2 The draft Regulation
The basis for, and aims of, reforming the Data Protection Directive 1995
17. The draft Regulation would repeal and replace
the existing Data Protection Directive 1995.
The Government's Explanatory Memorandum states:
The objective of the 1995 data protection Directive,
to ensure the effective protection of the fundamental rights and
freedoms of individuals within a functioning Single Market, remains
valid. However when the 1995 Directive was adopted the internet
was in its infancy. The Commission believes that a new, stronger
and more coherent data protection framework is necessary because
rapid technological and business developments have brought new
challenges for the protection of personal data. The scale of data
sharing and collecting has increased dramatically. Technology
allows both private companies and public authorities to make use
of personal data on an unprecedented scale in order to pursue
their activities. The Commission also considers that existing
rules provide neither the degree of harmonisation required, nor
the necessary efficiency to ensure the right to personal data
protection. The Commission therefore wants greater consistency
in the way data protection is implemented across the Union by
introducing a single set of harmonised core rules, whilst still
ensuring the free flow of personal data within the internal market.[22]
18. Privacy International's written evidence
stated:
The fundamental rights to protection of personal
data and privacy are specifically mentioned in EU charters and
conventions, and have to be complied with by EU member countries
signatories of the Lisbon Treaty. Under current legislation these
rights are not respected.[23]
The obligations under EU treaties were also commented
on by the Information Commissioner in oral evidence, when he said:
the challenges of data protection for citizens and
consumers, not just in Europe but across the world, are really
significant challenges of the 21st century. [...] unless we get
data protection right - and it is a fundamental right under
the Charter of Fundamental Rights of the European Union - we
are all in trouble.[24]
When giving oral evidence to the Committee, Lord
McNally, Minister of State, Ministry of Justice, also highlighted
how data protection concerns had changed with developments in
technology:
In the two years that I have been in this job I have
become aware that we are really at the dawn of a new era in terms
of just how much information is in the hands of various organisations,
and the possibility and capability of its misuse. [...] The capacity
to acquire information about the citizen and to cross-reference
it is quite serious. All I can say is that we are alert to that
and want to build it into both our domestic and EU legislation
because that threat does exist. [...] In the new digital age it
is the downside to what is also a very exciting opportunity in
terms of exchanging information for the benefit of the citizen.[25]
19. Most of the written evidence we received
agreed that new EU legislation for data protection was required,
and welcomed the aims of the draft Regulation. For example, the
NHS European Office said it "welcome[d] the European Commission's
revision of the existing EU Data protection laws, particularly
in light of technological developments since the last Directive
was implemented",[26]
whilst the Association for Financial Markets in Europe stated,
"[o]ur members welcome the aims of the Regulation to improve
legal certainty through harmonisation, to reduce the administrative
burden on companies and to provide effective rights to individuals".[27]
20. One of the key aims of the draft Regulation
is to provide harmonisation and clarity of data protection laws
across the European Union. David Smith from the Information Commissioner's
Office explained how current approaches to data protection regulation
differed among Member States:
We have traditionally taken what we would see as
a good UK regulatory approach. [...] People don't come to us as
an authority to get approval for what they do in advance; they
take their business decisions and we step in if things go wrong.
We have some strong powers [...] to impose penalties if businesses
do get things wrong. But [...] you trust them to get it right
and you step in if they abuse that trust [...] whereas some other
data protection authorities have to check things in advance and
prior approve things. This is particularly true in international
transfers. [...] As we try and come together to one harmonised
instrument, you see those sorts of tensions emerging. We are critical
of this instrument because it will require us to prior approve
international transfers, but I have to say that some of our colleague
authorities are equally critical of it from the opposite direction
because it will allow international transfers through, in some
cases without their approval, where they have to give their approval
under the current regime.[28]
21. Françoise Le Bail explained why harmonisation
would be particularly beneficial for small and medium-sized enterprises
(SMEs):
The first thing that the SMEs told us was, "What
is a problem for us is fragmentation. If I am an SME and I have
to deal with 27 different legislations in terms of data protection,
it is awful. [...] I cannot cope with it because I don't have
a legal service. [...]" The first thing we are doing for
SMEs is to stop this fragmentation. We will stop this fragmentation
by one single law. This is a huge benefit for an SME because,
for a big company, in a way they can cope; they have legal services.[29]
We heard similar views from other witnesses:
- The Federation of Small Businesses
told us, "there are benefits [to updating the legislation]
because data is free flowing [...] so you need harmonised rules
on that. [M]ore of our small businesses will use the European
market to find new customers. So harmonisation is important".[30]
- Privacy International stated, "harmonisation
and legal certainty would encourage more SMEs to expand their
businesses in other EU countries because they would not need to
engage expensive lawyers".[31]
However, Business Software Alliance believed that
prescriptive elements of the draft Regulation, such as the imposition
of large fines, "could be extremely detrimental to the launch
or survival of start up companies and innovative SMEs". They
argued "[s]uch a regime would significantly raise the cost
and associated risk of introducing new products and services into
the market while neither reducing the risks to data being processed
nor providing added protection for consumers".[32]
22. Which? believed that a sound framework for
data protection could help boost consumer confidence, especially
with more business and public services moving online. It argued
that whilst growth of the digital economy was important to both
the UK and wider EU, a lack of trust and concerns over data protection
presented a significant barrier to this growth. A recent Eurobarometer
showed that 43% of British consumers were concerned about someone
taking/misusing their personal data when shopping or banking online.[33]
Georgina Nelson, Lawyer, Information Policy, Which?, highlighted
an Office of Fair Trading study that showed 6.27% of UK consumers
had never provided their personal financial details online because
of privacy and security concerns, which was an estimated loss
for ecommerce business of £2.48 billion.[34]
Additionally, Privacy International contended that the
lost opportunities due to a lack of consumer confidence online
equated to 1.7% of EU GDP.[35]
23. The draft Regulation sets out:
- principles governing personal
data processing;
- rights of individuals to access their personal
data, to have it rectified or erased, to object to processing
and not to be subject to profiling;
- the obligations of data controllers and data
processors to provide information to individuals, to report on
breaches of data security and to put in place technical and organisational
measures;
- rules on transfer of personal data to countries
outside the European Economic Area (EEA) and to international
organisations;
- rules relating to national regulators ("supervisory
authorities"), and how they will co-operate with each other
and the European Commission; and
- remedies available to data subjects and the administrative
sanctions available to supervisory authorities.[36]
24. Some of the key changes that the Regulation
introduces are as follows:
- a new definition of consent
that requires that consent to the processing of personal data
be given explicitly;
- new definitions of key terms, and introduction
of new terms such as "online identifier", "location
data", and "genetic data";
- the mandatory appointment of data protection
officers for organisations in the public sector and some parts
of the private sector;
- greater levels of protection for children (defined
as those under 18 years of age);
- a right for data subjects to be "forgotten",
including the right to obtain erasure of personal data available
publicly online;
- new obligations on data controllers and processors,
including mandatory security obligations, an obligation to maintain
documentation of their processing operations and an obligation
to notify supervisory authorities of data breaches without undue
delay and where feasible within 24 hours;
- updated rules on transfer of data to countries
outside the European Economic Area and to international organisations,
including the need for data controllers to obtain prior approval
from supervisory authorities in some circumstances;
- changes to cooperation and consistency between
supervisory authorities, and the establishment of a new regulatory
body, the European Data Protection Board; and
- a requirement for supervisory authorities to
impose prescribed fines of up to 2% of an enterprise's worldwide
turnover where there has been a breach of certain requirements
of the Regulation.[37]
Arguments for and against a Regulation
25. We received a mixed response to the Commission's
decision to use a Regulation as the instrument to update the 1995
Directive. The Newspaper Society said "[t]hat the proposals
are put forward by way of a proposed Regulation is itself a major
disadvantage. This deprives the UK Government of any flexibility
in implementation or enforcement".[38]
However, RSA Insurance Group stated, "We support the new
proposals being in the form of a Regulation rather than a Directive.
