At the UK DMA’s fifth Annual Data Protection Conference, the keynote speech by Information Commissioner Richard Thomas gave useful insights on the watchdog’s future strategies and priorities.
Topic: Data protection
Who: Richard Thomas, Information Commissioner
Where: The Direct Marketing Association's Annual Data Protection Conference
When: March 2003
Richard Thomas, who as "Information Commissioner" heads up the UK's data protection watchdog, gave a keynote speech at the annual Direct Marketing Association Data Protection Conference.
He talked about the 2004-2007 corporate plan of the Information Commissioner's Office ("ICO"). The data protection strand of this would be focusing on four areas. These were the promotion of good practice, running an efficient notification and case reception service (a new initiative designating a specialist unit to process complaints), providing remedies to individuals with legitimate grievances and taking purposeful regulatory action, focusing on wilful and persistent disregard of the rules.
Data protection "scary and complicated"
Looking at the state of things today, the Commissioner reported a widespread perception that data protection is "scary and complicated". This undermined public confidence, placed disproportionate burdens, undermined effectiveness and discredited the underlying importance of the principles.
It was this situation which triggered the "Make Date Protection Simpler" project launched in July 2003, designed to make it easier in practice to achieve effective protection for individuals. Aspects of the project included the simplification of the process of notifying with the Information Commission. (all those handling personal data, unless they are doing it exclusively on behalf of others, are date controllers and should in most cases be notifying with the Commission). Standardising subject access request forms is also a priority (by which individuals can ask data controllers what information about them is being held) and there is also a push for greater enforcement powers and more robust use of the ICO's current powers.
No imminent EU review of dp laws
The Commissioner also confirmed to a relieved audience that there did not appear to be any major EU review of data protection law currently in prospect. He also mentioned that the use of the legalistic phrase "data subject" (denoting any individual about whom data is held) had been banned within the ICO.
Intra group data transfer
On a separate aspect, the Commissioner reported progress towards the introduction of binding corporate rules on the export of personal data within a group of companies, from within the European Economic Area (the EU plus Iceland, Liechtenstein and Luxembourg) to countries whose data protection laws are not regarded by the EC as "adequate."
Digital marketing rules update
Focusing then on the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Commissioner reported that since their introduction on 11 December 2003 the bulk of the 300 complaints that the ICO had received related to unsolicited text messaging to mobile phones. He called on the direct marketing industry here to act as "whistleblowers" on irresponsible text messaging companies, to avoid this medium of commercial communication becoming discredited altogether. Ominously he concluded this section with the words "Watch this space."
As regards the numbers of complaints received, the Commissioner commented that 300 complaints was not necessarily a deluge. He also said that for the first few months following introduction of the regulations at least, the ICO would take an "indulgent view" of transgressors, but would be less understanding when it came to those who failed to respond to opt out requests.
More powers plea
Mr Thomas rounded off with spam and a plea for greater enforcement powers. Top of his shopping list were faster injunctive powers and powers to compel third parties to provide relevant information, which the ICO could not do at this time.
On the topic of spam, the Commissioner reported great efforts to achieve joined up enforcement by relevant authorities across the various jurisdictions affected. He also underlined the message that spam cannot be stamped out by regulation alone. He mentioned global initiatives such as the operation "secure your server" (http://www.ftc.gov/bcp/conline/edcams/spam/secureyourserver/index.htm). There was also a new page on the ICO website with hints on avoiding spam (http://www.informationcommissioner.gov.uk/eventual.aspx?id=5801).
New EU members query
One question from the floor related to the ten new EU members coming on board from 1 May 2004. Concern was expressed as to whether they were up to speed on their data protection law. The Commissioner replied that all ten new members were well on stream and representatives from each of the new members had sat as observers for the last 18 months on the EU Data Protection Watchdog super-group, the Article 29 Working Party.
Why this matters:
The Information Commissioner continues his quietly effective performance of the role which he took up getting on for two years ago now. The honeymoon is over and we have yet to see any real dividends from his "Make Data Protection Simple" initiative. But the will is clearly there and if greater enforcement powers do come his way, those who take the trouble to take advice and ensure compliance with data protection laws will hopefully have less experience of watching their competitors flout the same laws with impunity.