UK—ICO Calls for Changes to Draft Data Protection Regulation
By Brian Davidson, CIPP/E
The UK data protection authority (the ICO) has published further views on the reform of EU data protection rules, following the release of the European Parliament LIBE Committee's report on the regulation.
Whilst recognizing that the efforts from the European Parliament are “on the right track,” the ICO highlights that the current proposal is “too prescriptive” in terms of the administrative measures organizations, particularly SMEs, will have to undertake to demonstrate accountability. The ICO encourages the regulation to focus more on outcomes instead of processes and to adopt a “truly risk-based approach to compliance.”
The ICO also identifies that, whilst individuals have to be in control of their information, the “right to be forgotten” will lead individuals to expect a degree of protection that “cannot be delivered in practice.” Although the ICO supports a high level of consent in order to minimize doubts as to whether individuals have agreed—or not agreed—to their personal data being processed in a particular way, the ICO also stresses the need for alternatives to consent to exist—especially in situations where consent may not be viable.
Finally, the ICO highlights the need for European data protection law to be “outward-looking” to facilitate greater interoperability beyond EU borders, and criticizes the impracticality of linking fines to a percentage of turnover, highlighting that fines are not always the best option and that data protection authorities should instead work together towards a risk-based approach with more discretion over the use of sanctions.
Brian Davidson, CIPP/E, is a privacy and information advisor at Field Fisher Waterhouse, LLP.