On January 25, 2012, the UK Information Commissioner’s Office (“ICO”) published an initial statement welcoming the European Commission’s proposed new General Data Protection Regulation (the “Proposed Regulation”), and commended the Commission’s efforts to strengthen the rights of individuals, recognize important privacy concepts such as privacy by design and privacy impact assessments, and include accountability requirements.
On February 27, 2012, the ICO released an initial analysis of the Commission’s package of proposals (including the proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”)). The ICO stated that its analysis is not intended to be comprehensive, but rather provides an overview of the most significant components. The ICO may follow up with further comments.
Highlights of the ICO’s Analysis
- The ICO recognizes that the Commission’s proposals are necessary, and that any attempt to revise existing national data protection laws would not suffice.
- The ICO would have preferred to see one comprehensive instrument, and is concerned that having two instruments -- a Regulation and a Directive -- will adversely impact harmonization. The ICO conceded that a reasonably consistent framework can be achieved if the Proposed Regulation and the Proposed Directive adopt a common approach with respect to fundamental principles.
- The ICO considers the proposals to be too detailed and prescriptive, and states that a prescriptive approach will not necessarily result in greater data protection. The ICO suggests that a more flexible approach may achieve greater compliance and result in a higher standard of data protection.
- The ICO has serious doubts regarding whether the territorial scope of the Proposed Regulation can be extended to non-EU organizations in practice (Article 3), as it is unclear how enforcement actions could be taken outside of the EU. The ICO notes that the Proposed Regulation should “encourage” voluntary compliance by non-EU organizations.
- The ICO welcomes the expanded definitions of “data subject” and “personal data.” However, the ICO advises that the Proposed Regulation should make clear when online identifiers (e.g., IP addresses) do or do not constitute personal data (as Recital 24 is unhelpful). The ICO suggests that a better approach would be to establish that, where an online identifier is used to target content at an individual (e.g., behavioral advertising) or otherwise treat one person differently from another, then the online identifier will constitute personal data.
- The ICO welcomes the eradication of the distinction between “ordinary” and “explicit consent” and the transition to only one form of consent. In addition, the ICO welcomes the clarification that, for consent to be valid, the data subject must take some positive action to demonstrate his or her consent.
- The ICO states that the definition of “main establishment” in the Proposed Regulation requires further consideration as it currently assumes that decisions regarding processing all are made in the same place, which is not necessarily the case for many organizations.
- The ICO notes a significant variation between the principles relating to the processing of personal data in the Proposed Regulation and in the Proposed Directive, and it would like to see greater harmonization. Otherwise, the ICO predicts that considerable confusion likely will ensue, particularly for organizations that are required to comply with both the Proposed Regulation and the Proposed Directive.
Rights of Data Subjects under the Proposed Regulation
The ICO particularly welcomes the strengthening of the rights of data subjects under the Proposed Regulation and notes the following key concepts:
- The requirements for transparent and accessible information (Article 11) reflect the ICO’s own approach; providing data subjects with information regarding data recipients (Articles 13 and 14(3)) is particularly key given the increasing prevalence of data sharing; expanded fair processing notices (Article 14) are also welcomed, but data controllers should be permitted to improve on any standard forms that the Commission may draft; data controllers should not be able to circumvent the right to data portability (Article 18) by holding information in non-standard formats; and the ICO welcomes the shift in burden from data subject to controller in terms of the right to object (Article 19).
- The ICO agrees that individuals who publish information about themselves online generally should be able to remove it easily (Article 17); the ICO notes, however, that an insufficiently qualified right to be forgotten “could have serious implications for freedom of expression - particularly the right to publish information - and for the maintenance of the historical record.”
Obligations of Controllers and Processors under the Proposed Regulation
With respect to the obligations of controllers and processors, the ICO notes the following:
- The concept of accountability is welcomed. However, the ICO is concerned that the Proposed Regulation places particular emphasis on documentation, as opposed to the actual conditions of processing personal data.
- In relation to data breach notification, the ICO strongly supports a legal obligation to notify (but only in circumstances where it would be proportionate), and notes that regulators should not be overwhelmed by trivial breaches. In addition, notification to data subjects should be triggered by financial loss and other negative consequences, and not just by adverse effects to data subjects’ privacy.
- With respect to international data transfers (Articles 34 and 40 - 43), the ICO prefers that controllers and processors primarily be responsible for identifying and minimizing risks, and have greater flexibility to make their own adequacy findings.
- The ICO would prefer to encourage the appointment of DPOs, rather than require such appointments. The ICO also argues that a requirement to appoint a DPO should not be linked to an organization’s number of employees.
- With respect to sanctions, the ICO questions whether “specifying in such detail all the possible breaches and the level of fine that follows is either helpful or proportionate.” The ICO states that there should be a link between the failure to comply and the actual consequences of the breach, and “[f]ines should not be imposed for procedural or record keeping failures alone.”
The UK Ministry of Justice is currently operating a Call for Evidence relating to the Commission’s proposals, which will close on March 6, 2012. Responses to the Call for Evidence are expected to shed light on whether the ICO’s views of the Commission’s proposals are shared across the UK.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code