After consulting with stakeholders including the Direct Marketing Association, who levelled extensive criticisms at the draft Data Protection Regulation, the Ministry of Justice has published its views. “Nice try but start again” might be one way of summarising these, as James Mullock pulls out the key findings.
Who: UK Ministry of Justice
When: November 2012
Law stated as at: 5 December 2012
The Ministry of Justice (MoJ) has for the first time publicly set out clear details of the position which it will take in Brussels in negotiations on the European Commission’s proposed Data Protection Regulation. Challenging the level of fines to be introduced, the requirement to appoint data protection officers and the proposed data security breach notification rules are all notable inclusions. The details are included in the MoJ’s summary of the results of its consultation on the draft Regulation conducted between February and March 2012.
Points highlighted for negotiation by the MoJ include:
• Support for a system of fines and other penalties for serious breaches of the Regulation, but “push for a more proportionate level of maximum fines, which allows supervisory authorities greater discretion in applying the powers available to them”;
• Resist new “bureaucratic and potentially costly burdens on organisations which do not appear to offer greater protection for individuals”. Examples given include mandatory privacy impact assessments, seeking prior authorisation from regulators for certain processing operations and the mandatory designation of independent data protection officers;
• Support for the introduction of data breach notifications both to regulators and affected individuals, but only “if the provisions reflect the timescales needed to properly investigate a breach and if a sensible and proportionate threshold is provided which excludes minor and trivial breaches from the scope of the requirement” (this in response to the draft Regulation’s proposed 24-hour timescale for notification, seen by many as impossible to achieve);
• Support for the requirement for organisations to proactively provide individuals (including in response to subject access requests) additional information about data usage, but resistance to the proposal that subject access rights be exercisable free of charge;
• Request an overhaul of the proposed ‘right to be forgotten’, given the practicalities and costs and the potential for confusion about its scope for both organisations and individuals. However, the MoJ has reaffirmed the Government’s commitment to the right for individuals to be able to delete their personal data where appropriate;
• Support harmonisation of European Union member states’ data protection laws and regulatory authority enforcement action, whilst allowing independent national authorities flexibility in how they use their powers; and
• Resist the extension of powers of the European Commission to make delegated and implementing acts, “particularly where these have the potential to make a big difference to fundamental requirements and principles (for example, the legitimate interests upon which data controllers can rely to make their processing lawful or the safeguards that must be established to allow profiling to take place).”
Why this matters:
The proposals will be put by the MoJ as negotiations over the draft Regulation enter the Council of the EU and the European Parliament in 2013. They are likely to face strong pushback from the European Commission. There have recently been indications from Brussels that the Commission may be prepared to make changes to the draft Regulation in some areas, but nothing as extensive as will now be suggested by the UK.
For a copy of the MoJ’s Summary of Responses to its consultation as well as its costs/benefits assessment of the Regulation see here.