Privacy & Information Security Law Blog

On January 11, 2013, the UK Government published its response (the “Response”) to the UK Justice Select Committee’s opinion on the European Commission’s proposed revised data protection framework. The Response highlights a number of concerns expressed by the UK Government regarding the Commission’s legislative proposals.

Choice of Instrument for the General Data Protection Regulation

According to its Response, the UK Government understands why the Commission decided that a regulation was the correct instrument to achieve greater harmonization across EU Member States, but it believes that the proposed General Data Protection Regulation (the “Proposed Regulation”) should be “re-cast as a Directive,” which would permit harmonization in areas of fundamental importance while allowing flexibility to accommodate individual circumstances. The Response notes the potential for harmonization of the fundamental principles, the rights of data subjects, and the rules of the supervisory authorities and the European Data Protection Board. In addition, the Government expresses its support for the consistency mechanism. The Response states that supervisory authorities should be “entrusted” to handle compliance factors, such as fees and processing requiring prior authorization, and to provide guidance. The Government adds that the proposed framework of one directive (requiring implementation in every EU Member State) and one regulation (taking direct effect in every EU Member State) would require the UK’s current data protection legislation, the Data Protection Act 1998, to be split, causing confusion for both data subjects and organizations. However, the Response suggests that if the Proposed Regulation is re-cast as a directive, the two directives could then be implemented by a single, unified piece of national legislation.

Constraints on Businesses

The UK Government emphasizes that the revised framework must secure individuals’ privacy “without placing constraints on businesses[‘] practices that harm innovation and growth.” The Response criticizes the Proposed Regulation for containing “prescriptive obligations” and a “‘one size fits all’ approach” that does not accommodate all types of data controllers or allow them to adopt their own compliance practices suitable for their types of businesses. The Response calls upon the Commission to conduct a full assessment, similar to the UK Government’s own impact assessment, to evaluate the impact of the proposals.

Impact on the UK ICO

In its Response, the UK Government states that it is “sympathetic” to the UK Information Commissioner’s Office’s (“ICO”) assertion that that the Proposed Regulation is “a regime which no-one will pay for.” The ICO has estimated that the additional requirements contained in the Proposed Regulation will cost it between £8 - 28 million per year. Additionally, the ICO will lose its revenue stream (notification fees) as notifications will be abolished under the Proposed Regulation.

Police and Criminal Justice Data Protection Directive

The Response notes that the UK Government does not believe that a case “has been convincingly made” for replacing and repealing the Council of the European Union’s Framework Decision 2008/977/JHA (the “Framework Decision”), and that there is no “pressing need” to update the Framework Decision. As the Framework Decision has not yet been fully implemented in all EU Member States, the Response suggests that implementation and evaluation “should come first before new legislation is considered.”