Conclusions and recommendations
The approach to reforming the current data protection
1. We are concerned that the approach taken by the European Commission, introducing two instruments, will lead to a division of the UK law, set out in the Data Protection Act. We believe that this could cause confusion, both for data subjects, and for organisations within the criminal justice system in particular, as they will have to consider which law applies in their given circumstance. We are also concerned that this twin-track approach might lead to inconsistencies in application, both due to differing provisions in the instruments and over time, due to court decisions under each instrument. If this is still to be the approach, we recommend that there is consistency between the two instruments from the outset, to mitigate the future divergence in their application. Furthermore, the UK Government and the Information Commissioner's Office will be required to work effectively together in order to produce and disseminate effective guidance so that data subjects know their rights and organisations know their responsibilities under each law.
The draft Regulation
Arguments for and against a Regulation
2. Bringing EU data protection legislation up-to-date is necessary and could provide benefits to both individuals and businesses. Many of these benefits are only attainable if there is effective harmonisation of laws across Member States, and therefore we can understand why the European Commission decided that a Regulation was the correct instrument to achieve their objective. However, by setting out prescriptive rules there is no flexibility to adjust to individual circumstances. We believe that the Regulation should focus on stipulating those elements that it is essential to harmonise to achieve the Commission's objective, such as the consistency mechanism and the establishment of the European Data Protection Board. Member States' data protection authorities should be entrusted to handle factors associated with compliance, such as the level of fees or when it should be informed about a data protection impact assessment, whilst also being a source of guidance. Consistency of approach should then be delegated to the European Data Protection Board.
3. We call on the European Commission to work with the UK Government, the governments of other Member States, and other stakeholders, and to pool resources, expertise and information, so that a full assessment of the impact of the proposals can be produced. (Paragraph
Impact on the Information Commissioner's Office
4. We regard as authoritative the UK Information Commissioner's assertion that the system set out in this draft Regulation "cannot work" and is "a regime which no-one will pay for", and we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive, particularly in the processes and procedures it specifies.
General comments on the draft Regulation
5. We note that both the Government and the Information Commissioner believe that the necessary changes in the Regulation and the Directive can be agreed through negotiation, and we support them in their efforts to achieve this.
The "right to be forgotten"
6. The right of citizens to secure the erasure of data about them which is wrongly or inappropriately held is very important, but it is misleading to refer to this as a "right to be forgotten", and the use of such terminology could create unrealistic expectations, for example in relation to search engines and social media.
Subject access rights
7. An individual's right of access to their own personal data is a fundamental right; and individuals should not be required to pay a fee to make a subject access request. We urge the Government to change its negotiating position to one which accepts that subject access rights should be exercisable free of charge.
Obligation to appoint Data Protection Officers
8. We believe that if the requirement to employ a Data Protection Officer is retained it should be based on the type of business and the sensitivity of data that is handled, rather than the number of employees.
9. We believe that data protection authorities should have more discretion as to the sanctions that they can impose in order to effectively punish the worst behaviour. We are aware that this could result in different approaches being taken in each Member State, and therefore recommend that, where there is evidence that such differences are having a deleterious effect on compliance, the European Data Protection Board be entrusted to provide guidelines on the type of sanction that may be appropriate in given situations.
Concerns raised by specific groups
10. The Government have told us that some organisations who submitted written evidence to us have not shared their concerns with them. We call on the Government to consider the points raised in paragraphs 90 to 100, and in more detail in written evidence, and inform us as to how, where necessary, they will be addressed in negotiations.
The Committee's opinion
11. The Regulation is necessary, first to update the 1995 Directive and take into account past and future technological change; and secondly to confer on individuals rights that are necessary to protect their data and privacy as stipulated in the Lisbon Treaty and the EU Charter of Fundamental Rights.
12. However, the Regulation as drafted is over-prescriptive as to how businesses and public authorities should comply to ensure these rights are upheld. We have been told that the Information Commissioner's Office will require substantial extra resources, and businesses have argued that many administrative burdens will be imposed on them.