As a multinational insurance group we welcome the European Commission's
aim of creating a level playing field".[39]
26. In oral evidence to the Committee, the Federation
of Small Businesses argued, "you need some form of prescription
if you want to harmonise" and therefore they were happy with
a Regulation instead of a Directive.[40]
Microsoft added, "[w]hat is very good with this reform is
that it is supposed to bring the maximum of harmonisation, which
is really key. [...] Today I think we all agree that 27 different
regimes is 27 risks, 27 good reasons not to make business".[41]
27. This view was not shared by the Information
Commissioner's Office, and David Smith told us that it would have
been easier to achieve an outcome-driven approach, favoured by
the UK, through a Directive. However, he acknowledged:
that wouldn't meet the Commission's desire for harmonisation
or would put that at risk. The Commission are very much, we think,
driven [...] by the likes of Microsoft, the big multinational
internet businesses, who say, "Above all else, we want the
same rules throughout Europe so that we know what the rules are
for Europe." There is an element that the Commission see
that as necessary for economic progress and making Europe a good
place to do business, and clearly there is some merit in that.
But driving this harmonisation does lead to these detailed prescriptive
rules that everybody has to follow, which are not necessarily
good for, say, the people that the Federation of Small Businesses
represent, who don't necessarily need the same regime in every
country in Europe. What they just need is a sensible regime, from
their point of view, in the UK. If the price of that is extra
detail and extra prescription, because that is what you have to
have to reach agreement among all 27 member states, maybe that
is too high a price to pay.
He concluded, "[i]t does not matter too much
whether it is a Regulation or a Directive, but we would favour
lightening up on the detail".[42]
28. Which? believed that a certain level of prescription
was required,[43] and
told us that if the Regulation was to focus on outcomes, "[t]here
needs to be clear steps about how those outcomes would be achieved.
Just to focus purely on outcomes without that guidance would mean
that it would be left up to the different Member States to provide
that guidance, and that is when you would get differences in interpretation
and fluctuation".[44]
29. When Lord McNally appeared before us, he
set out the Government's view, and described the impression garnered
from the early negotiations:
We think the Regulation is too heavy-handed and prescriptive
in an approach to something that would be much better dealt with
by a Directive that leaves a great deal more flexibility to domestic
implementation. [...] From what I understand, the balance of the
discussions so far has been much more about what's in the Regulation
and whether it could be better handled in a Directive.[45]
30. Bringing EU data protection
legislation up to date is necessary and could provide benefits
to both individuals and businesses. Many of these benefits are
only attainable if there is effective harmonisation of laws across
Member States, and therefore we can understand why the European
Commission decided that a Regulation was the correct instrument
to achieve their objective. However, by setting out prescriptive
rules there is no flexibility to adjust to individual circumstances.
We believe that the Regulation should focus on stipulating those
elements that it is essential to harmonise to achieve the Commission's
objective, such as the consistency mechanism and the establishment
of the European Data Protection Board. Member States' data protection
authorities should be entrusted to handle factors associated with
compliance, such as the level of fees or when it should be informed
about a data protection impact assessment, whilst also being a
source of guidance. Consistency of approach should then be delegated
to the European Data Protection Board.
Impact assessment
31. The Commission's impact assessment explains
that whilst strengthened data protection rules are expected to
give rise to some additional compliance costs for organisations,
it could also offer a competitive advantage for the EU economy,
as the higher level of protection and expected reduced number
of data protection incidents and breaches may increase consumer
confidence. Requiring companies to adopt high standards of data
protection could also lead to long-term improvements for European
businesses, which could become world leaders in privacy-enhancing
technology or privacy-by-design solutions, drawing business, jobs
and capital to the European Union.[46]
When, for example, we asked Microsoft what weight was given to
data protection legislation when the company was making investment
decisions, Jean Goni, Director of Privacy EU Affairs, told us,
"I would say that this is in between the top and bottom in
the list because, as you can imagine, we also have other incentives
like tax regimes, skills employability and so on to determine
investment. But, definitely, if we have coherent clarity in a
data protection regime, this will really help".[47]
32. The Commission also considers that the enhanced
harmonisation will make the cross-border processing of personal
data simpler and cheaper. This is expected to provide considerable
incentives for businesses to expand across borders and reap the
benefits of the internal market, with beneficial effects both
for consumers and the European economy as a whole.[48]
The Commission claims that the reforms are expected to achieve
benefits and savings of about €2.3 billion in administrative
burden per annum.[49]
33. The Commission's opinion was not shared by
the MoJ. Its Summary of Responses contains its own Regulation - Checklist
for analysis on EU proposals, which states:
The overall impact is likely to be substantially
negative. Though it is difficult to place a figure on the scale
of net costs, the positive benefit to individuals of strengthened
data rights are judged to be likely to be outweighed by negative
impacts on small businesses, third sector, the ICO and wider justice
system.[50]
We address some of the aspects of the Regulation
that have raised concerns that burdens will be imposed later in
this Report.
34. In its written evidence, the MoJ stated:
Our initial assessment suggests that the Commission's
impact assessment does not provide a credible foundation to underpin
the proposals. We have noted three issues in particular.
- the quantified impacts have not been thoroughly
investigated. In particular, there are significant weaknesses
with the widely publicised €3bn benefit from reducing "legal
complexity";[51]
- the impact assessment has focused on quantifying
benefits without corresponding assessment of costs;
- the impact assessment exhibits many issues in
relation to the method used to compile the analysis, for example:
lack of a clear baseline; failure to consider impacts over time;
absence of sensitivity testing to account for uncertainty; lack
of Member State level analysis; multiple statistical errors; and
no explicit consideration of winners and losers.[52]
Furthermore, in oral evidence, Glenn Preston, Deputy
Director for Information and Devolution, Ministry of Justice,
explained:
We are committed to doing our own impact assessment
of the Commission's proposals. The aim is for us to make that
publicly available [...] before the end of this calendar year.
That is proving challenging, partly because we are trying to get
information out of the Commission on the basis of the methodology
that was used for their own impact assessment, which is taking
slightly longer than we hoped it would. [...] The purpose of producing
that is to have a public discussion [...] about a proper analysis
of the costs and the benefits, which we think was slightly lacking
in the impact assessment provided by the Commission.[53]
35. Microsoft agreed that the draft Regulation
would be more burdensome than the Commission estimated, and said,
"[w]ith this figure of €2.3 billion we have difficulties,
to be candid, because we have no real details regarding the impact
assessment. We have just a few pages at the end of the text. We
would like to have more information to understand better what
these €2.3 billion savings really represent".[54]
36. More positively, Glenn Preston, Ministry
of Justice, explained that as the UK Government sought to change
the content of the Regulation substantially, the Ministry would
look at the different options that may exist, and added "[w]e
would expect the final instrument, whether it is a Regulation
or a Directive, to be considerably different and to be less burdensome
and prescriptive. Therefore, it could well have a more beneficial
impact if that is the case".[55]
37. We call on the European
Commission to work with the UK Government, the governments of
other Member States, and other stakeholders, and to pool resources,
expertise and information, so that a full assessment of the impact
of the proposals can be produced.
IMPACT ON THE INFORMATION COMMISSIONER'S OFFICE
Resources
38. Respondents to the MoJ's Summary of Responses
questioned whether the Information Commissioner's Office (ICO)
would be able to meet the Regulation's requirements given the
breadth of the processing activities that the Regulation applies
to. The general perception was that the ICO would be unable to
keep up with the demand to respond to requirements such as receiving
breach notifications, approving international transfers of personal
data and reviewing the results of data protection impact assessments.
