UK ICO analysis on proposed EU DP Regulation: Too much red tape for companies

29/02/2012

The United Kingdom's Information Commissioner’s Office (ICO) thinks that the proposals for an EU Data Protection Regulation are too prescriptive and may lead to data protection being regarded simply as a form-filling exercise. While the ICO welcomes accountability in principle, it says that the requirements for data controllers to have the necessary documentation in place (Articles 22 and 28) should, if the processing would otherwise be fair and lawful, be promoted as good practice rather than a legal obligation. The proposed provisions that require prior authorisation are disproportionately burdensome and bureaucratic – for both data controllers and supervisory authorities, the ICO says. In addition, the target of 24 hours for notifying data breaches is unrealistic, the ICO says. 

The ICO would like to see just one instrument instead of a general DP Regulation and a separate Directive for the law enforcement area. Given the two different instruments proposed, it is important for there to be as much consistency as possible between these instruments, the ICO said in its analysis published on 27 February. At the moment, there is ‘significant variation between the versions of the Principles that appear in the Regulation and in the Directive’, the ICO says.

The ICO is of the view that the proposed two-year implementation period is too long. “We have doubts as to whether complete harmonisation is possible, or even desirable,” the ICO says. “If taken too far, the drive for harmonisation will lead to burdens on business and complexity for individuals that may achieve harmonisation on paper but will not necessarily deliver sensible and effective data protection in practice.”

The ICO says it may not be helpful to define the possible breaches leading to fines in such detail. ‘Fines should only be imposed for procedural or record keeping breaches of the Regulation where it is possible to demonstrate a clear link between the breach in question and the creation of a significant risk to privacy.’

Read more about this topic in the PL&B UK Report, to be published mid-March.

If you are not a subscriber, you can pre-order the March edition, together with the Note to the UK's Ministry of Justice resulting from the ICO Roundtable on 14th February organised by Privacy Laws & Business's Privacy Officers Network. The Note to the Ministry of Justice on the proposals for an EU Data Protection Regulation identifies the Top 10 issues voted upon by major companies and law firms and represents a consensus of their views. The Note is available now and you can obtain both the Note and the March edition for a fee of £65 by e-mailing glenn@privacylaws.com with "UK March Report" in the subject line.
