Feeds

ICO Deputy exposes Data Protection law wish list

Harmonisation of EU data protection law may be a pipe-dream

The Power of One Infographic

Comment Last Friday, data protection day, was commemorated with a meeting organised by the Ministry of Justice in Whitehall. At that meeting, David Smith, the Deputy Information Commissioner (DIC), reviewed the Information Commissioner’s wish list of changes to data protection law. This blog reports on the content of that list.

Regulation or new directive?

Speaking to “very well informed sources” at a break in the meeting it became clear that the UK government wants the changes to data protection law to be implemented by a Directive (unlike the EDPS, who wants a Regulation). If this is the case, Directive negotiations will take an age, and one can assume that any prospect of a new Data Protection law in the UK will be booted into the long grass (five to eight years at least – well into the next Parliament).

So if the Commission decides on a Regulation, I think it will have to give Member States a considerable degree of subsiduarity (eg, Member States have flexibility in the area of national security or law enforcement). Otherwise, some Member States (eg, the UK) will ensure that any internal discussion about a Regulation will become protracted because, in the UK, law enforcement and national security agencies are used to relying on generous exemptions from the data protection rules. I got the sense at the meeting that this position will NOT substantially change.

Also lurking in the background is the “Protocol on the Position of the United Kingdom and Ireland in Respect of the Area of Freedom, Security and Justice”. Article 6a of this Protocol to the Lisbon Treaty states that:

The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title IV of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.

Let’s cut the legalese. The above means the UK can opt out in areas of judicial co-operation and serious crime especially where data protection rules impacts in these areas. This is another legacy of New Labour, over-anxious that Europe would not be able to interfere with Surveillance Britain.

It is interesting to note that no one has challenged the Coalition Government as to whether it agrees with this opt-out – I suspect it does agree.

In addition, those who support a Regulation want a Regulation to be a harmonising measure so that all Europe’s data protection laws provide the equivalent standard of data protection. They also support a Regulation as Member States will be obliged to translate its provisions into national data protection laws.

However, if Member States can go their own way – as the UK can in these sensitive areas – then the rationale for supporting a Regulation is lost. To put it bluntly, I can see many Member States saying: “Well if the UK can do it, so can we,” (or “Yes we can,” for American readers).

Accountability and pragmatism

The ICO, like all European Commissioners, supports the idea of a prominent Accountability Principle. For instance, the DIC indicated that the ICO favours details about data protection compliance appearing in Annual Reports and in published Privacy Impact Assessments. However the D. I. C. did not support a statutory appointment of a data protection officer as that might not be appropriate for all Small to Medium Enterprises. What the ICO wants senior management of all endeavours to formally identify someone as being responsible for data protection compliance. So expect this to form part of the UK’s implementation of any new Accountability Principle.

Similarly, the Commissioner is lukewarm with respect to a statutory data breach notification requirement because he considers the requirement to notify data subjects of a breach depends on the circumstances of the breach. He is content with the current UK situation where personal data loss is first notified to the Commissioner.

All this leads to the concept of “pragmatism in data protection”. At the meeting, the DIC stressed that ICO’s policy is to adopt a pragmatic approach to resolving data protection problems because such a pragmatic approach offered more influence with the data controller community. In other words, data protection principles were not fundamental principles to be held inviolate on every processing occasion.

Although the DIC accepted that this pragmatic view was seen by others (presumably other European Privacy Commissioners) as “a sign of weakness”, the approach found acceptance with the Government’s spokeswoman. Dogmatism in data protection was something for those Europeans to have in their law (but not ours!).

The lasting impression is that these statements comprise a public admission that the future development of data protection policy in Europe is split at the highest level. If this is true, any Regulation or Directive is impossible to draft as there appears to be a rift between privacy fundamentalism on the one hand and data protection pragmatism on the other. The only outcome can be an agreement to disagree – especially in the areas of law enforcement.

One can therefore predict that harmonisation of European data protection law may well be a pipe-dream.

The Power of One Brief: Top reasons to choose HP BladeSystem

Next page: A question of harm?

More from The Register

next story
Sit back down, Julian Assange™, you're not going anywhere just yet
Swedish court refuses to withdraw arrest warrant
UK Parliament rubber-stamps EMERGENCY data grab 'n' keep bill
Just 49 MPs oppose Drip's rushed timetable
MPs wave through Blighty's 'EMERGENCY' surveillance laws
Only 49 politcos voted against DRIP bill
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Delaware pair nabbed for getting saucy atop Mexican eatery
Burrito meets soft taco in alleged rooftop romp outrage
British cops cuff 660 suspected paedophiles
Arrests people allegedly accessing child abuse images online
LightSquared backer sues FCC over spectrum shindy
Why, we might as well have been buying AIR
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Mobile application security vulnerability report
The alarming realities regarding the sheer number of applications vulnerable to attack, and the most common and easily addressable vulnerability errors.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.