13. We believe that the European Commission has a choice: it can continue to pursue the objective of harmonisation through a Regulation by focusing on the elements that are essential to achieve consistency and cooperation across Member States, whilst entrusting the details on compliance to the discretion of data protection authorities and the European Data Protection Board; alternatively, it can use a Directive to set out what it wants to achieve in all the areas contained in the draft Regulation, but then leave implementation in the hands of Member States, forgoing an element of harmonisation and consistency.
14. To answer the European Scrutiny Committee's specific question to us:
As currently drafted, the Regulation does give data subjects essential rights that must not be compromised during negotiations, and it has the potential to make data protection compliance easier for businesses, especially small businesses, which trade across the European Union. However, we do not believe that in its present form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU. (Paragraph
The draft Directive
The basis for, and aims of, reforming the Data Protection Framework Decision 2008
15. We are not convinced that there is a pressing need to alter EU law in this area, given that the Framework Decision 2008 was only recently implemented. However, it is arguable that since the general 1995 Directive requires updating, the corresponding legislation which deals with criminal matters should also be updated so that the principles in each instrument are consistent.
Perceived weakness in comparison to the draft
16. We agree with the Information Commissioner that data protection principles should be consistent across both the draft Regulation and the draft Directive. We recommend that during the negotiations on the legislation, the Government seek to amend the draft Directive so that this consistency is achieved.
Application to the United Kingdom
17. It needs to be clear beyond doubt that exchange of information between UK law enforcement agencies is not covered by the Directive, and the Government's negotiating stance should seek to ensure that the exemption of the UK from provisions relating to domestic processing is written into the Directive. In order to clarify the position, the Ministry of Justice should provide an impact assessment of the draft Directive on the basis that domestic processing does not apply to the UK.
Practical impact on competent authorities
18. We understand that the Directive does not apply to domestic processing by law enforcement agencies within the UK, and it should be placed beyond doubt that this is the case. We have noted the evidence of the Association of Chief Police Officers, that the Directive might nevertheless impact on the ability of the police to use common law powers to pass on information in the interests of crime prevention and public protection, and we believe that it needs to be made clear beyond doubt that it must not have this effect. We also agree with ACPO that the Directive, like the Regulation, is unnecessarily prescriptive about the structures and processes for securing data protection compliance.
19. The Government argues that the current lack of EU legislation on domestic processing has not obstructed cooperation between Member States, but the European Commission argues that it does cause difficulties for a number of Member States. We call on the Government to explain further why they are opposed to domestic processing for other Member States, given the current position that it will not apply to the UK, and to clarify what impact the changes would have on cooperation with the UK.
The Committee's opinion
20. From the point of view of the data subject, the draft Directive provides a weaker level of data protection in comparison to the draft Regulation. We recognise the significant differences in the handling of sensitive personal data by law enforcement authorities, but in a number of respects this lower level of protection does not appear justifiable. During negotiations, the Government should seek to amend the draft Directive so that data protection principles are as consistent as possible across both EU instruments. This will additionally ensure that the rights set out in the Lisbon Treaty are upheld.
21. The Government's position is that the Directive will have limited application to the UK, due to Article 6a of Protocol 21 of the Treaty on the Functioning of the European Union. If this is the case, we believe it will be beneficial to the UK as law enforcement authorities will not be bound by over-prescriptive measures contained within the Directive. This would also mean that EU law will not apply to the domestic processing of data, such as between police forces. Domestic processing for criminal justice matters will continue to be covered by the Data Protection Act 1998.
22. To answer the European Scrutiny Committee's specific question to us:
As currently drafted, the Directive does not sufficiently protect personal data. In particular, the level of data protection is not to the same standard as that contained in the draft Regulation which covers general data protection matters. We are concerned that it should be clear that domestic processing of data within the UK by law enforcement agencies will not be covered or restricted by the Directive, and it should also be clear that Member States have the flexibility to implement the Directive in ways which achieve its purposes through processes which are appropriate and proportionate in the national context.