UK ICO analysis on proposed EU DP Regulation: Too much red tape for companies

The United Kingdom's Information Commissioner’s Office (ICO) thinks that the proposals for an EU Data Protection Regulation are too prescriptive and may lead to data protection being regarded simply as a form-filling exercise. While the ICO welcomes accountability in principle, it says that the requirements for data controllers to have the necessary documentation in place (Articles 22 and 28) should, if the processing would otherwise be fair and lawful, be promoted as good practice rather than a legal obligation. The proposed provisions that require prior authorisation are disproportionately burdensome and bureaucratic – for both data controllers and supervisory authorities, the ICO says. In addition, the target of 24 hours for notifying data breaches is unrealistic, the ICO says.

The ICO would like to see just one instrument instead of a general DP Regulation and a separate Directive for the law enforcement area. Given the two different instruments proposed, it is important for there to be as much consistency as possible between these instruments, the ICO said in its analysis published on 27 February. At the moment, there is ‘significant variation between the versions of the Principles that appear in the Regulation and in the Directive’, the ICO says.

The ICO is of the view that the proposed two-year implementation period is too long. “We have doubts as to whether complete harmonisation is possible, or even desirable,” the ICO says. “If taken too far, the drive for harmonisation will lead to burdens on business and complexity for individuals that may achieve harmonisation on paper but will not necessarily deliver sensible and effective data protection in practice.”

The ICO says it may not be helpful to define the possible breaches leading to fines in such detail. ‘Fines should only be imposed for procedural or record keeping breaches of the Regulation where it is possible to demonstrate a clear link between the breach in question and the creation of a significant risk to privacy.’