On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK. The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly. Over the last two months, Hunton & Williams and Acxiom, a global leader in interactive marketing services, worked together with the Group’s participation to host two discussion meetings and produced a submission summarizing the Group’s views.
The MoJ invited organizations, members of the public and all interested parties to provide their views on the impact of data protection legislation in the UK and “whether the current data protection laws are working in light of social and technological changes.” The purpose of the Call for Evidence is to help inform the UK’s position on the negotiations to revise EU data protection laws. In its response, the Group concluded that, “the fundamental principles of the Directive remain sound but the overly bureaucratic manner in which many of them are reflected in local law renders data protection regulation in Europe unnecessarily complex and, in some cases, ineffective.” Although the Group considers that, in the UK, the Directive has been implemented and interpreted in a pragmatic way, they proposed the following:
- Simplified Notification Procedures — The Group advocates for the implementation of a simplified central notification system across the EU to enable multinational organizations to submit a single notification to a central EU body.
- Simplified International Data Transfer Mechanisms — The Group believes that each of the current arrangements is inadequate to accommodate the everyday reality of global data flows. The Group supports the concept of Binding Corporate Rules (“BCRs”) as the most effective mechanism for managing international data transfers, but also considers BCRs too expensive and time consuming for most companies to implement. The Group proposes a new binding global code, which incorporates the elements of a checklist approved by the Article 29 Working Party but without the need to negotiate and receive approval of the code from the individual data protection authorities.
- Explicit Accountability — The Group supports the recommendations of the Article 29 Working Party paper for data controllers to be held accountable for the way in which they comply with their obligations under data protection laws. The Group supports an approach where data controllers have flexibility in how they fulfill their obligations under the UK Data Protection Act but are required to demonstrate how they achieve legal compliance.
The Group also rejected proposals for mandatory notification of all breaches. The Group drew a parallel between an EU mandatory breach notification system and the U.S. regime where mandatory notification has resulted in “notification fatigue.” In the Group’s experience, notification can be an expensive waste of resources where the breach is trivial, or unlikely to result in harm to individuals. Instead, the Group supports a system where organizations must notify individuals only when there is a real risk of individuals suffering significant harm as a direct result of a breach. This approach is consistent with current breach notification guidance issued by the Information Commissioner’s Office.
The MoJ intends to publish a summary of the received responses to the Call for Evidence. View the full copy of the response submitted by Acxiom and Hunton & Williams (and others).