This post was written by Cynthia O’Donoghue.
Back in January of this year, the European Commission published its proposed framework to replace the Data Protection Directive (95/46/EC). Shortly after, the UK Ministry of Justice (MOJ) issued a Call for Evidence, which sought information on the potential impact of the draft EU Data Protection Regulation and accompanying directive for law enforcement (‘Framework’). At the end of June, the MOJ published a summary of the responses. The MOJ received input from 143 organisations from various sectors, including advertising, financial services, technology and telecoms, media and the legal field. The responses will be used to help the UK Government reach an informed view on the Framework.
The majority of respondents recognised the need for change to the current data protection law and were positive about the change being in the form of a regulation. Members of the public and certain rights groups particularly felt that the Framework did a good job of addressing key consumer concerns and gave individuals more rights to control how their personal data is processed.
However, a large number of public and private sector organisations took a different view, commenting that the proposed Data Protection Regulation would increase the administrative burden because of its overly prescriptive nature and that it lacked balance between individual rights and the legitimate needs of data controllers. Key concerns focused on the ‘right to be forgotten’, the requirement that data breaches be reported within 24 hours where possible, and the imposition of large fines for failing to comply with the Regulation.
Some respondents were of the opinion that the Regulation did not go far enough to take into account important technological changes, such as the growth of the internet and the increased use of social networking sites and geo-location data. Some commented that the requirements were “overly-ambitious”, used a ‘one size fits all’ approach and failed to understand the needs of certain types of businesses in relation to specific personal data and the flexibility required to provide a range of services to customers. In particular, social media companies and e-commerce businesses argued that the proposed Regulation would have a negative impact on their core business. Another key comment from the private sector related to the complexity of the Regulation, which would most likely require specific guidance from outside counsel.
Others suggested that the Regulation poses a threat to cloud computing and its future development. Respondents stated that ideally what they were looking for is a piece of legislation that is compatible with future technological advances, but at the same time protects an individual’s right to data protection.
In the MOJ’s view, the European Commission’s impact assessment did not properly quantify the compliance costs imposed on business and potentially over-estimated the benefits of introducing harmonised legislation.
The UK Government’s stated aim is a legal instrument that does not overburden businesses, public sector or otherwise, and that encourages economic growth and innovation while still protecting individuals’ personal data. The UK Government supports the requirement for transparent processing and the requirement to proactively provide additional information to data subjects in response to subject access requests. The UK intends to push for an overhaul of the proposed ‘right to be forgotten’ due to it being impractical, costly and confusing, although it does support the individual right to delete their personal data where it is appropriate. Most importantly, and in what is good news for business, the UK Government plans to resist any provisions it feels are bureaucratic and burdensome, such as mandatory data protection impact assessments.