ICO Deputy exposes Data Protection law wish list
Harmonisation of EU data protection law may be a pipe-dream
Comment Last Friday, data protection day, was commemorated with a meeting organised by the Ministry of Justice in Whitehall. At that meeting, David Smith, the Deputy Information Commissioner (DIC), reviewed the Information Commissioner’s wish list of changes to data protection law. This blog reports on the content of that list.
Regulation or new directive?
Speaking to “very well informed sources” at a break in the meeting it became clear that the UK government wants the changes to data protection law to be implemented by a Directive (unlike the EDPS, who wants a Regulation). If this is the case, Directive negotiations will take an age, and one can assume that any prospect of a new Data Protection law in the UK will be booted into the long grass (five to eight years at least – well into the next Parliament).
So if the Commission decides on a Regulation, I think it will have to give Member States a considerable degree of subsidiarity (e.g., Member States have flexibility in the area of national security or law enforcement). Otherwise, some Member States (e.g., the UK) will ensure that any internal discussion about a Regulation becomes protracted because, in the UK, law enforcement and national security agencies are used to relying on generous exemptions from the data protection rules. I got the sense at the meeting that this position will NOT substantially change.
Also lurking in the background is the “Protocol on the Position of the United Kingdom and Ireland in Respect of the Area of Freedom, Security and Justice”. Article 6a of this Protocol to the Lisbon Treaty states that:
The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title IV of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.
Let’s cut the legalese. The above means the UK can opt out in areas of judicial co-operation and serious crime, especially where data protection rules impact on these areas. This is another legacy of New Labour, over-anxious that Europe would not be able to interfere with Surveillance Britain.
It is interesting to note that no one has challenged the Coalition Government as to whether it agrees with this opt-out – I suspect it does agree.
In addition, those who support a Regulation want a Regulation to be a harmonising measure so that all Europe’s data protection laws provide the equivalent standard of data protection. They also support a Regulation as Member States will be obliged to translate its provisions into national data protection laws.
However, if Member States can go their own way – as the UK can in these sensitive areas – then the rationale for supporting a Regulation is lost. To put it bluntly, I can see many Member States saying: “Well if the UK can do it, so can we,” (or “Yes we can,” for American readers).
Accountability and pragmatism
The ICO, like all European Commissioners, supports the idea of a prominent Accountability Principle. For instance, the DIC indicated that the ICO favours details about data protection compliance appearing in Annual Reports and in published Privacy Impact Assessments. However, the DIC did not support a statutory appointment of a data protection officer, as that might not be appropriate for all Small to Medium Enterprises. What the ICO wants is for senior management of all organisations to formally identify someone as being responsible for data protection compliance. So expect this to form part of the UK’s implementation of any new Accountability Principle.
Similarly, the Commissioner is lukewarm with respect to a statutory data breach notification requirement because he considers the requirement to notify data subjects of a breach depends on the circumstances of the breach. He is content with the current UK situation where personal data loss is first notified to the Commissioner.
All this leads to the concept of “pragmatism in data protection”. At the meeting, the DIC stressed that the ICO’s policy is to adopt a pragmatic approach to resolving data protection problems because such an approach offers more influence with the data controller community. In other words, data protection principles are not fundamental principles to be held inviolate on every processing occasion.
Although the DIC accepted that this pragmatic view was seen by others (presumably other European Privacy Commissioners) as “a sign of weakness”, the approach found acceptance with the Government’s spokeswoman. Dogmatism in data protection was something for those Europeans to have in their law (but not ours!).
The lasting impression is that these statements comprise a public admission that the future development of data protection policy in Europe is split at the highest level. If this is true, any Regulation or Directive is impossible to draft as there appears to be a rift between privacy fundamentalism on the one hand and data protection pragmatism on the other. The only outcome can be an agreement to disagree – especially in the areas of law enforcement.
One can therefore predict that harmonisation of European data protection law may well be a pipe-dream.