The ICO confirmed that the Regulation would have considerable
resource implications for all supervisory authorities, and that
Member States would be committed to the adequate funding of these.[56]
39. Françoise Le Bail explained:
In the EU Regulation we ask the Member States to
make sure that their data protection authorities are staffed with
the right amount of people and also have the necessary financial
backing. The picture we have around the EU is of course very different.
[...] Therefore [...] in the Regulation [...] is an obligation
to make sure they have both the necessary finance and staff. The
reason for this is that the data protection authorities will have
to continue the work they are doing now, but they will also have
to participate in the consistency mechanism [the European Data
Protection Board].[57]
She added that data protection authorities would
also be relieved of a number of duties. The Commission had requested
from all data protection authorities a cost estimate, but she
believed the main issue was with new Member States.
40. In oral evidence, Christopher Graham, Information
Commissioner, shared with us his office's assessment of the impact
the draft Regulation would have on resources:
I accept [it] may change, but it raises the question
of whether any of this is actually doable, because, if we were
to do the least that we can identify as being down to the ICO
under these proposals, our funding would have to increase from
the current £15 million for data protection - from the
notification fee, which itself is under a question mark - by
a further £8.4 million: that is a 56% increase.
It isn't going to happen, Chairman. But if we were
to do what is frankly the more realistic role of what we think
we ought to be doing, given the legislation that is set out, the
figure is even more scary and, frankly, unbelievable. It is £15
million at the moment; we would need a further £28 million.
Is anyone going to vote an additional 187% to the ICO, excellent
though it is? No, they are not.
So you then have to say, "This system cannot
work." They are certainly not going to vote 56% either. This
system cannot work because you are describing a regime that nobody
will pay for. We are about the best funded of the data protection
authorities within the European Union. If we can't do it, and
we particularly can't do it when the notification fee on which
our funding is based is abolished, how is anyone going to be able
to do it?[58]
41. We put these figures to Françoise
Le Bail, who responded:
First of all, we don't know these figures yet. [...]
My first reaction is that it seems a huge amount. Certainly, in
the reflection we have had, we never envisaged that it would be
as much as that. So we need to have a look at these figures in
detail. My guess is that it will be much less.
Secondly, when he says, for example, that he will
need to look at details, dealing with every single complaint that
the Regulations, they believe, oblige them to do, this is a subject
of discussion among Member States. This is also the subject of
discussion with the data protection authorities. [...] They say
there are too many cases to deal with [...] and we cannot, as
we do now, concentrate on the main cases. This we are discussing
and we are confident we will find a solution for this. [...] [W]e
are engaged in this process with Member States, DPAs and national
Parliaments, and we are gathering all information that we have.
But, coming back to the figures, they seem a lot.[59]
42. Lord McNally, Ministry of Justice, emphasised
that this was not a problem for the UK alone, stating:
Our Information Commission Office is well resourced
compared with other parts of Europe. [...] [T]hat is why one of
the things we will be pointing out in the nicest possible way
to the Commission is that having a wish list of extra responsibilities
and tasks for the Information Commissioners across Europe is going
to be genuinely wishful thinking because the resources simply
won't be there in the present circumstances to fulfil this wish
list.[60]
43. We regard as authoritative
the UK Information Commissioner's assertion that the system set
out in this draft Regulation "cannot work" and is "a
regime which no-one will pay for", and we believe that the
Commission needs to go back to the drawing board and devise a
regime which is much less prescriptive, particularly in the processes
and procedures it specifies.
Relationship with data controllers
44. The Association of Chief Police Officers'
written evidence stated that the current healthy relationship
between data controllers and the Information Commissioner's Office
would not be able to continue under the draft Regulation. It argued
that the "possessively descriptive approach" the EU
Commission takes will result in Information Commissioners identifying
failure and imposing fines, rather than being a source of advice
and guidance, and a promoter of good practice.[61]
45. The Information Commissioner's Office were
sympathetic to this assessment, and David Smith, Deputy Commissioner
and Director of Data Protection, told us:
If we lose discretion, all we will be able to do
is punish and not advise and assist. We believe very strongly
that advising and assisting people to get it right, as well as
punishing those who fail in their responsibilities, is the duty
of a rounded, proper, effective regulator.[62]
Christopher Graham, Information Commissioner, added:
I want discretion, and in the negotiations [...]
a very important victory would be to change that bit that has
all the lists of what the data protection authority "shall"
do and amend that to "shall be empowered to" or "may
do" so that we have the discretion to go after the bad guys,
understand where things may have gone wrong and where there are
mitigating circumstances.[63]
European Union Data Protection Board
46. The Government's Explanatory Memorandum on
the draft Regulation commented on the establishment of a new regulatory
body, the European Data Protection Board. It stated "In general,
the Government supports cooperation between supervisory authorities
but wants to take care to ensure the continued independence of
the Information Commissioner and flexibility of national supervisory
authorities".[64]
47. Christopher Graham, Information Commissioner,
told us that increasingly the data protection authorities within
the European Union were cooperating, partly due to pressure from
the big international companies who want greater consistency in
the application of the current Directive. The Article 29 Working
Party was the mechanism for this work, which under the new proposals
would be formalised as the European Data Protection Board. He
added that the trend towards greater consistency among Member
States would continue because it was clearly demanded, and said,
"[t]hat makes me wonder whether we need to impose all these
restrictions, particularly on the smaller players, in the name
of achieving something that the dynamic of the marketplace and
good sense is achieving anyway".[65]
48. We asked Françoise Le Bail, European
Commission, if there was a danger that the Data Protection Authorities
of some Member States could be weaker than others. She replied:
Let's imagine, for example, that there is a huge
problem in a particular member state. The other data protection
authorities can raise it in the framework of the European data
protection board [...] and there can be a cooperation that
can be put in place between the strong data protection authorities
and the weaker data protection authorities.
Her colleague, Marie-Hélène Boulanger,
Head of the Data Protection Unit, added:
If you look at the text in detail, you will see that
there are a lot of [...] safety measures in the provisions [...]
to avoid that risk. [For example as] the data protection authority
of one member state, if you feel that [another] authority in charge
does not have enough staff to deal with the specific case, you
have the possibility to send your own staff in support and the
competent data protection authority for the specific case cannot
refuse the support. [...] That is one of the mechanisms. [...]
There are many possibilities to ensure that there are no discrepancies
between data protection authorities. In addition, the European
Commission always has the possibility to intervene in such cases.[66]
General comments on the draft Regulation
49. As has been alluded to already in this Report,
the vast majority of the written evidence we received argued that
the draft Regulation is over-prescriptive, and imposes unnecessary
administrative burdens. During our oral evidence sessions, the
Federation of Small Businesses told us:
We think the rules are too prescriptive indeed. [...]
[W]e think you can also make legislation on the basis of principles
instead of prescription, because prescriptive rules also prevent
innovation. If you prescribe in too much detail, you don't leave
room for industry to develop their own standards or find their
own solutions. In that sense, prescription goes against harmonisation
because you stifle growth and trade in Europe.[67]
Microsoft told us they were very happy to see a proposal
that gave maximum protection to the data subject. However, from
an industry perspective they were very surprised to find that
a lot of new burdens were imposed on them, without receiving any
new rights and new incentives. They concluded that because they
were very much in favour of harmonisation, they were expected
to take on these new burdens.[68]
50. When the proposed Regulation was published,
the Information Commissioner described it as "unnecessarily
and unhelpfully over prescriptive" in a number of areas.[69]
During oral evidence he expanded on this, stating:
[T]he proposed legislation, in the name of consistency
across the European Union, [is] very specific about processes,
whereas our approach has been much more to focus on outcomes and
to go for the better regulatory approach of risk-based proportionate
intervention. We are really quite worried that it will be very
difficult to operate this regime. It will turn the ICO from, on
a good day, a Better Regulation regulator into a vast administrative
machine processing a lot of forms, permissions and ticking boxes.[70]
[...]
