ICO Warns European Data Protection Framework Needs More Work

The proposed European Data Protection Framework (EDPF) leaves lots of problems unresolved, said Britain’s deputy Information Commissioner today.

Deputy Commissioner David Smith gave the the EDPF a mark of 3.5 out of five, warning that it is too detailed and prescriptive, at a Westminster eForum event in London today,  where the European data protection supervisor Peter Hustinx had set out the case for the Framework.

New world, new rules

The EDPF aims to resolve some of the data protection issues raised by the digital economy, which are often exposed by events such as the Leveson enquiry into newspaper phone hacking, and the loss of personal data by councils and the NHS.  Google is at odds with European regulators about its privacy policy changes while online advertisers are trying to find a way to earn back customer trust, without losing revenue.

The EDPF is supposed to supersede the existing Data Protection Directive of 1995, which predates widespread Internet use, and will apply to all 27 European member states, replacing various national laws, and creating legal certainty.

The new framework places more emphasis on enforcement than the previous regulations, and seeks to make organisations proactive in their treatment of customer data through fines and penalties, said Hustinx

Under the new proposals, the Article 29 Working Party, which drafted the framework, will be replaced with a Data Protection Board, which will become the ultimate arbitrator in all data protection questions, able to fine SMEs up to €1 million (£839,000) and penalise multinational organisations by up to two percent of their annual worldwide turnover. Another framework suggestion would require organisations to report data breaches in the space of 24 hours.

Other critics at the event criticsed the Framework, arguing that it might cause additional costs and burdens on organisations, especially SMEs, which is at odds with current Digital Economy plans. The framework’s proposed “right to be forgotten” was unrealistic, said minister of state Lord McNally.

Healthcare, law enforcement, the media and organisations in other fields, such as credit check agencies, would need to be exempt from the rule, as access to personal information in these fields is essential, he said:  “These are not techie issues, but political issues.”

Hustinx defended the “right to be forgotten”, describing it as a “welcome overstatement”,  used by Viviane Reding to draw attention to the Framework. People with a particular interest in “being forgotten” might be disappointed by the final implementation of this feature, he said.

Getting it right

In its current form, the framework is too detailed and prescriptive, said Smith,  “importing the German model of data protection officer” into the rest of the EU states. Lord McNally compared the new data protection rules to the attempt to introduce Esperanto, saying we should look to better understand each other and our respective laws, rather than reworking current principles and introducing a “one size fits all” policy.

Smith criticised the lack of focus on real privacy risks and real danger to Internet users, and warned that the pressure on national regulation authorities would increase dramatically. He confirmed that the ICO is already preparing for the new directive implementation. “We want a legal instrument that would enable us to continue to do what we see as a proper job as a supervising authority, helping businesses get it right, but with a sting in our tail, and action taken against those who deliberately or negligently don’t get it right. We want to be a privacy authority, not a red tape authority.”

“The use of personal data should be local, fair and secure. And the data itself should be kept for no longer than is necessary. These are the principles that formed the basis of the first data protection laws in the UK, some 30 years ago. I believe they are still pertinent today,” added McNally.

The regulation and directive will be negotiated by EU member states and the European parliament before becoming law. The timing is not an exact science, said Hustinx, but the directive is likely to launch next year. After that there will be a period of two years for implementation, after which the regulation will come into full effect.

Do you know enough about data security? Take our quiz!