When EU legislation for general and commercial data protection purposes was last agreed in 1995, the digital economy was in its infancy and the boom in social media had not begun. As a result, 17 years on the current EU Directive has been described as an analogue regime for a digital world. Additionally, EU citizens have new rights and freedoms to protect their data and privacy as contained within the Charter of Fundamental Rights of the European Union and the Lisbon Treaty.
In January 2012, the European Commission published detailed legislative proposals for European reform of data protection. These take the form of both a draft Regulation and a draft Directive. We agree that t he draft Regulation is necessary, first to update the 1995 Directive and take into account past and future technological change; and secondly to confer on individuals their new rights and freedoms. We can see why the Commission also wish to update data protection for the purpose of law enforcement as part of an overall package, but we are concerned that the twin-track approach being taken will cause confusion for data subjects and in particular for organisations within the criminal justice system. We are also concerned that the data protection provisions contained in the draft Directive are weaker than in the draft Regulation, and agree with the UK Information Commissioner that data protection principles should be consistent across both instruments. This must be at a high level.
The draft Regulation, through harmonising data protection laws across the 27 Member States, has the potential to make data protection compliance easier, in particular for small business who wish to trade across the European Union. We can understand why the European Commission decided that a Regulation was the correct instrument to achieve harmonisation, but by also setting out prescriptive rules there is no flexibility to adjust to individual circumstances. We believe that the Regulation should focus on stipulating those elements that it is essential to harmonise to achieve the Commission's objective, and that Member States' data protection authorities should be entrusted to handle factors associated with compliance. We are also concerned that the impact assessment has been heavily criticised, and believe that further work, with the input of all stakeholders, is required to produce a full assessment of the impact of the proposals. The UK Information Commissioner has asserted that the system set out in this Regulation "cannot work" and is "a regime which no-one will pay for". We regard this as authoritative, and believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive, particularly in the processes and procedures it specifies.
We understand that the draft Directive does not apply to domestic processing by law enforcement agencies within the UK, and it should be placed beyond doubt that this is the case. Additionally, we believe it needs to be made clear that the Directive must not impact on the ability of the police to use common law powers to pass on information in the interests of crime prevention and public protection. Member States need to have the flexibility to implement the Directive in ways which achieve its purposes through processes which are appropriate and proportionate in the national context.
However, we take some comfort from the fact that both the Government and the Information Commissioner believe that the necessary changes in the Regulation and the Directive can be agreed through negotiation, and we support them in their efforts to achieve this.
|