Privacy & Information Security Law Blog

Following up on the UK Information Commissioner’s Office’s (“ICO’s”) positive reaction to the European Commission’s proposed General Data Protection Regulation (the “Proposed Regulation”), the ICO has now published additional thoughts on the European Commission’s proposed revised data protection framework, reacting to the recent draft report prepared by the rapporteur to the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs, Jan Philipp Albrecht. In February 2012, the ICO released an initial analysis of the Commission’s package of proposals, which included the proposed Police and Criminal Justice Data Protection Directive (“Proposed Directive”).

Highlights of the ICO’s latest analysis include:

• The ICO calls for consistency between the Proposed Regulation and the Proposed Directive, as any substantive inconsistency between the two instruments would be “a source of difficulty and confusion for years to come.” For the same reason, the ICO does not support the introduction of a separate instrument governing the processing of personal data in the public sector.
• As stated in its earlier analysis, the ICO considers the Commission’s proposals to be too prescriptive and suggests that the emphasis should be on “outcomes rather than processes,” reflecting a “truly risk-based approach to compliance.”
• The ICO calls for clarification of the definition of “personal data” and the status of pseudonymized data, in particular in the context of non-obvious identifiers such as IP addresses.
• The rights of data subjects must be deliverable in practice, and the ICO is concerned that the right to be forgotten will lead data subjects to “expect a degree of protection that cannot be delivered in practice.”
• The ICO also raises concerns regarding the purported extraterritorial reach of the Proposed Regulation, calling for a “need to be realistic about the limited power EU data protection authorities may have over non-EU data controllers.”
• The ICO calls for greater respect for the different legal traditions of EU Member States and is concerned by the proposal to significantly narrow the “legitimate interests” legal ground for processing personal data, which is heavily relied upon by UK data controllers.
• The ICO highlights the additional resources likely to be required by data protection authorities to carry out their extended functions.
• The ICO welcomes the European Parliament’s proposal that the European Data Protection Board should be responsible for the consistency mechanism.

In addition to the ICO’s further thoughts on the Commission’s proposals, the Parliament's recently released draft report also has prompted comments from the French data protection authority and the German Federal Commissioner.