[W]e believe that [an] overall obligation to comply,
in general, doesn't then need to be broken down by, "This
happens to you if you do this; this happens to you if you don't
do that; and that happens if you don't do the other." Quite
apart from the fact that it is going to tie the data protection
authority up in knots, it would be much better to have a general
obligation to comply rather than specific steps which have been
derived from what has been developed as good practice.[71]
David Smith, Deputy Commissioner and Director of
Data Protection, said that the level of prescription was a factor
of the attempt to achieve harmonisation, "[b]ut that just
gets you to undesirable, unintended consequences and unmanageable
regulation". He continued:
In our view, you have to lighten up. You have to
take the risk that there won't be complete harmonisation. It doesn't
actually matter whether the fine is exactly the same or not, and
we do have the European Data Protection Board, which is there
to try and ensure consistency. Equivalence as an approach is much
better than harmonisation, in our view.[72]
51. Privacy International's written evidence
was more positive towards the draft Regulation. It contended that
the Regulation did achieve the right balance between the rights
of individuals and the obligations of controllers and administrations,
and that considerations of possible burdens to businesses had
to be counterbalanced by growth opportunities provided by furthering
consumer trust.[73] It
stated that the proposed Regulation, "on the whole, goes
some way towards [...] [making] data protection law fit for the
21st century".[74]
It also argued that the draft Regulation redressed current imbalances,
such as extensive data mining and profiling (use of algorithms
or other techniques that allow the discovery of patterns or correlations
in large quantities of data) without individuals' awareness; difficulties
for people to stay in control; different rights in different EU
countries; authorities without clout and weak enforcement; and
difficulties in getting redress.[75]
It stated:
Claims of stifling burdens, possibly affecting economic
growth and innovation are not justified in this case. It is important
to ensure that individuals are adequately and effectively protected:
as [...] lack of trust and concerns over data protection are
significant barriers to the growth of the digital economy.[76]
52. In oral evidence, Anna
Fielder, Trustee and Company Secretary, Privacy International,
explained how the Regulation
provided balance between burdens and rights:
[T]he bulk of these administrative burdens [are]
particularly in the sections that concern data subject rights.
[...] [T]he reason they have been put in there is because, precisely,
the current legislation does not respect those rights and it was
felt that you need a bigger degree of prescription and administration
in order to ensure that that happens.
In addition, she argued that technological solutions
and off-the-shelf e-commerce packages would greatly alleviate
administrative burdens imposed on businesses. However, she did
conclude, "there are some provisions in the Regulation that
could be streamlined and reduced. We are not saying everything
is perfect, but what we are saying is don't throw the baby out
with the bath water".[77]
53. Georgina Nelson, Lawyer, Information Policy,
Which?, told us "there should [not] be any fettering [...]
of [data subject] rights due to administrative burdens. It is
getting that balance right, and obviously any administrative burden
which is superfluous to those rights should be lightened".
She added that the debate on the proposals had focussed on short-term
administrative burdens, whilst the legislation would be in place
for a generation. Furthermore, she emphasised the opportunities
that the reforms would bring, stating:
The Regulation is trying to open up this very competitive
market of personal data so that it is not sat on by the few big
players but it can be utilised by everyone for the greater good,
whether that is business or consumers. That is really important
to bring into the economic analysis; it is that future scope.
Also, with regard to SMEs, the evidence previously
was that at the moment cross-border trade is not something that
they engage in, but obviously this is because it is hugely complicated.
They probably can't afford the legal advice and the benefits don't
justify the pain in getting there. But, if we do move towards
this harmonisation, they will then hopefully have the confidence
and it will be a far easier procedure to open up a whole new market
for them, and then again you would seek to reap the benefits.[78]
54. Lord McNally, Minister of State, Ministry
of Justice, stated that the Government intended that the draft
Regulation which eventually emerged from the legislative process
would have an entirely beneficial effect. He explained how the
Government would negotiate for this result:
Just as the single market gives us access to a market
of 500 million, so legislation that will give some kind of harmony
to the workings of this sector of the economy could and should
be entirely beneficial. Why we are being, for want of a better
term, awkward in these negotiations is that we do see that there
are real threats to business if we allow the Regulations to emerge
in such a way as to put an extra burden on business.
We are also very aware that small businesses could
be particularly affected by some of the suggestions. [...] We
are trying to get a proportionality into the structure of the
Regulations that we don't feel is there at the moment in what
the Commission are putting forward.[79]
[...]
We are not negotiating for failure. We believe that
we have allies. [...] The Commission come up with ideas and proposals
and then others say, "No, thank you." Although the negotiations
have been slow, we are not in a position where we feel that we
can't achieve our objectives. [...] We want something that is
proportionate, flexible and that doesn't impede entrepreneurship
by either large or small companies but does get the balance right
in protecting the privacy of the citizen.[80]
The Information Commissioner told us that there was
scope for changes to the proposals, stating:
I suspect there is a lot about this draft Regulation
and Directive which can be easily changed with an appropriate
negotiating stance from the UK and others. The big mistake we
make is to say, "We hate this; we hate this; we hate this - we're
not going to play", whereas, with a little bit of diplomacy,
we could achieve a much better result.[81]
55. We note that both the Government
and the Information Commissioner believe that the necessary changes
in the Regulation and the Directive can be agreed through negotiation,
and we support them in their efforts to achieve this.
Specific aspects of the draft
Regulation
56. We highlight here some specific aspects of
the Regulation as it is currently drafted that witnesses have
particularly commented on.
DELEGATED ACTS
57. The draft Regulation includes 26 provisions
conferring power on the Commission to adopt delegated acts. Françoise
Le Bail explained how these could help keep the legislation up-to-date
with technology:
[O]ne thing we wanted to do when designing this Regulation
was to make sure it will be technology-proof, [and] this Regulation
[...] leaves flexibility in the form of delegated Acts. It is
not that all Member States see with great enthusiasm delegated
Acts for the Commission, but we leave this possibility to adjust
to future developments. [...] Leaving it to secondary law, it
is not that we are doing this without any control. For secondary
law, we do that under the supervision of both the Council and
Parliament. So it is not that the Commission itself is going to
decide what is going to happen on these matters. [...] [T]he choice
was either to put everything in great detail in the Regulation
or to leave flexibility. We chose to leave flexibility.[82]
58. The extent and scope of the provision for
delegated acts attracted significant criticism in written evidence.
The Information Commissioner's Office has called on the Commission
to provide a schedule of all the opportunities for delegated acts
and their intentions in respect of each of them.[83]
Microsoft argued that the provision for delegated acts should
be significantly reduced because many of them dealt with essential
elements of the law, and should be addressed in the Regulation
itself. Additionally, other delegated act provisions gave the
Commission power to prescribe technical formats, standards and
solutions, which threatened to replace industry innovation with
regulatory intervention.[84]
In oral evidence, Jean Gonié,
Director of Privacy EU Affairs, explained that some Articles of
the draft Regulation threatened technology neutrality and said,
"[i]t is very important to have text that is future-proof
and goes with no specific standard or format".[85]
THE "RIGHT TO BE FORGOTTEN"
59. Article 17 of the proposed Regulation gives
individuals the right to request that organisations delete their
personal data in certain circumstances. Where an individual makes
such a request and the personal data has been made public, data
controllers are responsible for taking all reasonable steps to
inform any third parties that process that personal data that
the individual wishes them to erase that data and any subsequent
links to the data.[86]
Concerns regarding this aspect of the draft Regulation were expressed
by almost all those who submitted written evidence.
