ICO welcomes proposals for an EU Data Protection Regulation with reservations

The ICO has welcomed the proposals for a general DP regulation, published by the European Commission on 25 January, and says that they go a long way towards the requirements that the ICO had in mind.

The proposals that promote accountability will have many implications for UK businesses, for example appointing an internal DP officer, securing explicit consent for marketing, breach notification, risk assessment formalities, and providing transparency documentation.

The ICO says that in a number of areas the proposal is unnecessarily and unhelpfully over-prescriptive. “This poses challenges for its practical application and risks developing a ‘tick box’ approach to data protection compliance,” the ICO said in a statement. The Commissioner thinks that it is unnecessary to retain the concept of sensitive data, and to require companies to seek his prior approval for certain types of international transfers. He says the idea of extending the legislation’s scope to non-EU organisations offering services to EU citizens should be revisited, as there is no clear indication of how the Regulation’s requirements can be readily enforced outside the EU.

Elements of the proposal that the Commissioner particularly welcomes include:

  • Explicit consent for use of personal data
  • Data portability
  • Important legal obligations for data processors
  • A mandatory data breach notification duty. The Commissioner thinks that this should, however, apply only to serious breaches.
  • Legal recognition for the use of Binding Corporate Rules
  • Data Protection seals and marks
  • Stronger powers for DP Authorities, including an audit power.

The proposal will now be passed on to the European Parliament and the 27 EU Member States within the EU’s Council of Ministers for discussion. The European Commission aims to ensure an agreement by the end of 2012. The UK Commissioner will be contributing to the EU Article 29 Working Party’s consideration of the proposals. When adopted, the Regulations will enter into force within two years.

The ICO’s Deputy Commissioner David Smith will speak about these issues and listen to your concerns and suggestions at PL&B’s Roundtable in London on 14 February.

Read more about this topic in future issues of PL&B UK and International Reports.