Proposed EU data protection framework needs work, says ICO

There is a lot that is welcome in the proposed EU data protection framework, says deputy information commissioner David Smith.

There is a lot that is welcome in the proposed EU data protection framework, says deputy information commissioner David Smith.

But some aspects are less welcome, there are areas of doubt, and some things that need more work, he told the Westminster eForum on data protection and privacy.

The ICO, he said, welcomed improved rights for individuals, clearer responsibilities on organisations, the high standard of consent, recognition of existing codes of conduct and certifications, the provision for stronger supervisory authorities, the inclusion of new concepts such as privacy-by-design, and the goal of great consistency in data protection rules across the EU.

However harmonisation through a one-size-fits-all regulation that does not take individual cultures into account may not necessarily mean good data protection, said Smith.

The concern is that it could impose burdens that do not really deliver better data protection, he said. "We need to lighten up on the detail; we need consistency [of principles] rather than rigid rules," said Smith.

Over prescription of details, such as the requirements for people filling the role of company data protection officers, is one of the less welcome aspects of the proposals.

Other less welcome aspects include: the introduction of two separate instruments [a regulation and a directive] affecting how organisations operate, a lack of focus on privacy risk, the retention of special categories of data, and an outdated approach to international data transfers.

"Businesses should be allowed to make their own decisions and be accountable for data transfers; the data protection authorities should not be involved," said Smith.

The main areas of doubt for the ICO include the right to be forgotten. More work needs to be done on this so as not to create false expectations, he said. However, Smith said the proposals do include a positive shift in the balance of responsibility from data subjects to data processors.

"Under the proposals, data processors have to show why it is necessary to carry on processing personal information rather than data subjects having to show why they should stop," he said.

Further, the ICO would like more clarity around public access to official documents, funding for data protection authorities (DPAs), and how DPAs can best cope with the increased workload that the proposals in their current form would create.

More work needs to be done, said Smith, to make the new EU data protection rules workable for businesses and data protection authorities.

As part of the ICO's contribution to the UK's negotiating position on the proposals, the UK privacy watchdog plans to canvass stakeholder input and conduct research into the impact of the proposals on the ICO itself as well as business.

"We want to know what the ICO will look like under the new framework; we want to know what the real cost will be to business and if that cost will be justified," said Smith.  

Read more on Privacy and data protection