60. The Information Commissioner's initial analysis
paper stated:
This is one of the more interesting parts of the
Regulation. [...] However, given [the] derogations, the various
qualifications to the right and the technical difficulties surrounding
online deletion, we are unclear how the right to be forgotten
will be delivered. [...] There is a risk that if individuals
are led to believe they have a 'right to be forgotten' they will
be disillusioned if they find that the right is strictly limited
in practice. It might be preferable if this right was presented
in less ambitious terms.[87]
During oral evidence, the Information Commissioner
explained that whilst there had been a lot of attention on the
"right to be forgotten", the Justice Commissioner Viviane
Reding had said that it was more of a political slogan:
I was sitting next to her when she said it. This
was at a European Parliament briefing attended by many witnesses.
Rather to my surprise, about six months after she had said this
was the big idea, she said she couldn't understand why everyone
was getting so excited about the right to be forgotten because
it wasn't anything we didn't have already, and so everybody should
relax. Because there are so many exclusions and derogations, we
don't see it as very much of a threat because we don't see it
as very much of a right either. You can't put the genie back in
the bottle.
David Smith, Deputy Commissioner and Director of
Data Protection, added:
There was always going to be something in here that
was called the right to be forgotten because of political statements
that have been made and pressure, particularly from the French,
to introduce this sort of approach. When you unpick it, much of
what is there of the right to be forgotten is just a restatement
of existing provisions - data shan't be kept for longer than
is necessary; if it has been processed in breach of the legal
requirements it should be deleted, which goes without saying.
What is [...] important is the new Article 19, and
it is the right to object. [...] [The] balance of proof has changed
in these new proposals. I can go along to any data controller
and say, "I want you to delete my data", and they have
to come up with the compelling legitimate grounds for keeping
that data. Of course in many cases they are able to do that, but
shifting the balance of power in the relationship a bit towards
the individual seems to us to be important.[88]
61. When addressing the right to be forgotten
in their written evidence, Privacy International said "[p]erhaps
the title is a misnomer, but clearly an effective advertising
tool",[89] and "we
are not married to the name but we are married to the extra provisions".[90]
Which? agreed, saying "[w]e realise that the term is a bit
misleading"[91]
and "our general position is that, if we can find something
that wouldn't lead to that sort of consumer expectation of a wholesale
full right, then that would be great".[92]
62. The MoJ's written evidence stated:
the "right to be forgotten" should be resisted
on the basis that it would raise expectations amongst individuals
whose data is being processed that would be very difficult to
fulfil in practice - in many cases it will prove impossible
to delete data which has been disseminated across global networks.[93]
Lord McNally told us that the use
of slogans such as "right to be forgotten" created a
danger that expectations would be unduly raised. He said:
That is why, even from the very early stages of this,
we have suggested that "right to be forgotten" - which
is a great headline and a good soundbite - is not practical.
Anyone who knows how information goes round the world in this
technology knows that. What we are hoping to do, again, is to
make it clear that the individual citizen does have rights to
get data expunged or changed, but what we don't want is to give
particularly young people the idea that they can put things on
social networks and that somehow they can recall it at will because
they can't.
There are a number of problems with the provision.
For example, it creates a somewhat misleading right that may encourage
reckless posting of information in the mistaken belief that it
can be recalled. The UK supports strong deletion rights, but the
term "right to be forgotten" is unhelpful given the
details of the provision. We might suggest a change in the name
in order that it better reflects the rights that are actually
given.[94]
63. The right of citizens to
secure the erasure of data about them which is wrongly or inappropriately
held is very important, but it is misleading to refer to this
as a "right to be forgotten", and the use of such terminology
could create unrealistic expectations, for example in relation
to search engines and social media.
Notifying third parties
64. A further issue of concern arising from the
"right to be forgotten" is that the draft Regulation
would oblige data controllers to notify third parties of any requests
from a data subject that they wished their data to be erased.
Georgina Nelson, Lawyer, Information Policy, Which?, emphasised
the benefits to online consumers that the changes would bring.
Investigations by Which? found that the details of some consumers
who had accepted third party marketing had been passed on to up
to 2,000 different companies. Currently, if a consumer wanted to
contact those companies, they would first have to contact the original
company and ask for a list of the other companies that their data
had been passed on to. They would then have to contact each individual
company.
65. Many organisations who responded to our call
for evidence expressed concern that data controllers were responsible
for informing third parties. The Federation of Small Businesses'
written evidence stated:
This article is the crux of the whole data protection
framework. [...] We have no problem notifying third parties
we have given data to, but a business' responsibility should stop
there as they would be unable to ascertain that the party in question
really deleted the data. Businesses need protections in circumstances
when they may have taken 'all reasonable steps' to erase data
but cannot be aware of any additional copies with third parties
that they were not informed about. We would also like to see a
general provision in the Regulation that people should be mindful
of what personal data they put online themselves.[95]
Additionally, Microsoft told us that it welcomed
the "right to be forgotten", and would comply with it
as they currently do with the right to erase data, contained in
the 1995 Directive. However, Jean Gonié,
Director of Privacy EU Affairs, raised the problem that "[i]t
is totally possible to retrieve any kind of data where, as a data
controller, you have control of the data. [...] The problem is
that it is not possible to retrieve all kinds of data because
of the openness of the internet and the worldwide architecture
of the web".[96]
66. David Smith, from the Information Commissioner's
Office, agreed that it was unclear how informing third parties
to delete data from the internet could work in practice. He said:
Where information has been passed on directly to
a third party, then we would expect a business to have a record
of that and be able to inform them that that information should
be deleted. If they have allowed or can find links into their
sites, they should be able to trace that. But, if information
has gone out on the internet, it has been accessed from their
site, taken and posted elsewhere, it is very hard to see what
can be done. [97]
67. Anna Fielder, Trustee and Company Secretary,
Privacy International, told us that in her assessment of the "right
to be forgotten" there was a
provision of endeavour on the part of the data controller to inform
third parties about erasing data. She said:
It tells them to try. What they have to prove is
that they make a good stab at it - not that they actually
did it. [...] [I]f you look for example at social networking sites
like Facebook, they have contractual agreements with app providers,
and these contractual agreements include privacy provisions. If
they have contractual provisions with all these companies, they
can easily [...] notify them of the need to erase.[98]
68. Georgina Nelson, Which?, agreed that contracts
could aid in the retrieval of data from the internet:
We obviously understand the limitations [...] and
we are not saying that we should expect 100% erasure. [...] But,
[...] on a website you are going to have terms of service with
your users. If you are a social networking site, you also have
terms of service with your account holders. It should not be too
much of a jump to say in those terms of service you have, if there
is a notification on this website that someone has [...] exercised
their right to be forgotten, then you need to do the following
steps and we expect that of you. I would hope that the big noise
about the impossibility and the costs could be possibly broken
down into easy, possibly legal solutions through those contracts.
[...] The focus needs to be on efforts rather than the results.
There needs to be some elaboration on the right as it currently
stands so that people clearly understand their obligations and
guidance is provided on what they would expect in those scenarios.
69. We asked Françoise Le Bail what could
be considered 'reasonable steps' to inform third parties of a
request to delete data. She answered:
They have to inform, for example, the search engines
and all this to a possible, reasonable extent so that this is
deleted. They must prove that they are making a real effort, but
we are not asking them something that is impossible to realise.
[...] There is no guarantee of this and this is why we said "all
reasonable steps". The message we want to pass to these big
companies that are running these social networks and search engines
is that they need to demonstrate that they are making a real effort.
We cannot exclude it resurfacing at some stage, but we would not
like them to say, "Not for us. This is nothing to do with
us".
