As already reported on marketinglaw. Brussels is planning a radical overhaul of EU data privacy laws and has published a proposed Regulation. The UK’s data protection watchdog, the Information Commissioner’s Office, has mulled the draft Regulation and made its views known. Are they all favourable? Ciaran Price reports.
Who: Information Commissioner's Office
When: 25 January 2012
Law stated as at: 8 March 2012*
As readers of Marketinglaw will no doubt be aware, on 25th January 2012 the European Commission published its working draft of the proposed new Data Protection Regulation. The Regulation is designed to replace the raft of outdated legislation which currently deals with data protection in the EU, and will (as a Regulation) have direct effect in all Member States once enacted.
Evidently, this will have a profound effect on the law surrounding data protection in the UK, and looks set to raise both the burden on organisations regarding their processing of data, and the penalties that could be incurred for non-compliance with the new regime. In particular, the proposed changes to consent requirements and retention of data will impact upon the fields of advertising and marketing, with consumers likely to have far more awareness of and control over the use of their data.
On the same day that the draft Regulation was published, the UK's Information Commissioner gave his initial view on the proposals. Unsurprisingly given the current piecemeal state of EU law in relation to data protection, the ICO broadly welcomed the proposals to modernise and standardise the rules.
The Information Commissioner has in particular expressed agreement with the proposals regarding:
- strengthening the requirements for individuals' consent to processing personal data;
- giving individuals more rights to object to the retention of their personal data, including a shift in emphasis to the controller having to provide compelling reasons for retention;
- introducing rights for individuals to obtain their data in accessible, reusable formats;
- placing legal obligations directly on to processors;
- the introduction of a duty for data controllers/processors to notify authorities of data security breaches within 24 hours;
- giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers;
- encouraging compliance with the data protection regime through the use of certification mechanisms and data protection seals and marks; and
- strengthening the powers of data protection authorities, including comprehensive investigative powers.
Could do Better
The Information Commissioner did not expressed unqualified support for the current draft however, citing parts of the legislation which in his view remain out of touch with modern commercial realities ad need some further thought. Among these are the retention of the concept of certain 'sensitive' categories of personal data and the limited grounds on which these can be processed, and requiring organisations to obtain prior consent for some forms of processing, most notably 'international' transfers of data.
The Information Commissioner also criticised the proposed moves to make the data protection obligations apply to controllers located outside the EU, where there is no clear explanation of how these obligations will be enforced. Dissatisfaction was also expressed regarding the restriction on the ability of public authorities to process personal data, even where the processing is solely for citizens' benefit.
The Next Stage
Now that the draft Regulation is a working draft, consultation will continue at an EU level. The Information Commissioner will of course be involved, give further comment and also be part of the Article 29 Working Party considering and developing the draft Regulation going forward.
Why this matters:
The new Data Protection Regulation will change fundamentally the law in this area across the whole of the EU, and have undoubted consequences for advertisers and marketers. Given the limited room for manoeuvre once a Regulation is in force, any adjustment at this stage will be vitally important, and the views of the Information Commissioner and his counterparts in other Member States will go a long way towards shaping the legislation. Marketinglaw will of course therefore be providing regular updates on the development of the draft Regulation in order to keep readers fully informed.
*Footnote: since this article was written, ICO has published further views on the draft Regulation dated 28 February 2012. They can be found at this link.