ICO expects much more certainty on EU DP Regs by the end of 2015
The Trilogue negotiations on EU Data Protection draft Regulation will continue in September, and the ICO says that the planned timetable runs until December. ‘If all goes according to that plan, then we’ll know pretty much what’s going to be in the Regulation by the end of this year’, David Smith, Deputy Information Commissioner writes in the ICO blog on 26 August.

Smith says in his blog: ‘September not April may turn out to be the cruellest month. That’s when it is likely the going will start to get tougher, as the Trilogue will be looking at key principles including the extent to which the processing of personal data can be based on a data controller’s ‘legitimate interests’, and how far ‘incompatible processing’ is permissible. There’s been much criticism of the Council’s text in this area, but the Parliament’s text has its problems too, so it would be foolish to try to predict just what will emerge.’

The ICO has now published its commentary on the latest EU Council position of 15 June. The ICO says that separate national arrangements must be kept to the minimum to avoid eroding the principle of harmonisation. ‘This has been a contentious issue during the Council negotiations. However, there is a danger of different data protection regimes developing.’

The ICO’s paper states that ‘We believe that we need a single, high standard of consent and that should be either ‘explicit’, ‘unambiguous’ or both, but not one or the other depending on context. In reality, supervisory authorities are likely to focus on whether consent is of a sufficiently high standard in the round, not solely on whether it is ‘explicit’ or ‘unambiguous’. We reiterate our view that there must be realistic alternatives to consent – for example ‘legitimate interests’ where the data processing is necessary to provide the goods or services that an individual has requested.’

Data Breach Notification will definitely be included in the new law, but there is still no firm agreement on the timeframe within which notification has to be made, or on which breaches must be notified. The ICO is concerned about the possibility of receiving a large number of notifications of trivial or inconsequential data breaches. It would like to see a reference to ‘high-risk’ breaches, which would also apply to informing the data subject directly.

The Council has stated that Data Protection Officers should not be mandatory. The ICO supports this view – each country would have discretion and therefore the appointment of a DPO could be mandatory in Germany but not in the UK.