The final solution is that they have to participate
[...] in creating trust in the internet. Creating trust means
that you can have an influence on it - an influence which
is not rewriting your life but an influence on these things that
are on the net that you have not posted yourselves or you have
posted at an age when you were not conscious of the damage it
can do and you want to see it disappear. It is a very important
element for trusting the internet.[99]
70. However, David Smith, Information Commissioner's
Office, questioned how the "right to be forgotten" could
apply to search engines:
To put it simply, if there is information about me
on a website that has been published that I do not like, and maybe
I have even obtained an injunction to stop that information being
published but it is in a foreign country and I can't do that,
can I go to Google - as an example of search engines people
usually use - and say, "Google, stop returning that information
in a search"?
It is unclear how or if this Article would apply
to that, and clarification on that would be welcome.[100]
SUBJECT ACCESS REQUESTS
71. The proposed Regulation would make subject
access requests free of charge. Françoise Le Bail explained:
[T]he right of access is a fundamental right; it
is part of the fundamental rights that should exist. We have looked
at what exists in the Member States and again it is a very varied
picture. In some Member States it is free; in other Member States
it is not. We believe that for simple access it should be free.
At the same time we say in this Regulation that, if the demands
are excessive or repetitive, you can put a fee on this. You will
have seen also that we say that, if necessary, there will be a
delegated Act from the Commission in order to make sure that the
conditions are not too different from one member state to the
other.[101]
72. Currently in the UK, data controllers may
charge a fee of up to £10 when a subject access request is
made. The majority of written evidence submissions which addressed
this point wished to retain a fee for subject access requests.
The Federation of Small Businesses told us:
Previous feedback from FSB members indicated that
the Subject Access Request (SAR) fee, although in some senses
only a token fee of £10 given the amount of time and resources
taken to follow up such requests, was actually quite helpful for
businesses in a) preventing time wasters and b) actually recouping
some costs. We would prefer that this fee, albeit token, is reinstated.
[...] Abolishing the fee for a subject access request will
in fact mean a net burden increase for small businesses. Also,
people could misuse this right by massively asking for their data
in the same way cyber attacks are carried out. This could lock
up business systems and overload businesses.[102]
73. The MoJ's Summary of Responses states:
[B]usinesses and other organisations have not welcomed
the removal of the ability to charge a fee. These groups have
predicted an increase in the volume of subject access requests
they receive if the fee is abolished, which would have detrimental
effects on resource capabilities and budgets. Public sector organisations
in particular have commented that they currently feel under strain
with the amount of subject access requests they receive. They
suggest that the proposal to abolish the fee will leave them stretched
and possibly prioritising subject access requests over other similarly
important pieces of work, so as to avoid the substantial administrative
penalties. [...] Many of the responses which covered Article 12
asked the European Commission to clarify the term 'manifestly
excessive' and 'repetitive character' in this context.
The MoJ have set out their negotiating position on
subject access requests:
[The UK Government will] support the requirement
for additional information to be provided to data subjects both
proactively and in response to subject access requests (subject
to consideration of the additional costs), but resist the proposal
that subject access rights be exercisable free of charge.[103]
74. Which? are strongly opposed to the Government's
position to "resist that subject access rights be exercisable
free of charge". They argue consumers have a right to know
what data an organisation holds about them and should not have
to pay to access their data. They state:
We fully understand the need to protect companies
from vexatious requests, but such safeguards already exist in
the proposal which states that "where requests are manifestly
excessive, in particular because of their repetitive character,
the controller may charge a fee for providing the information
or taking the action requested, or the controller may not take
the action requested". [...] A £10 fee is likely
to deter consumers, especially vulnerable consumers, from obtaining
this information. We also think such a fee goes completely against
the spirit of the Government's midata programme which aims to
give consumers access to their personal data in a portable, electronic
format.[104]
Georgina Nelson, Lawyer, Information Policy, Which?,
questioned whether the removal of a fee would have any impact
on organisations stating:
From Which?'s own experience, when I first
arrived, [a fee system was] in place as standard and we removed it.
We didn't suddenly see a flood of subject access requests hit
us. I would question this call from business that, "We are
going to be inundated. These are the costs that we're going to
experience." I would actually question that. When we have
done a recent poll on this area, only half of people knew that
they had the right; only 7% had ever exercised it, but 76% thought
it was completely unacceptable for a company to charge them for
their information. [...] It is a barrier, effectively, which companies
want, and that barrier will be provided by the exemptions within
the Regulation around "manifestly excessive", so they
will still have that caveat and get-out. For the majority,
it should be free.[105]
75. Anna Fielder, Trustee and Company Secretary,
Privacy International, described her husband's experience of identity
theft. A bank account
was opened in his name and goods were ordered from various catalogues.
It took over six months, and subject access fees of approximately
£200, to access all the companies that had wrong records.
She added, "Imagine an elderly vulnerable person who doesn't
know the law, having to do that individually with every company.
It just wouldn't be possible and it would be excessive as well
in terms of charges. There are concrete examples [...] where we
need specific, good measures to make sure that people can access
their records and correct them".[106]
76. We raised this issue with Lord McNally, Ministry
of Justice, who said "the Government currently set a £10
fee for access. It is important to note that many organisations
do not charge this fee; instead it serves as a useful filter to
deter more speculative requests if those are problematic for the
data controller".[107]
When we directly asked the Minister 'why should I have to pay
to have access to know what information about me is being held?',
he responded "That is a very powerful argument". He
went on to concede there was an element of unfairness in seeking
to charge people to find out what organisations held information
about them, and stated, "[t]he concept of 'This is my data'
is very fundamental".[108]
77. An individual's right of
access to their own personal data is a fundamental right; and
individuals should not be required to pay a fee to make a subject
access request. We urge the Government to change its negotiating
position to one which accepts that subject access rights should
be exercisable free of charge.
OBLIGATION TO APPOINT DATA PROTECTION
OFFICERS
78. Another issue that has been subject to a
large number of comments in written evidence is the requirement
placed on organisations to appoint a data protection officer (DPO).
Françoise Le Bail, European Commission, explained how the
Commission decided which organisations were mandated to employ
a DPO:
We say, if you are a big company with more than 250
employees, then you need a data protection officer. But, if you
are a small company, unless you specialise in dealing with very
sensitive data, you do not need one. I can tell you that I dealt
with that one personally. If you take Germany, for example, if
you are a company with 10 employees, you need a data protection
officer. Of course we discussed this question very openly. Should
we say above 10 employees that you need a data protection officer?
We took the right decision, which is to avoid the obligation of
having a data protection officer if you have less than 250 employees.[109]
We asked her if it would be more effective to look
at the sensitivity of the data that the organisation was handling,
rather than the number of employees, to which she replied:
It is a possibility. [...] We chose the European
definition of an SME, which is 250, for simplicity. Everybody
knows the definition; either you are above or below. It was for
reasons of simplicity. But, again, if there are better ideas to
reduce the burden for SMEs, we will look at them, because one
of the essential elements of this Regulation was to take into
consideration the admin burden. So we are prepared to look at
it; if there is a better idea, if it is as simple, why not?[110]
Additionally, we asked if, for example, it might
be better for a company to have heads of departments with data
protection responsibilities on a scale dependent on how much data
their section handled. She answered:
We specify data protection officers again for big
companies because, from the consultation we had, we gathered that
most big companies already have a data protection officer. The
only difference is that, sometimes, somebody is only doing that
and sometimes it is a member of the legal service doing something
else. This is the information we collected. It seems to us that,
to have one point of reference dealing with data protection for
the company, wherever they are organised, means they can liaise
and coordinate all the services, and all this is up to them,
not to us. But to have one point of reference - one person
who can be the contact point, for example, of the data protection
authority and the Information Officer in the UK - would be
a simple solution. This is why.[111]
79. The Federation of Small Businesses told us:
We think that a data protection officer should not
be mandatory at all for SMEs. Of course we are happy with the
exemptions. It should be assessed by the business itself if you
need a data protection officer because it is very expensive to
have one. We would advocate it for businesses that are data-centric
and monitor data on a daily basis. We think it is a matter of
assessing yourself, based on the risk you run.[112]
80. Lord McNally agreed with this view, and stated:
We are also very aware that small businesses could
be particularly affected by some of the suggestions, such as an
absolute commitment to appoint a data protection officer [...]
which might be easily absorbed by one of the data giants but which
a small enterprise would find difficult. However, we don't want
to do it by a simple cut-off. It may be a relatively small business
that is dealing with very highly sensitive data and we wouldn't
want them just to escape their responsibility simply by size.
