A brief note: between January 25th (most likely) and January 28th the official draft of a Regulation is expected to be published; it will eventually result in changes to the UK's Data Protection Act. I will do an analysis of it for the blog in the following weeks. Also, our UPDATE session on March 26th in London will be revised in order to have at least a half day devoted to the Regulation and what it means for data controllers. Our guest speaker is Jonathan Bamford from the ICO; he will be speaking on – yes, you have guessed – the Regulation.
As you know the draft was leaked and thankfully it is being revised in order for it to be released. How the text will emerge from the shadows is yet unknown – but this is what I am hoping for.
First, the Commission should trust the Data Protection Authorities to get it right. There is no need for a Regulation to say when “consent” is needed, to mandate what should appear on a fair processing notice or with a subject access request, or to say anything about data loss except, for example, that significant losses of personal data in a non-protected form should be reported to the Data Protection Authority, which can order, if need be, the necessary corrective action (e.g. contact with the data subjects). In other words, make sure the Regulation leaves most of the interpretative detail of broad Principles to the Data Protection Authorities and gives them full powers to enforce the Principles.
These Authorities can determine common standards via their meetings (e.g. A.29WP); they should be trusted to arrive at a collective view that possesses the right balance. Note that if decisions are collective, then there is little risk of a rogue Authority holding sway. Also, reliance on broad Principles can cope with changes in technology. In other words, less Regulation is more individual protection – so long as each Data Protection Authority is fit for purpose.
You also need the ability of a Member State to refer a collective decision of the Data Protection Authorities to the Council of Ministers for debate. This protects the interests of Member States and removes the argument that they have no say in the matter. If Member States have a collective view that is different to the Data Protection Authorities, and that alternative view is supported by national and European Parliaments, then I would argue that the alternative view should prevail.
This is different to the current structure, which has resulted in, for example, the UK's surveillance state and PNR Agreements that have minimal data protection: this arises when Member States enact laws that trample over the Principles.
The fine level and offences should be left to Member States. But if a Member State enacts meagre penalties, the Commission could order a corrective measure, following a report from the Data Protection Authorities.
What you do legislate for is a strong data protection corrective mechanism that ensures consistency across Europe; so when a Member State gets out of line, the Data Protection Authorities can start the ball rolling for a correction. The fact that the changes are led by the Data Protection Authorities means that corrections are based on data protection grounds and not on the vested interests of a Government or a commercial sector.
It might take 7 years to get to consistency across Europe, but as readers know this is about the length of time it has taken to half find out what is wrong with the UK’s Data Protection Act!
See comments about the leaked Regulation: http://amberhawk.typepad.com/amberhawk/2011/12/draft-data-protection-regulation-leaked-doubtful-whether-it-will-get-enacted-in-this-form.html
What is wrong with the UK Act and infraction proceedings: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html
Details of UPDATE: go to www.amberhawk.com