The ICO has published its initial analysis of the European Commission’s reform of the EU Data Protection Directive 95/46/EC (“the Directive”). The ICO published its review of the draft Data Protection Regulation and the Directive on data protection in law enforcement (“DP Framework”) on 25 January 2012, but was quick to stress that its review is not a comprehensive analysis, nor will it be the ICO’s last word on the subject.
The ICO views the Commission’s proposals as a “positive contribution” towards updating data protection law in light of the current “patchwork” of national laws, and because the existing Directive is “out-of-date”. The ICO, however, would prefer a single comprehensive instrument to the two documents contained in the DP Framework. If two instruments do remain, then the ICO would like to see the EU Parliament ensure as much consistency as possible between them; otherwise, there could be a lack of consistency, which would undermine one of the European Commission’s objectives for revising the existing Directive.
The ICO points to the following concerns:
- Consistency, while welcome, may never be truly possible because of the variations between different member states
- The drive for harmonisation could become a burden on businesses and lead to complexity for individuals
- The DP Framework is more detailed and prescriptive than the Directive and, as a result, could be onerous or disproportionate, whereas a flexible instrument may be more suitable
The ICO reviewed a selection of the 91 articles of the proposed EU DP Regulation, praising the expanded definitions of “data subject” and “personal data” (Art. 4), and the “one-stop shop” provision for controllers and processors established in more than one Member State (Art. 51(2)).
In the ICO’s view, many provisions have been “considerably weakened” when compared with the version that was leaked in December 2011. The ICO calls for the wording to be tightened or provisions to be reinstated to strengthen the level of data protection, which is of particular importance in the police and law enforcement sector, where processing personal data carries a significant privacy risk for individuals. The ICO comments that, at the very least, the basic provisions, definitions and principles within the Framework need to be aligned, such as the inconsistencies between the draft law enforcement Directive and the Regulation relating to profiling (Art. 9). According to the ICO, failure to do this is contrary to the Commission’s desire for consistency and will only lead to confusion.
Lastly, the ICO believes that the two-year implementation period is too long, mainly because data protection and privacy are not a new area of law, and many of the provisions are recognised as good practice across the EU already.