Deputy UK Information Commissioner David Smith discusses his concerns about the EU's proposed plans for Data Protection reform
When I last wrote about the EU data protection reform proposals, it was to outline the process that the reforms would go through across 2013. It was clear that there was much work to be done discussing the precise content of the reforms, and so this blog takes a closer look at those areas of the proposals that are attracting the most debate.
You’ll recall that the European Commission produced the initial proposal, which will now evolve through input from the European Parliament and the Council of the European Union. With that in mind, where better to start in looking at the proposal’s content than with the thoughts of the Commission itself, namely Francoise Le Bail, Director General of its Justice Directorate.
Ms Le Bail spoke at the ICO’s recent annual conference for data protection officers (DPOs) when the focus of her presentation was on dispelling any concern that the new legal framework would be too prescriptive. The initial proposal had appeared to suggest that businesses would have significant hoops to jump through in order to abide by the law, but Le Bail was keen to reassure the audience that the Commission was listening to the response to the proposal, and was willing to adopt a more risk-based approach. This would, she said, mean less emphasis on a local butcher having to draft a data protection policy before compiling a customer list, but a greater focus on how a health clinic stores personal details of patients.
It’s an approach that should reduce any disproportionate impact on SMEs, and one I welcomed in my response to Ms Le Bail’s speech. As I’ve said previously, there is much for us to welcome in the content of the proposals. The current law needs modernisation, and these reforms should bring that about. Crucially, the changes will enhance individuals’ rights, not least by ensuring that where data is processed on the basis of consent, that consent is genuinely given. Such rights will also be enhanced through a shift in the balance of proof in the individual’s right to object to the processing of their data – one element of the so called ‘right to be forgotten’.
We do have reservations about some of the proposals’ content, and it is these areas we’re keen to focus the debate on. We’re concerned, for instance, about the additional flexibility currently being proposed for the public sector, and the increased role of data protection authorities in signing off arrangements for the protection of personal data when it is being transferred internationally. Closer to home, we’re also unsure about the potential impact of the changes on the way data protection authorities will be funded.
These concerns are shared by many of our colleagues across Europe, not least in the Article 29 Working Party. Our views, alongside those of other European data protection authorities, have been pulled together in a recent statement produced by the group.
Another key issue discussed both in the Article 29 statement and in Ms Le Bail’s speech is pseudonymisation. The concept is very much the current hot topic of debate around the proposed reform. It essentially offers a way forward in any move towards a more risk-based approach, suggesting that by disguising identities, data relating to an individual could be collected and analysed without a person’s true identity being revealed. In this way, the information would not be readily identifiable, and so businesses could potentially avoid some of the pressures of any new legislation.
It’s worth noting that this is not about changing what we define as personal data. This suggestion briefly reared its head, but Viviane Reding, the Commissioner in charge of the European Commission’s proposals, was quick to dismiss it. Instead, it is to see how using pseudonymous data might allow lighter obligations for data controllers, for instance in areas such as privacy by design or notification of data breaches.
As it’s a step towards a risk-based approach, it follows that we’re in favour. It’s also a technique we encouraged in our Anonymisation Code of Practice published last November. Not everyone is on quite the same wavelength though. We think this may be, in part, due to a problem over exactly what we mean by the term ‘pseudonymise’. It’s important to remember that a pseudonym is a way of disguising identity. Where an identifier – whatever form it takes – is used to treat individuals differently then the rules of data protection should apply. It is misleading to think of an IP address, for instance, as a pseudonym.
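To make the distinction concrete, here is an added example (not from the original post, and not the ICO’s own code) of pseudonymising a clinic’s visit log with a keyed hash, a method chosen here for illustration rather than one the post specifies; the records, identifiers and key are all constructed. It shows the analysis a controller can run over the disguised data, and that the controller holding the key can still single out and re-identify an individual, which is why the pseudonymised data remains personal data in its hands.

```python
import hmac
import hashlib
from collections import Counter
from typing import Optional

# Constructed sample: a clinic's visit log carrying a direct identifier.
VISITS = [
    {"patient_id": "P-0001", "clinic": "cardiology", "date": "2013-03-04"},
    {"patient_id": "P-0001", "clinic": "cardiology", "date": "2013-03-18"},
    {"patient_id": "P-0002", "clinic": "dermatology", "date": "2013-03-11"},
]

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, truncated for brevity.
    Without the key the value cannot be recomputed from a guessed identifier,
    which is what separates it from a bare hash of the same field."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymise(records, key: bytes, field: str = "patient_id"):
    """Replace the direct identifier with its pseudonym. The key is held
    separately by the controller and is never stored with the output."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["pseudonym"] = pseudonym(rec.pop(field), key)
        out.append(rec)
    return out

def visits_per_patient(pseudo_records) -> Counter:
    """Analysis that never needs the true identity: the pseudonym alone
    still links each individual's records, so they can be treated differently."""
    return Counter(r["pseudonym"] for r in pseudo_records)

def reidentify(pseudo: str, key: bytes, known_ids) -> Optional[str]:
    """The controller, holding both the key and its own identifier list,
    can map a pseudonym back to a person; a party without the key cannot."""
    for ident in known_ids:
        if hmac.compare_digest(pseudonym(ident, key), pseudo):
            return ident
    return None
```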
While this topic remains one of many currently under debate, events are nonetheless moving extremely fast. The European Commission seems publicly confident that it can do a deal working with the Irish Presidency for a political agreement in June this year. That confidence, though, must be seen in the context of a European Parliament vote on the file being rescheduled to 29 May, to allow more time for political compromises on the 3000 plus proposed amendments. We nevertheless remain hopeful that an improved Regulation will emerge towards the end of the year. Until that point, we’ll continue developing the above thoughts and others as our contribution to achieving such an outcome.
8 April 2013