ICO Deputy exposes Data Protection law wish list

Harmonisation of EU data protection law may be a pipe-dream

Comment Last Friday, data protection day, was commemorated with a meeting organised by the Ministry of Justice in Whitehall. At that meeting, David Smith, the Deputy Information Commissioner (DIC), reviewed the Information Commissioner’s wish list of changes to data protection law. This blog reports on the content of that list.

Regulation or new directive?

Speaking to “very well informed sources” at a break in the meeting it became clear that the UK government wants the changes to data protection law to be implemented by a Directive (unlike the EDPS, who wants a Regulation). If this is the case, Directive negotiations will take an age, and one can assume that any prospect of a new Data Protection law in the UK will be booted into the long grass (five to eight years at least – well into the next Parliament).

So if the Commission decides on a Regulation, I think it will have to give Member States a considerable degree of subsidiarity (eg, Member States have flexibility in the area of national security or law enforcement). Otherwise, some Member States (eg, the UK) will ensure that any internal discussion about a Regulation becomes protracted because, in the UK, law enforcement and national security agencies are used to relying on generous exemptions from the data protection rules. I got the sense at the meeting that this position will NOT substantially change.

Also lurking in the background is the “Protocol on the Position of the United Kingdom and Ireland in Respect of the Area of Freedom, Security and Justice”. Article 6a of this Protocol to the Lisbon Treaty states that:

The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title IV of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.

Let’s cut the legalese. The above means the UK can opt out in areas of judicial co-operation and serious crime, especially where data protection rules impact on these areas. This is another legacy of New Labour, over-anxious that Europe would not be able to interfere with Surveillance Britain.

It is interesting to note that no one has challenged the Coalition Government as to whether it agrees with this opt-out – I suspect it does agree.

In addition, those who support a Regulation want a Regulation to be a harmonising measure so that all Europe’s data protection laws provide the equivalent standard of data protection. They also support a Regulation as Member States will be obliged to translate its provisions into national data protection laws.

However, if Member States can go their own way – as the UK can in these sensitive areas – then the rationale for supporting a Regulation is lost. To put it bluntly, I can see many Member States saying: “Well if the UK can do it, so can we,” (or “Yes we can,” for American readers).

Accountability and pragmatism

The ICO, like all European Commissioners, supports the idea of a prominent Accountability Principle. For instance, the DIC indicated that the ICO favours details about data protection compliance appearing in Annual Reports and in published Privacy Impact Assessments. However, the DIC did not support a statutory appointment of a data protection officer, as that might not be appropriate for all Small to Medium Enterprises. What the ICO wants is for the senior management of all endeavours to formally identify someone as being responsible for data protection compliance. So expect this to form part of the UK’s implementation of any new Accountability Principle.

Similarly, the Commissioner is lukewarm with respect to a statutory data breach notification requirement because he considers the requirement to notify data subjects of a breach depends on the circumstances of the breach. He is content with the current UK situation where personal data loss is first notified to the Commissioner.

All this leads to the concept of “pragmatism in data protection”. At the meeting, the DIC stressed that ICO’s policy is to adopt a pragmatic approach to resolving data protection problems because such a pragmatic approach offered more influence with the data controller community. In other words, data protection principles were not fundamental principles to be held inviolate on every processing occasion.

Although the DIC accepted that this pragmatic view was seen by others (presumably other European Privacy Commissioners) as “a sign of weakness”, the approach found acceptance with the Government’s spokeswoman. Dogmatism in data protection was something for those Europeans to have in their law (but not ours!).

The lasting impression is that these statements comprise a public admission that the future development of data protection policy in Europe is split at the highest level. If this is true, any Regulation or Directive is impossible to draft as there appears to be a rift between privacy fundamentalism on the one hand and data protection pragmatism on the other. The only outcome can be an agreement to disagree – especially in the areas of law enforcement.

One can therefore predict that harmonisation of European data protection law may well be a pipe-dream.