We are trying to get a proportionality into the structure of the
Regulations that we don't feel is there at the moment in what
the Commission are putting forward.[113]
81. We believe that if the requirement
to employ a Data Protection Officer is retained it should be based
on the type of business and the sensitivity of data that is handled,
rather than the number of employees.
BREACH NOTIFICATIONS
82. The Government's Explanatory Memorandum on
the draft Regulation supported the principle of notification of
data breaches to the supervisory authority, but questioned the
general requirement for notification within 24 hours where feasible,
stating that this could delay necessary work to mitigate or remove
the data breach and ensure the data was protected again as quickly
as possible. The Government suggested the revised E-privacy Directive
2002/58 could provide a useful precedent for consideration. This
Directive sets out that, when a personal data breach occurs, the
provider has to report this to a specific national authority without
undue delay.[114]
The majority of written evidence we received concurred with this
position.
83. Which? told us there was also an obligation
to notify data subjects of a breach without undue delay. They
argued:
Last year there were a vast number of high street
breaches that hit the press. Consumers often didn't hear about
it from the high street themselves; they heard about it through
social networking sites or through the media, and that again really
shook trust. What the Regulation is proposing to do is put an
obligation on data controllers so that, if they do suffer a breach
that adversely affects consumers, then they have to notify them.
[T]hat would really build trust.[115]
However, some respondents to our call for evidence
raised the issue of 'notification fatigue'. The Direct Marketing
Association (UK) Limited explained:
If every data breach has to be reported, regardless
of its nature or importance, there is a strong possibility of
"notification fatigue" setting in - there is evidence
of this effect in the USA where most states have this obligation.
There is then a risk that consumers may ignore the notification
of a serious breach, where they need to take action in order to
prevent identity theft.[116]
SANCTIONS
84. Article 79 of the draft Regulation introduces
the power for supervisory authorities to impose fines of up to
€1m, or in the case of an enterprise up to 2% of its annual
worldwide turnover.[117]
In the UK the Information Commissioner currently has the ability
to impose a Civil Monetary Penalty of up to £500,000 for
the most serious breaches of the principles set out in the Data
Protection Act where there is likely to be harm to an individual.
The Government's Explanatory Memorandum states "the proposed
provisions in the Regulation appear to be very prescriptive, leaving
little flexibility for supervisory authorities".[118]
85. Microsoft commented in their written evidence,
"the Regulation takes a 'one-size-fits-all' approach, [applying]
the same sanctions to deliberate, flagrant violations of the rules
as it does to violations that are merely accidental. [...] To
be balanced and effective, the Regulation should ensure that the
most punitive sanctions are reserved for truly bad actors".[119]
86. The Information Commissioner told us he wanted
the discretion to use the experience and judgment of his team
to judge behaviour, judge the circumstances and consider mitigating
actions, which is what happened currently with civil monetary
penalties. He added that he did not favour a one-size-fits-all
approach, whereby sanctions were imposed on every occasion and
a fine for a particular sum of money was imposed, as he thought
this would have no impact on compliance.[120]
87. Françoise Le Bail, European Commission,
explained the rationale for the sanctions, stating, "for
the first time we are proposing fines that matter, which make
you think twice. [...] That was very important because the fines
that exist now currently in Member States are minimal and you
can ignore the Directive [...] or the national law that implemented
it; it doesn't matter".
In addition, she explained that there was a staggered
approach to the level of sanctions:
You will also see that in the fines we are proposing
there are steps to be taken. If you forgot about it, you didn't
remember the provision and didn't do it intentionally, you get
a warning, if I remember correctly. Then, if it is a repetitive
pattern where it starts to become obvious that you intentionally
don't respect the Regulation, these fines are implemented to the
full.
Her colleague, Marie-Hélène Boulanger,
Head of the Data Protection Unit, added:
If you look at the provision purely from a legal
point of view, you will see that [...] there is a clear requirement
to take into account the nature, the gravity, the duration of
the breach, the intention and the negligent character of the infringement
and so on. [...] Then, if we go to the other paragraph, it is
a maximum. It is "up to". So there is a margin for discretion
in the way you apply the fines.[121]
88. We believe that data protection
authorities should have more discretion as to the sanctions that
they can impose in order to effectively punish the worst behaviour.
We are aware that this could result in different approaches being
taken in each Member State, and therefore recommend that, where
there is evidence that such differences are having a deleterious
effect on compliance, the European Data Protection Board be entrusted
to provide guidelines on the type of sanction that may be appropriate
in given situations.
EXEMPTIONS FOR SMALL AND MEDIUM-SIZED ENTERPRISES
89. The Government's Explanatory Memorandum on
the draft Regulation commented that the proposal was one of several
where the scope for a lighter regime for SMEs would be considered
in the Commission Communication, Minimizing regulatory burden
for SMEs.[122]
The Federation for Small Businesses' written evidence noted a
number of areas where small businesses will be exempted such as:
Article 14 - Information Duties; Article 28 - Keeping Documentation;
and, Article 35 - Data Protection Officer. However, it also noted
that many of the exemptions for small businesses are only included
in delegated acts, rather than on the face of the Regulation.
Concerns raised by specific groups
90. During this inquiry we received a large number
of written submissions which raised concerns specific to a particular
industry or activity. We highlight some of them here.
Credit Reference
91. Equifax believed that in their current form,
there was a significant risk the proposals could restrict the
ability of credit reference agencies to provide critical services
to the financial services sector, consumers and Government. They
argued that the proposals overlooked an important distinction
between 'citizen data' (information necessary to make business,
Government and the economy work) and 'consumer data' such
as a Facebook profile, Twitter account or internet history.[123]
92. We raised this with Christopher Graham, Information
Commissioner, who said:
I [...] think that all the benefits that come from
the online world are benefits for consumers as consumers but also
consumers as citizens. [...] But we do need a very strong data
protection framework for us to be able to get all the benefits
of online without the risks. I don't see any merit in splitting
one's persona between, "I am a citizen at the moment, but
at the next minute I am a consumer and I therefore deserve less
protection".
David Smith, Deputy Commissioner and Director of
Data Protection, Information Commissioner's Office, added:
The same arguments are being made about the definition
of personal data: that this is cast too wide and it captures
things like IP addresses on the internet. But having a rigid definition
which captures the right things and doesn't catch the wrong things
in a changing technological age [...] is very difficult. It is
right that a wide range of information (anything that can
be potentially used to affect you in any way) is caught by
the legislation. What we then need to do, whether it is consumer
data or citizen data, is to ensure that the provisions apply in
a sensible proportionate way, given how that data is being used.[124]
Social Media
93. The Brussels European Employee Relations
Group argued that the draft Regulation was overly centred on issues
relating to social media business and not the vast number of other
types of business. They stated, "It is inequitable and impracticable
to lump together the concerns relating to data privacy and new
social media with the data processing that every business must
do on the employment relationship: hiring people, managing them
and dealing with their departure".[125]
94. Lord McNally agreed that some of the proposals
seemed to be over-concerned with social media, and said, "what
we are really looking for is a coherent set of rules that will
apply for all data controllers, which is simple and clear to understand
and apply".[126]
Freedom of speech
95. The Newspaper Society highlighted the potential
detrimental effect upon freedom of expression which could be wrought
by the application of a "right to be forgotten". They
quoted the former Justice Secretary, Rt Hon Kenneth Clarke MP,
as saying "Other voices than mine have raised concerns over
[the right to be forgotten's] ability to impinge on free speech,
and to censor information which has been legitimately circulated
in the public domain".[127]
96. Lord McNally told us:
On the freedom of speech issue, Article 8 states
very clearly that the processing of personal data carried out
solely for journalistic purposes or the purpose of artistic or
literary expression in order to reconcile the right to the protection
of personal data with the rules governing freedom of expression
should be open to exemptions or derogations.
