Concerns over the EU Data Protection Reform Proposals


The Information Commissioner (the IC) himself has published a letter addressed to the Justice Secretary detailing the burdens that the current Proposals would impose on data protection authorities (DPAs) and the impact that this would have on their ability to uphold information rights in practice.


The Proposals, which were published in January 2012, aim to create a higher standard of data protection and promote legal harmonisation throughout the EU. Proposals include increased protection for individuals' rights, clear responsibilities on data processors and the introduction of accountability for data controllers.

However, the Proposals have received continued criticism throughout the reform process including in several responses from the UK - the report by the House of Commons Justice Committee, the response by the UK Government, the analysis published by the ICO, the report commissioned by the ICO and the recent letter from the IC. Further, the ICO's report (published last month) found that there is a lack of understanding of the Proposals across businesses, with some 40 per cent of companies admitting that they don’t fully understand any of the 10 main provisions being proposed.

The Commissioner's letter

The IC's letter details his principal concerns about how the reforms may work in practice. These concerns are widely shared by other commentators and are the areas of the Proposals that are attracting the most debate:

the emphasis on punishment and sanction at the expense of awareness raising and education;
the requirement for all data breaches to be notified to DPAs, rather than just those that pose significant risk;
the requirement for prior authorisation for international transfers where this is not required under current regime;
limited discretion for DPAs over administrative sanctions which are imposed on the basis of process failures rather than privacy risks; and
participation in a consistency mechanism that is insufficiently risk based and contains unrealistic time-limits.

The next stage of the debate

The IC is now urging the European Commission to take his comments on board and hopes that "a way can be found to finalise a data protection regime that is fit for purpose – modern and effective, and delivering for citizens, consumers, and the enterprise economy".

With 27 Member States involved in the negotiation of the Proposals, few people expect the parties to have reached an agreement by June 2013 as planned. With the European Parliament and the European Commission due for re-appointment in May 2014 however, it is hoped that the reforms will be adopted by then.

For now, the topic will remain under debate and can be followed on the ICO's website.