiators are taking UK views to negotiations over the final draft of the proposed EU data protection regulatory framework, according to justice minister Tom McNally.
"We will take our evidence to the negotiations and work to achieve the best outcome," McNally told the Westminster eForum on data protection and privacy.
The government is considering the proposals and gathering the views of UK stakeholders, including responses to the Ministry of Justice's public consultation, said McNally.
UK negotiators will be presenting this evidence together with input from previous consultations and on-going consultations with subject experts throughout the finalisation process.
UK requirements of a revised data protection framework are that it is based on proper evidence; that benefits are made clear to data subjects; that it takes into consideration the impact of rules on data controllers; and that it recognises the view of the UK's Information Commissioner's Office (ICO).
"We recognise the risk of setting standards so high that it will not work in practice," said McNally.
The UK is particularly keen to ensure the data protection regulatory framework does not impose overly onerous burdens on small and medium enterprises (SMEs).
However, McNally said the UK government was encouraged by the recognition in the draft proposals of some SME concerns, such as exemption from the requirement to appoint a data protection officer.
McNally also expressed concerns about the right-to-be-forgotten principle; the requirement for organisations to notify authorities of data breaches within 24 hours; and the provision for fines.
The right to be forgotten would have to be proportionate and workable in the final implementation, McNally said. He cautioned against promising something that could not be delivered.
"It is obviously important to notify data protection authorities of a breach, but to do so within 24 hours may delay important work to mitigate the effects of the breach," he said.
The existing e-privacy directive's requirement of notification "without undue delay" is more realistic, said McNally.
While the UK government supports the idea of data protection authorities being able to impose fines, McNally said monetary penalties should be proportionate, especially where violations of bureaucratic rules are concerned, rather than in cases of real harm caused by data breaches.
"To get it right, I believe we need to apply both technical expertise and political judgement. It is not just about techie issues; it is also about politics," McNally said.
The draft proposals published in January will now be passed on to the European Parliament and EU Member States meeting in the Council of Ministers for discussion.
The EU data protection framework is expected to take effect about two years after it has been adopted. National governments will have to agree to the data protection proposals before any rules are enforced.
This will give companies time to get their affairs in order, but data protection experts have warned that none should delay, as it may take time for some businesses to implement robust policies around access to and storage of sensitive data.