The Justice Committee of the House of Commons has published a new report on the EU data protection framework proposals. According to the Justice Committee, the European Union Data Protection proposals ‘need to go back to the drawing board’. The Report follows a request from the House of Commons European Scrutiny Committee and evidence sessions in September when the Committee heard from nine witnesses and took in masses of written evidence.
Sir Alan Beith MP, Chairman of the Justice Committee, said:
‘The current data protection laws for general and commercial purposes need to be updated, as they do not account for the digital world. However, we agree with the Information Commissioner’s assessment that the system set out in the draft Regulation “cannot work” and is “a regime which no-one will pay for”. Therefore, we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive’.
The processes and procedures that are specified within the proposals do not allow for flexibility or discretion for businesses or other organisations which hold personal data, or for data protection authorities. The Committee therefore concluded that the proposals should focus on those elements that are required to achieve the Commission’s objectives, whilst compliance should be entrusted to Member States’ data protection authorities.
Despite its criticisms, the Committee welcomes the potential benefits that an updated law could bring. For individuals, their rights would be strengthened, and in particular the new framework would guard against some of the more unwelcome and often criticised aspects of digital data processing. For example, the draft Regulation sets out the rights of individuals to access their personal data, to have it rectified or erased, to object to processing and not to be subject to profiling. From a business perspective, the benefits would mainly accrue through the effective harmonisation of laws. Sir Alan Beith MP said:
‘We understand that multinational firms have been lobbying heavily for greater harmonisation. We can also see how harmonisation will also aid small and medium sized companies who wish to offer their goods and services across borders. Currently a firm would have to deal with 27 separate sets of domestic legislation, and may be put off by the potential legal costs of complying with each. Whilst multinationals can take on this burden, small firms cannot. If the draft Regulation is passed, this worry will be removed as the law in Romania will be the same as in Sweden, and indeed within the UK itself’.
Whilst the draft Regulation would cover general data protection, the draft Directive is specifically concerned with data protection for law enforcement purposes. Sir Alan Beith MP said:
‘We have been told that the draft Directive does not apply to domestic processing by law enforcement agencies within the UK. This needs to be placed beyond doubt. Additionally, it needs to be made clear that the Directive must not impact on the ability of the police to use common law powers to pass on information in the interests of crime prevention and public protection’.
The full conclusions of the Committee are as follows:
The approach to reforming the current data protection framework
1. We are concerned that the approach taken by the European Commission, introducing two instruments, will lead to a division of the UK law, set out in the Data Protection Act. We believe that this could cause confusion, both for data subjects, and for organisations within the criminal justice system in particular, as they will have to consider which law applies in their given circumstance. We are also concerned that this twin-track approach might also lead to inconsistencies in application, both due to differing provisions in the instruments and over time, due to court decisions under each instrument. If this is still to be the approach, we recommend that there is consistency between the two instruments from the outset, to mitigate the future divergence in their application. Furthermore, the UK Government and the Information Commissioner’s Office will be required to work effectively together in order to produce and disseminate effective guidance so that data subjects know their rights and organisations know their responsibilities under each law. (Paragraph 13)
The draft Regulation
Arguments for and against a Regulation
2. Bringing EU data protection legislation up-to-date is necessary and could provide benefits to both individuals and businesses. Many of these benefits are only attainable if there is effective harmonisation of laws across Member States, and therefore we can understand why the European Commission decided that a Regulation was the correct instrument to achieve their objective. However, by setting out prescriptive rules there is no flexibility to adjust to individual circumstances. We believe that the Regulation should focus on stipulating those elements that it is essential to harmonise to achieve the Commission’s objective, such as the consistency mechanism and the establishment of the European Data Protection Board. Member States’ data protection authorities should be entrusted to handle factors associated with compliance, such as the level of fees or when it should be informed about a data protection impact assessment, whilst also being a source of guidance. Consistency of approach should then be delegated to the European Data Protection Board. (Paragraph 30)
Impact assessment
3. We call on the European Commission to work with the UK Government, the governments of other Member States, and other stakeholders, and to pool resources, expertise and information, so that a full assessment of the impact of the proposals can be produced. (Paragraph 37)
Impact on the Information Commissioner’s Office
4. We regard as authoritative the UK Information Commissioner’s assertion that the system set out in this draft Regulation “cannot work” and is “a regime which no-one will pay for”, and we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive, particularly in the processes and procedures it specifies. (Paragraph 43)
General comments on the draft Regulation
5. We note that both the Government and the Information Commissioner believe that the necessary changes in the Regulation and the Directive can be agreed through negotiation, and we support them in their efforts to achieve this. (Paragraph 55)
The “right to be forgotten”
6. The right of citizens to secure the erasure of data about them which is wrongly or inappropriately held is very important, but it is misleading to refer to this as a “right to be forgotten”, and the use of such terminology could create unrealistic expectations, for example in relation to search engines and social media. (Paragraph 63)
Subject access rights
7. An individual’s right of access to their own personal data is a fundamental right; and individuals should not be required to pay a fee to make a subject access request. We urge the Government to change its negotiating position to one which accepts that subject access rights should be exercisable free of charge. (Paragraph 77)
Obligation to appoint Data Protection Officers
8. We believe that if the requirement to employ a Data Protection Officer is retained it should be based on the type of business and the sensitivity of data that is handled, rather than the number of employees. (Paragraph 81)
Sanctions
