Infosec 2013: ICO expects clarity on EU data rules only in 2014

The ICO expects a clear picture of the coming European data protection framework in early 2014, says deputy commissioner David Smith

The Information Commissioner’s Office (ICO) expects to have a clear picture of the coming European data protection framework only early in 2014, says deputy commissioner David Smith.

By then, the ICO expects to see several changes, particularly around the more prescriptive parts of the proposals, but no fundamental changes, he told attendees of Infosecurity Europe 2013 in London.

Breaking down the timeframe, Smith explained that the European Commission’s proposals are now being examined in detail by the European Parliament and the European Council.

There is bound to be some change, he said, with something like 3,000 proposed amendments by the European Parliament alone so far.

Negotiating the final version

By the end of June, there should be a consolidated view from both of these processes, but only then do the parliament, the council and the commission come together to thrash out the final version.

“There is no certainty that there will be agreement at the end of it,” said Smith. “I would put money on the fact that there will be an agreement, but not a lot,” he added.

The UK is working to influence the negotiation process through its representation on the European Council to voice concerns of UK stakeholders.

One area of concern is that in a bid to achieve a harmonisation of rules throughout Europe, the result may be overly prescriptive rules that do not make sense in the UK context.

“We are following developments closely to see if proposals will indeed deliver better protection of personal data, and that they are easy to apply and understand,” said Smith.

The concern is that if they are too complex, no-one will apply them in a way that is effective in actually protecting personal data, which should be the main goal, he said.

Smith said harmonisation is not a good driver. He believes consistency would be a better guiding principle.

“European countries handled the issue of Google’s unauthorised gathering of Wi-Fi data very differently – there needed to be more consistency,” he said.

The ICO is also concerned that, in their current form, the rules say data protection authorities will impose fines for data breaches.

“We would prefer the wording: may impose fines, and hopefully this will change,” said Smith.

Another concern is around the punitive sanctions for serious breaches with fines currently set at €1m or 2% of global turnover, whichever is the greater.

“This is not necessarily proportionate,” said Smith. However, the ICO believes punitive sanctions have a role to play and claims that its power to impose penalties of up to £500,000 has been effective.

Criminal offences left to the member states

The proposed framework does not address criminal offences, as this is something that is left up to member states to decide.

The ICO, for example, is pressing for the criminalisation of trade in personal information by individuals who have acquired that information through deception or bribery.

“Currently there is provision for prison sentences, but we hope to have provisions in place by this time next year,” said Smith.

ICO welcomes the framework in principle

Despite these and other concerns, Smith said it was important to note that the ICO does not think the EC’s proposed data protection framework is universally bad.

“We welcome better data protection, we welcome concepts such as greater accountability that requires companies to demonstrate they have effective protections in place,” he said.

One of the biggest potential problems is that the rules will be too detailed and too prescriptive, which could lead to a tick-box approach to data protection rather than one aimed at actually protecting data.

For this reason, the UK is championing a risk-based approach that defines desired outcomes rather than prescribing, for example, what qualifications a data protection officer should have, said Smith.

The UK also believes that punitive sanctions should be more focused on real data protection failures rather than on failure to comply with the letter of the law.

Commenting briefly on the controversial “right to be forgotten,” Smith said it is not realistic for anyone to expect to be able to delete all digital data.

However, he said that the slogan is helpful in selling the proposed framework and highlights the need for organisations to delete personal data when appropriate and not to keep it longer than necessary.

It also highlights the importance of having mechanisms in place to enable individuals to object to data being held unnecessarily and will help shift the balance of power to individuals.

The requirement to notify data protection authorities of data breaches within 24 hours is another provision that has caused some concern.

'Unrealistic and impractical' provision

However, this is one provision where there could and should be change, said Smith, although he said it could not be taken for granted.

“The requirement to notify within 24 hours is unrealistic and impractical; this is an example of bad law making and would not be useful or helpful,” said Smith.

The onus should be on organisations to notify data protection authorities where appropriate and within a reasonable period of time. If they fail to do so, then punitive sanctions are appropriate, he said.

Compulsory data breach notification will not go away, said Smith, but he believes there are “encouraging signs” that the notification period may not be 24 hours and that it may not cover all breaches.

“The EC has recognised that the original proposals are over-prescriptive and over-detailed in places,” he said.

The UK is not alone in the European Council in its opposition to certain provisions. For this reason, there are likely to be changes that will lighten the burden on organisations, said Smith.

“These changes may not go as far as we would like, it will not be perfect, it is a compromise, but we will make it better,” he said.