Is 'Data Protection Regulation' really too much of a burden?

Professor Douwe Korff gives his thoughts on the ICO's letter to the Ministry of Justice on the 'Data Protection Regulation'

Image: data table vis by Jason Brackins CC BY-NC-SA 2.0

 The "Data Protection Regulation" is currently being discussed by European policy makers. We think it could offer better privacy protection and give people more control over their data, which is much needed. The Ministry of Justice and the Information Commissioner's Officer have both expressed concerns about the proposals, however, suggesting the new law could be too burdensome. The Information Commissioner recently wrote to the Secretary of State Chris Grayling at the Ministry of Justice setting out his overarching concerns.  

 Here, Professor Douwe Korff gives a quick, off-the-cuff immediate commentary on the letter.

(You can read the ICO's letter here )

 

After paying some lip service to the importance of data protection, this is a typically negative attitude by the ICO to any worthwhile data protection regime. Here are my specific comments on his main points of criticism:

"...too much emphasis on punishment in stead of awareness raising and education"

 Read: the ICO wants to continue with its useless "lets sort this out between friends" approach to big business (just like the HMRC deals with big corporations).  It is not totally toothless, but basically refuses to bite (other than in one or two show cases against local authorities losing millions of records repeatedly).

"only data breaches that pose 'significant risk' should have to be reported to the ICO, otherwise it would cause too much work"

 Comment: This would leave it to businesses themselves to assess if there is such a serious risk that they should report their own failures.  It would result in most security breaches still going unreported and undetected.  How much work is it for the ICO to quickly sift through reports of minor breaches, to fish out the more serious ones?

 The ICO is against "prior authorisation" for some international data transfers.

 Comment: this is a crucial safeguard that should remain in the regulation.  again goes to show the ico doesnt really care about our data protection rights and interests.

 The Information Commissioner doesnt want to be forced to impose administrative sanctions for mere "process failures" which did not lead to real privacy risks.

 Comment: He basically doesnt like enforcing the law, but he ought to! what is he there for?!

 He doesnt like having to take part in the "consistency mechanism"; it is "insufficiently risk-based" and "contains unrealistic time-limits".

 Comment: The consistency mechanism is essential to ensure that the regulation is applied the same throughout the EU, and interpreted strictly (rather than arbitrarily and loosely, as is the case with the ICO's approach to the UK DPAct and the current DP Directive)!  it again goes to show that he really wants to keep the UK as a country where data protection is not seriously enforced, even by the national DPA.

 Oh, and of course he isn't asking for serious money to uphold our fundamental rights:

 "... given the state of public finances across the EU and the more obviously higher priority causes competing for public funding, it is surely questionable that there will be more money available for DPAs than there is now."

 Comment: At the moment, the ICO costs only £16 million a year, which is about 25p per citizen ...

 

To learn more about the Data Protection Regulation and how to contact your MEP, see the campaign website Naked Citizens.