The Information Commissioner’s Office (ICO) has published a briefing on the future of data protection in the European Union, setting out the ICO’s views on the scope and expected content of the new EU data protection legal framework. The briefing outlines what the ICO would like to see in future legislation.
BACKGROUND
The Data Protection Directive 95/46/EC (the Directive) regulates the processing of personal data in the European Union. Since its implementation, technological developments have changed the landscape in which the Directive operates, resulting in questions over its fitness for purpose. In November 2010, the European Commission published a communication entitled “A comprehensive approach on personal data protection in the European Union”, which sets out the Commission’s concerns over whether the Directive, in its current form, could bear the strain of technological change. The communication stimulated debate over the scope and content of a revised Directive, with EU Justice Commissioner Viviane Reding calling for an overhaul of the current regime. The briefing is the latest contribution to that debate.
SCOPE
The briefing states that an effective new data protection framework must be “overarching, clear in scope and easy to understand and apply, consisting of high-level principles with the detail in implementing measures, codes of practice and other mechanisms.” In addition, the framework should place responsibility on, and require accountability from, those processing personal data throughout the information life cycle. This includes applying obligations directly to data processors.
Equally, there should be clearly defined exemptions for domestic purposes and journalism, taking account of changes such as social networking sites and blogs.
RIGHTS
The framework should strengthen an individual’s right to object to and block processing and to have their data deleted, and reverse the burden of proof so the organisation has to provide compelling grounds for continuing to process the data. The ICO suggests that the Commission should not introduce a stand-alone “right to be forgotten” since, in its view, this could “mislead individuals and falsely raise their expectations, and be impossible to implement and enforce in practice”. However, it should be easier for individuals to exercise their rights by using technology to provide subject access and giving individuals the ability to move their data around and have it in a reusable format.
OBLIGATIONS
The ICO wants the new framework to be less prescriptive in terms of the processes organisations are expected to adopt, but clearer in terms of the standards they are expected to reach. Organisations should carry out a privacy impact assessment where processing has, or could have, a significant or adverse impact on the individual, or where the purpose of the processing creates a particular risk. The briefing acknowledges that “any explicit provisions to compel privacy by design would be difficult to implement and enforce in practice”.
Information provided to regulators by organisations should be “meaningful” and “demonstrate compliance and accountability”. In the first instance, assessing the adequacy for international transfers of data should be the responsibility of the organisation, not data protection authorities.
DATA PROTECTION AUTHORITIES
The ICO insists that data protection authorities should supervise, enforce, advise, and not give prior approval or authorisation to organisations’ activities. Furthermore, the authorities should have powers to take action against any organisation, regardless of the role the authorities take in the stewardship of the personal data. These powers should include the ability to audit all organisations. In addition, authorities should cooperate and share information with each other, but “remain independent”.
COMMENT
The Commission’s principal objectives regarding revision of the Directive were to strengthen individuals’ rights, revise data protection rules in the area of police and criminal justice, ensure high levels of protection for data transferred outside the European Union, and provide more effective enforcement of the rules. The ICO is broadly in agreement with the Commission’s objectives, but differs in some respects over how they should be achieved.