PL&B UK E-news, Issue 64

1. Lords recommend data breach notification law

The House of Lords recommends that the Government start consultation now regarding data breach notification rules, rather than wait for direction from the European Commission. A report by the Lords Science and Technology Committee from August says that a security breach notification law should incorporate the following key elements:

  • Workable definitions of data security breaches
  • A mandatory and uniform central reporting system
  • Clear rules on form and content of notification letters.

Read more about UK developments, and how companies in the US comply with their breach notification laws, in the September issue of the PL&B UK Newsletter.

2. EU finds several problem areas in the DPA

The European Commission says that UK’s implementation of the EU Data Protection Directive has problems regarding 11 of the Directive’s articles, reports A response to its FOI request reveals failings in the implementation of the following: the definitions (in particular that of personal data); the scope of the Directive’s application to manual files; the conditions for processing sensitive data; fair processing notices; data subject rights; the application of exemptions from these rights; remedies for individuals; the liability of organisations for breaches of data protection law; the transfer of personal data outside of the European Union; and the powers of the Information Commissioner. The corresponding articles are 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28.

A statement released to by the Ministry of Justice on 14 September said: “We are in discussion with the Commission about these issues. We believe that the UK has properly implemented the Data Protection Directive via the Data Protection Act 1998 and other relevant provisions of UK law.”

3. Thomas launches critique of EU DP Directive

The EU Data Protection Directive is “highly confusing and overly prescriptive”, and the European Commission’s review was “deplorably complacent”, said Richard Thomas, Information Commissioner at the Data Protection Forum’s 15th Anniversary event in London on 6 September. He said that it was time to start a debate on changing the directive.
The EU Data Protection Supervisor, Peter Hustinx, responded by expressing some support for the direction of these comments.

The European Commission’s review published in March this year stated that some Member States should implement the directive better. It also said that the directive was fulfilling its objectives and that its rules were “substantially appropriate”. From Hustinx’s perspective, focus on better implementation is encouraged by infringement procedures against seven Member States before the European Court of Justice.

For the future, Hustinx said that some changes are unavoidable but that the process would be time consuming as any amendments proposed by the European Parliament would need a co-decision by the Council of Ministers and the European Parliament. He supported the need for a clear date for review of the directive in the next three to five years. In addition, he favours more global privacy standards to include Binding Corporate Rules as an important part of the menu.

For further details on the Privacy Laws & Business UK Newsletter, please click here.

Copyright Privacy Laws & Business 2007