Feeds

ICO Deputy exposes Data Protection law wish list

Harmonisation of EU data protection law may be a pipe-dream

Boost IT visibility and business value

Comment Last Friday, data protection day, was commemorated with a meeting organised by the Ministry of Justice in Whitehall. At that meeting, David Smith, the Deputy Information Commissioner (DIC), reviewed the Information Commissioner’s wish list of changes to data protection law. This blog reports on the content of that list.

Regulation or new directive?

Speaking to “very well informed sources” at a break in the meeting it became clear that the UK government wants the changes to data protection law to be implemented by a Directive (unlike the EDPS, who wants a Regulation). If this is the case, Directive negotiations will take an age, and one can assume that any prospect of a new Data Protection law in the UK will be booted into the long grass (five to eight years at least – well into the next Parliament).

So if the Commission decides on a Regulation, I think it will have to give Member States a considerable degree of subsiduarity (eg, Member States have flexibility in the area of national security or law enforcement). Otherwise, some Member States (eg, the UK) will ensure that any internal discussion about a Regulation will become protracted because, in the UK, law enforcement and national security agencies are used to relying on generous exemptions from the data protection rules. I got the sense at the meeting that this position will NOT substantially change.

Also lurking in the background is the “Protocol on the Position of the United Kingdom and Ireland in Respect of the Area of Freedom, Security and Justice”. Article 6a of this Protocol to the Lisbon Treaty states that:

The United Kingdom and Ireland shall not be bound by the rules laid down on the basis of Article 16 of the Treaty on the Functioning of the European Union which relate to the processing of personal data by the Member States when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title IV of Part Three of that Treaty where the United Kingdom and Ireland are not bound by the rules governing the forms of judicial cooperation in criminal matters or police cooperation which require compliance with the provisions laid down on the basis of Article 16.

Let’s cut the legalese. The above means the UK can opt out in areas of judicial co-operation and serious crime especially where data protection rules impacts in these areas. This is another legacy of New Labour, over-anxious that Europe would not be able to interfere with Surveillance Britain.

It is interesting to note that no one has challenged the Coalition Government as to whether it agrees with this opt-out – I suspect it does agree.

In addition, those who support a Regulation want a Regulation to be a harmonising measure so that all Europe’s data protection laws provide the equivalent standard of data protection. They also support a Regulation as Member States will be obliged to translate its provisions into national data protection laws.

However, if Member States can go their own way – as the UK can in these sensitive areas – then the rationale for supporting a Regulation is lost. To put it bluntly, I can see many Member States saying: “Well if the UK can do it, so can we,” (or “Yes we can,” for American readers).

Accountability and pragmatism

The ICO, like all European Commissioners, supports the idea of a prominent Accountability Principle. For instance, the DIC indicated that the ICO favours details about data protection compliance appearing in Annual Reports and in published Privacy Impact Assessments. However the D. I. C. did not support a statutory appointment of a data protection officer as that might not be appropriate for all Small to Medium Enterprises. What the ICO wants senior management of all endeavours to formally identify someone as being responsible for data protection compliance. So expect this to form part of the UK’s implementation of any new Accountability Principle.

Similarly, the Commissioner is lukewarm with respect to a statutory data breach notification requirement because he considers the requirement to notify data subjects of a breach depends on the circumstances of the breach. He is content with the current UK situation where personal data loss is first notified to the Commissioner.

All this leads to the concept of “pragmatism in data protection”. At the meeting, the DIC stressed that ICO’s policy is to adopt a pragmatic approach to resolving data protection problems because such a pragmatic approach offered more influence with the data controller community. In other words, data protection principles were not fundamental principles to be held inviolate on every processing occasion.

Although the DIC accepted that this pragmatic view was seen by others (presumably other European Privacy Commissioners) as “a sign of weakness”, the approach found acceptance with the Government’s spokeswoman. Dogmatism in data protection was something for those Europeans to have in their law (but not ours!).

The lasting impression is that these statements comprise a public admission that the future development of data protection policy in Europe is split at the highest level. If this is true, any Regulation or Directive is impossible to draft as there appears to be a rift between privacy fundamentalism on the one hand and data protection pragmatism on the other. The only outcome can be an agreement to disagree – especially in the areas of law enforcement.

One can therefore predict that harmonisation of European data protection law may well be a pipe-dream.

Build a business case: developing custom apps

Next page: A question of harm?

More from The Register

next story
Hello, police, El Reg here. Are we a bunch of terrorists now?
Do Brits risk arrest for watching beheading video nasty? We asked the fuzz
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
UK government accused of hiding TRUTH about Universal Credit fiasco
'Reset rating keeps secrets on one-dole-to-rule-them-all plan', say MPs
Caught red-handed: UK cops, PCSOs, specials behaving badly… on social media
No Mr Fuzz, don't ask a crime victim to be your pal on Facebook
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Yes, but what are your plans if a DRAGON attacks?
Local UK gov outs most ridiculous FoI requests...
Felony charges? Harsh! Alleged Anon hackers plead guilty to misdemeanours
US judge questions harsh sentence sought by prosecutors
This'll end well: US govt says car-to-car jibber-jabber will SAVE lives
Department of Transportation starts cogs turning for another wireless comms standard
Munich considers dumping Linux for ... GULP ... Windows!
Give a penguinista a hug, the Outlook's not good for open source's poster child
UK fuzz want PINCODES on ALL mobile phones
Met Police calls for mandatory passwords on all new mobes
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.