Glenn Preston, Deputy Director for Information and
Devolution, Ministry of Justice, added:
It pretty much replicates what was already there
in the existing Directive. There has not been a great call for
us to change or amend that. Certainly we don't have any expectations
that that is high on the list of things that people have been
concerned about.[128]
Health
97. The British Medical Association (BMA) had
serious concerns that Article 83 of the draft Regulation appeared
to permit the processing of health data, in identifiable form,
for research purposes without any reference to consent. Their
written evidence explained the only safeguards which appeared
in the clause seemed to be that identifiable data had to be kept
separate and researchers would use identifiable data only if research
could not be fulfilled by using non-identifiable data. The BMA
argued that this seemed to significantly lower the existing standard
for protection of health data.[129]
98. When we put this to the MoJ, they stated:
We are aware that the individual citizen is very
concerned that their medical records are not able to be disseminated
in an improper way. Our conclusions are that, with the way the
proposals are put, there are sufficient protections for medical
records, but it is something that we will keep closely in view.
[...] We do think the provisions in the Regulation are relatively
strong on this particular point.[130]
99. Lord McNally wrote to us on 27 September,
and stated:
I can confirm that the Government did not receive
a submission from the BMA [...] during our Call for Evidence.
The evidence session was therefore the first time that these issues
had been brought to my attention, for which I am grateful to the
Committee. Fortunately, MoJ officials are attending a roundtable
event on these proposals with the BMA in October. We will use
this opportunity to listen to their concerns and factor them into
our policy positions and negotiations in the Council.[131]
Fraud detection
100. A number of organisations expressed extreme
concern that changes to the EU data protection legislative framework
might impact on the ability of organisations to share information
to aid fraud detection. The Association of British Insurers stated:
Given the importance of fraud prevention and its
benefit to consumers, it should not be left ambiguous or vulnerable
to interpretation. It is therefore important that efforts to combat
fraud are supported and explicitly recognised in the Regulation.
Whilst we believe that Article 6, Clause 1(f) for non-sensitive
data, encompasses data sharing for fraud purposes, it is not clear
whether there is sufficient flexibility in the Regulation for
sensitive data to be shared for these purposes. Of particular
concern is the restriction in the use of criminal conviction data,
which can be an important component for insurance fraud detection
or prevention.[132]
101. The Government have told
us that some organisations who submitted written evidence to us
have not shared their concerns with them. We call on the Government
to consider the points raised in paragraphs 90 to 100, and in
more detail in written evidence, and inform us as to how, where
necessary, they will be addressed in negotiations.
The Committee's opinion
102. The Regulation is necessary,
first to update the 1995 Directive and take into account past
and future technological change; and secondly to confer on individuals
rights that are necessary to protect their data and privacy as
stipulated in the Lisbon Treaty and the EU Charter of Fundamental
Rights.
103. However, the Regulation
as drafted is over-prescriptive as to how businesses and public
authorities should comply to ensure these rights are upheld. We
have been told that the Information Commissioner's Office will
require substantial extra resources, and businesses have argued
that many administrative burdens will be imposed on them.
104. We believe that the European
Commission has a choice: it can continue to pursue the objective
of harmonisation through a Regulation by focusing on the elements
that are essential to achieve consistency and cooperation across
Member States, whilst entrusting the details on compliance to
the discretion of data protection authorities and the European
Data Protection Board; alternatively, it can use a Directive to
set out what it wants to achieve in all the areas contained in
the draft Regulation, but then leave implementation in the hands
of Member States, forgoing an element of harmonisation and
consistency.
105. To answer the European
Scrutiny Committee's specific question to us:
As currently drafted, the Regulation
does give data subjects essential rights that must not be compromised
during negotiations, and it has the potential to make data protection
compliance easier for businesses, especially small businesses,
which trade across the European Union. However, we do not believe
that in its present form it will produce a proportionate, practicable,
affordable or effective system of data protection in the EU.
22 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12, para 3
23 Ev 50
24 Q 36
25 Q 111
26 Ev w25
27 Ev w63
28 Q 38
29 Q 78
30 Q 15
31 Ev 51
32 Ev w54
33 Ev 47
34 Q 61
35 Q 57
36 European Scrutiny Committee, Documents considered by the Committee on 14 March 2012, para 7.6
37 Ibid, para 7.8
38 Ev w66
39 Ev w6
40 Q 18
41 Ibid.
42 Q 40
43 Q 54
44 Q 55
45 Q 109
46 European Scrutiny Committee, Documents considered by the Committee on 14 March 2012, para 7.32
47 Q 19
48 European Scrutiny Committee, Documents considered by the Committee on 14 March 2012, para 7.33
49 5853/12 ADD 2, Executive summary of the impact assessment accompanying the document, European Commission, para 7
50 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 45
51 "The costs of current legal fragmentation for economic operators only in terms of administrative burden are estimated to amount to more than €2.9 billion in total per annum. The expected net savings for economic operators would be around €2.3 billion per annum, arising from the elimination of legal fragmentation and the simplification of notifications". 5853/12 ADD 1, Impact Assessment accompanying the document, European Commission, para 6.1.2(c)
52 Ev 55
53 Q 112
54 Q 13
55 Qq 113-114
56 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 28
57 Q 96
58 Q 48
59 Q 99
60 Q 116
61 Ev 58
62 Q 48
63 Q 44
64 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12, para 35
65 Q 40
66 Q 97
67 Q 16
68 Q 17
69 "Initial response from the ICO on the European Commission's proposal for a new general Data Protection Regulation", Information Commissioner's Office press release, 25 January 2012
70 Q 35
71 Q 43
72 Q 45
73 Ev 49
74 Ibid.
75 Ev 50
76 Ibid.
77 Q 61
78 Q 61
79 Q 108
80 Q 110
81 Q 45
82 Qq 91, 93
83 Information Commissioner's Office, Initial analysis of the European Commission's proposals for a revised data protection legislative framework, 27 February 2012, page 26
84 Ev 39
85 Q 23
86 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 17
87 Information Commissioner's Office, Initial analysis of the European Commission's proposals for a revised data protection legislative framework, 27 February 2012, page 13
88 Q 41
89 Ev 51
90 Q 67
91 Ev 48
92 Q 66
93 Ev 54
94 Q 120
95 Ev 42
96 Q 22
97 Q 42
98 Qq 62-63
99 Qq 82-84
100 Q 41
101 Q 85
102 Ev 41-42
103 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 34
104 Ev 48
105 Q 70
106 Ibid.
107 Q 122
108 Qq 122-124
109 Q 78
110 Q 79
111 Q 80
112 Q 31
113 Q 108
114 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12, para 33
115 Q 56
116 Ev w78
117 Ministry of Justice, Summary of Responses: Call for Evidence on Proposed EU Data Protection Legislative Framework, 28 June 2012, page 31
118 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12, para 36
119 Ev 39
120 Q 44
121 Qq 88-90
122 Ministry of Justice, Explanatory Memorandum - Regulation 5853/12, para 39
123 Ev w9
124 Q 47
125 Ev w1
126 Q 136
127 Ev w67
128 Q 134
129 Ev w92
130 Q 128
131 Ev 62
132 Ev w30