Last week, we had the European Parliament saying that the Commission’s proposed Data Protection Regulation and Directive should be strengthened; this week we have a publication that identifies the extent of the UK Government’s opposition to both.
The document which expresses the nature of the opposition is the Government’s Response (“the Response”) to the Justice Select Committee’s opinion on the European Union Data Protection Regulation (and Directive in the field of law enforcement and judicial cooperation); its text shows what the Government wants to change and why (link at end).
This blog essentially comprises two sets of quotes from the Response, one set relating to the Regulation and the other to the Directive. The quotes more or less speak for themselves and I make very little commentary. One gets the gist very quickly! Note, however, that the UK Government’s opposition to the Directive is almost absolute.
Quotes in relation to the Regulation
- “The UK Government’s position with regard to the proposed Regulation is that it should be re-cast as a Directive”. Comment: this is to allow flexibility for Member States to implement the data protection rules in their own way. The Response states that “the Government’s position that the proposed Regulation should be re-cast as a Directive would allow for harmonisation in the areas where it is advantageous and flexibility for Member States where it is required”. Please note that the UK Government is not the only Member State that prefers an implementation by Directive (see references).
- “If the proposed Regulation were to be changed to a Directive and the proposal for a Directive were to be taken forward, then there would be two Directives, one for the general data protection framework and one for processing in the area of police and judicial co-operation in criminal matters. An advantage of this approach would be that the two Directives could then be implemented in a single piece of domestic legislation to help avoid confusion and support consistency where necessary”. Comment: note that the phrase “support consistency where necessary” infers that the data protection principles, rights, enforcement etc that apply to the police in the proposed law enforcement Directive might not be the same as in the Regulation.
- “The Government wants to see EU data protection legislation which protects the civil liberties of the individual whilst allowing for proper public protection and economic growth and innovation. These should be achieved in tandem, not at the expense of one or the other”. Translation: the Government believe that the higher protection for the individual is at the expense of public protection and economic growth.
- The Government states that “the proposed Regulation places prescriptive obligations upon data controllers as to how they will comply with the proposed Regulation, such as completing data protection impact assessments and hiring data protection officers. This is a ‘one size fits all’ approach which does not allow data controllers (from small online retailers to multinational Internet companies) to adopt their own practices in order to ensure compliance with the legislation”.
- Instead “the European Commission’s proposal should focus on regulating outcomes, not processes”. Under the risk-based model that the UK is advocating, “it would be for data controllers to put measures in place in order to comply with the outcomes prescribed in the legislation”.
- “The Government is seriously concerned about the potential economic impact of the proposed Regulation. At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is therefore difficult to justify the extra red-tape and tick box compliance that the proposal represents”.
- “At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is therefore difficult to justify the extra red-tape and tick box compliance that the proposal represents”. For example, “we estimate the costs for UK small businesses of simply demonstrating compliance with the proposals to be around £10 million” (in 2012–13 earnings terms) and in terms of the “whole economy of £100–£360 million per annum (in 2012–13 earnings terms)”. Comment: warning! There are some dodgy numbers about (see references).
- “Whether or not a DPO is appointed could depend on the quantity and the sensitivity of the data that is being handled”. Comment: this is at odds with the Regulation which says that it is the size of the organisation that determines when a data controller needs a Data Protection Officer (DPO), and the European Parliament’s amendment which says the number of data subjects is the important consideration when having a DPO.
- “The Government believes that the supervisory authorities should have more discretion in the imposition of fines and that the proposed removal of discretion, combined with the higher levels of fines, could create an overly risk-averse environment for data controllers”. It adds “ere there to be divergence in terms of the use or the levels of fines, and if those differences had a negative effect on compliance, the Government considers that the provision of guidelines by the European Data Protection Board could be useful”. Comment: note that the UK sees the role of the Board is to provide Guidelines (which, of course, could be ignored in the same way as many Working Party 29 Reports are ignored at the moment).
- “The Government agrees with the Committee’s view that the proposed Regulation as drafted is over-prescriptive in terms of how data controllers comply with the draft Regulation. Under the risk-based model that the UK is advocating, it would be for data controllers to put in place and regulate the obligations in order to ensure compliance with the legislation”.
- “We want to achieve protection for individuals whilst ensuring that data controllers can process data without having to comply with expensive and bureaucratic measures which do not enhance data protection and which prevent businesses from growing".
Quotes in relation to the Directive
Before starting there is a reference in the quotes below to “domestic processing”; to avoid confusion the term is a reference to how the law enforcement agencies work within the UK (e.g. how they process personal data already just within UK borders). It is not a reference to Section 36 of the current DPA!
- “The Government shares the Committee’s view that there is not a pressing need to update the Framework Decision 2008/977/JHA on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. The Framework Decision has yet to be fully implemented across all Member States, or evaluated. Implementation and evaluation of the current legislation should come first before new legislation is considered”.
- The Government believes that the inclusion of domestic processing in the draft Directive is at odds with the principle of subsidiarity. Under this principle, the form of Community action should be as simple as possible, and leave as much scope as possible for national decision. Furthermore, there is no evidence to demonstrate that the lack of EU rules in this area has had a detrimental impact on law enforcement activity or the protection of individuals. Comment: this can be shortened to “hands off our internal approach to policing”. Given the political agitation on the Conservative back benchers, I can’t see the current UK Government implementing it at all.
- “It is our view that introducing prescriptive requirements for domestic processing may instead have a detrimental effect on law enforcement operations, placing onerous burdens on data controllers and huge costs on public authorities – without delivering better data protection for individuals”.
- “On the issue of common law, the Government shares the view of ACPO and the Committee that the Directive should not undermine the use of common law powers in the UK or other countries with similar systems”. Comment: this shows that the Government believes that the proposed Directive would, in its current form, undermine the common law powers of the police.
- “The Government therefore does not consider that full harmonisation of police and judicial co-operation in criminal matters is necessary or desirable”. Comment: can’t be clearer than that.
The Response of the UK Government to the Justice Select Committee Report: Download Blog UK Government response to Justice re eu-data-protection-proposals
Blog covers some dodgy numbers: “Data Protection Regulation cost of compliance. Has the UK published suspect numbers?” http://amberhawk.typepad.com/amberhawk/2012/11/data-protection-regulation-cost-of-compliance-has-the-uk-published-suspect-numbers.html
Blog specifies which countries want the Regulation implemented as a Directive: http://amberhawk.typepad.com/amberhawk/2012/11/uk-government-opposed-to-the-commissions-data-protection-regulation.html
Blog discusses the Report to European Parliament on the Data Protection Regulation; enhanced protection for data subjects and fettering of Commission’s powers. http://amberhawk.typepad.com/amberhawk/2013/01/european-parliament-mauls-the-data-protection-regulation-enhanced-protection-for-data-subjects-and-fettering-of-commission.html
Details of our half day workshop on the Data Protection regulation can be downloaded here: http://www.amberhawk.com/uploads/Brochures/Amber_Regulation%20half%20day%20workshope.pdf