9. We believe that data protection authorities should have more discretion as to the sanctions that they can impose in order to effectively punish the worst behaviour. We are aware that this could result in different approaches being taken in each Member State, and therefore recommend that, where there is evidence that such differences are having a deleterious effect on compliance, the European Data Protection Board be entrusted to provide guidelines on the type of sanction that may be appropriate in given situations. (Paragraph 88)
Concerns raised by specific groups
10. The Government have told us that some organisations who submitted written evidence to us have not shared their concerns with them. We call on the Government to consider the points raised in paragraphs 90 to 100, and in more detail in written evidence, and inform us as to how, where necessary, they will be addressed in negotiations. (Paragraph 101)
The Committee’s opinion
11. The Regulation is necessary, first to update the 1995 Directive and take into account past and future technological change; and secondly to confer on individuals rights that are necessary to protect their data and privacy as stipulated in the Lisbon Treaty and the EU Charter of Fundamental Rights. (Paragraph 102)
12. However, the Regulation as drafted is over-prescriptive as to how businesses and public authorities should comply to ensure these rights are upheld. We have been told that the Information Commissioner’s Office will require substantial extra resources, and businesses have argued that many administrative burdens will be imposed on them. (Paragraph 103)
13. We believe that the European Commission has a choice: It can continue to pursue the objective of harmonisation through a Regulation by focusing on the elements that are essential to achieve consistency and cooperation across Member States, whilst entrusting the details on compliance to the discretion of data protection authorities and the European Data Protection Board; alternatively, it can use a Directive to set out what it wants to achieve in all the areas contained in the draft Regulation, but then leave implementation in the hands of Member States, and forgoing an element of harmonisation and consistency. (Paragraph 104)
14. To answer the European Scrutiny Committee’s specific question to us:
As currently drafted, the Regulation does give data subjects essential rights that must not be compromised during negotiations, and it has the potential to make data protection compliance easier for businesses, especially small businesses, which trade across the European Union. However, we do not believe that in its present form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU. (Paragraph 105)
The draft Directive
The basis for, and aims of, reforming the Data Protection Framework Decision 2008
15. We are not convinced that there is a pressing need to alter EU law in this area, given that the Framework Decision 2008 was only recently implemented. However, it is arguable that since the general 1995 Directive requires updating, the corresponding legislation which deals with criminal matters should also be updated so that the principles in each instrument are consistent. (Paragraph 114)
Perceived weakness in comparison to the draft Regulation
16. We agree with the Information Commissioner that data protection principles should be consistent across both the draft Regulation and the draft Directive. We recommend that during the negotiations on the legislation, the Government seek to amend the draft Directive so that this consistency is achieved. (Paragraph 121)
Application to the United Kingdom
17. It needs to be clear beyond doubt that exchange of information between UK law enforcement agencies is not covered by the Directive, and the Government’s negotiating stance should seek to ensure that the exemption of the UK from provisions relating to domestic processing is written into the Directive. In order to clarify the position, the Ministry of Justice should provide an impact assessment of the draft Directive on the basis that domestic processing does not apply to the UK. (Paragraph 128)
Practical impact on competent authorities
18. We understand that the Directive does not apply to domestic processing by law enforcement agencies within the UK, and it should be placed beyond doubt that this is the case. We have noted the evidence of the Association of Chief Police Officers, that the Directive might nevertheless impact on the ability of the police to use common law powers to pass on information in the interests of crime prevention and public protection, and we believe that it needs to be made clear beyond doubt that it must not have this effect. We also agree with ACPO that the Directive, like the Regulation, is unnecessarily prescriptive about the structures and processes for securing data protection compliance. (Paragraph 133)
Domestic processing
19. The Government argues that the current lack of EU legislation on domestic processing has not obstructed cooperation between Member States, but the European Commission argues that it does cause difficulties for a number of Member States. We call on the Government to explain further why they are opposed to domestic processing for other Member States, given the current position that it will not apply to the UK, and to clarify what impact the changes would have on cooperation with the UK. (Paragraph 143)
The Committee’s opinion
20. From the point of view of the data subject, the draft Directive provides a weaker level of data protection in comparison to the draft Regulation. We recognise the significant differences in the handling of sensitive personal data by law enforcement authorities, but in a number of respects this lower level of protection does not appear justifiable. During negotiations, the Government should seek to amend the draft Directive so that data protection principles are as consistent as possible across both EU instruments. This will additionally ensure that the rights set out in the Lisbon Treaty are upheld. (Paragraph 149)
21. The Government’s position is that the Directive will have limited application to the UK, due to Article 6a of Protocol 21 of the Treaty on the Functioning of the European Union. If this is the case, we believe it will be beneficial to the UK as law enforcement authorities will not be bound by over-prescriptive measures contained within the Directive. This would also mean that EU law will not apply to the domestic processing of data, such as between police forces. Domestic processing for criminal justice matters will continue to be covered by the Data Protection Act 1998. (Paragraph 150)
22. To answer the European Scrutiny Committee’s specific question to us:
As currently drafted, the Directive does not sufficiently protect personal data. In particular, the level of data protection is not to the same standard as that contained in the draft Regulation which covers general data protection matters. We are concerned that it should be clear that domestic processing of data within the UK by law enforcement agencies will not be covered or restricted by the Directive, and it should also be clear that Member States have the flexibility to implement the Directive in ways which achieve its purposes through processes which are appropriate and proportionate in the national context. (Paragraph 151).
- Report: The Committee’s opinion on the EU Data Protection framework proposals
- Inquiry: The Committee’s opinion on the EU Data Protection framework proposals