This post was written by Cynthia O’Donoghue.
The UK Justice Committee has laid out its concerns in its opinion on the European Commission’s legislative proposals (the Proposal) for reform of the European Data Protection Framework. In forming its judgement, the Justice Committee heard evidence from: the Ministry of Justice, the Information Commissioner’s Office, the EU Commission, the police, and representatives of UK small and medium enterprises (SMEs) and global businesses.
Whilst accepting that the proposed Regulation is necessary to update the original 1995 Directive to take into account technological change and to confer on individuals their new rights and freedoms, the Committee criticized its “over-prescriptive” nature and called for changes to be made.
A fundamental concern for the Committee was the division of the Proposal between a Regulation for all, and law enforcement which would be governed by national implementing legislation stemming from the proposed Directive. The Committee felt that this could “cause confusion for data subjects and in particular for organisations within the criminal justice system”, as well as a lack of consistency resulting from a weakness in the proposed Directive as compared with the proposed Regulation. The Committee strongly urged the Commission to choose between either focussing on elements essential to harmonisation under a Regulation, or using a Directive to allow implementation by Member States which would provide greater flexibility in implementation and enforcement at the cost of harmonisation and consistency.
The Committee also opined on a number of crucial provisions within the framework, broadly supporting the “right to be forgotten” but warning that using the word "forgotten" could create unrealistic expectations, especially for users of social media. Individuals’ right to access their own data was also a point of contention, with the Committee recommending that the proposed Regulation should ban any fee for data access requests. Furthermore, the Committee has suggested that the requirement to appoint a Data Protection Officer for those organisations with more than 250 employees should be changed to take into account the type of business and the sensitivity of data that is handled, rather than the number of employees.
The Justice Committee agreed with the criticism levelled at the Commission’s Impact Assessment, which failed to account for additional compliance costs that may be incurred by organisations, although the Committee acknowledged that the new Data Protection Framework had the potential to increase competitive advantage through increased consumer confidence.
Overall the Committee agreed that the Regulation does give data subjects essential rights and has the potential to make data protection compliance easier for businesses, especially SMEs, after EU Justice Commissioner Viviane Reding recently announced that she is prepared to offer them some concessions under the framework. However, the Committee does not believe that in its current form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU.