Commissioner sets out future for EU data protection

Clarity, certainty and balance form the basis for the future of UK data protection, according to Deputy Information Commissioner David Smith.

In a new blog post published on the Information Commissioner's website, Mr Smith argues that regulation which is hard to understand and even harder to apply will not be followed in practice, and does not serve the interests of the people data protection is meant to protect.

His comments come ahead of a proposed new EU Data Protection law which is due to be published at the end of January 2012.

Speculation is rife that Commissioner Viviane Reding favours a regulation over another directive because it allows for more flexibility. Given how quickly technology, and the way it is used, keeps changing, a regulation may be the preferred instrument because it applies directly in UK law almost immediately; a directive typically takes up to three years to transpose into national law.

Mr Smith also points out that there is speculation as to whether there will be one new legal instrument or two: one to replace the current Directive and one to cover the former third pillar areas of crime and justice.

Two instruments would fit with the UK Government's right to opt out of new EU measures covering the former third pillar, but might make it harder to achieve the objective of a single, overarching framework applying to all processing of personal data carried out in the EU.

It is important that any new data protection regime does not put unnecessary burdens on businesses and leaves enough flexibility for organisations to decide how the expected standards are achieved. One approach suggested is a much more risk-based model of data protection, which encourages organisations to use the law for competitive advantage while targeting enforcement at sectors deemed high risk.

It will be interesting to see, as Mr Smith suggests, whether the position of the individual is strengthened simply by changing the existing right to object to processing: from one where the individual has to provide compelling legitimate reasons for deletion, to one where the data controller has to provide compelling legitimate reasons for retention.

Making organisations account for how they deliver data protection in practice may still require them to carry out a data privacy risk assessment to provide evidence that compliance has been taken seriously. That way, any challenge to an organisation's approach to data protection, for example its decisions on "adequacy" in international transfers of personal data, can be defended.

The European Commission has indicated that it will publish its proposal early in 2012. This is the start of a process towards a change in the law that will be negotiated in the European Council and Parliament. Changes to the law are likely to take at least a couple of years after that date to agree, and a timetable for implementation will then be required.

E RADAR Data Protection Audit™ has introduced a new Data Protection Audit Service to help organisations gain peace of mind when complying with their legal and regulatory requirements under the Data Protection Act.