Privacy & Information Security Law Blog

On October 24, 2012, the UK Justice Select Committee (the “Committee”), appointed by the House of Commons to examine the expenditure, administration and policy of the UK Ministry of Justice, published its opinion on the proposed General Data Protection Regulation (the “Proposed Regulation”) and proposed Police and Criminal Justice Data Protection Directive (the “Proposed Directive”). In the opinion, the Committee agrees that new proposals are necessary, both to update the existing data protection framework and to “confer on individuals their new rights and freedoms.” The Committee expresses reservations, however, regarding a number of key issues, and concludes that the European Union data protection proposals “need to go back to the drawing board.” The Committee notes that in its present form, the Proposed Regulation will not produce a “proportionate, practicable, affordable or effective system of data protection in the EU.”

Endorsement of the Harmonization Goal

The Committee characterizes the Proposed Regulation as “setting out prescriptive rules” with “no flexibility to adjust to individual circumstances,” a criticism that has previously been made by the UK Information Commissioner’s Office (“ICO”). It endorses the use of a Regulation, however, as the correct instrument for updating the data privacy framework in the EU. While noting that the Regulations’ direct application will lead to greater harmonization, the Committee warns that the potential benefits of harmonization may be lost through the overly prescriptive approach of the current draft.

Criticism of the Use of the Regulation and Directive

The Committee expresses concern that the European Commission proposes to utilize both a Regulation and a Directive, suggesting that this will cause confusion for individuals and for organizations within the criminal justice system. There is particular concern that the “twin-track” approach may result in an inconsistent application of the law, as the two instruments contain inconsistencies.

Impact on the ICO

The ICO previously has asserted that the Proposed Regulation will create “a regime which [no one] will pay for,” and which will cause “considerable resource implications for all supervisory authorities.” The ICO is considered to be one of the most well-funded data protection authorities in the EU. If the notification fee on which its funding is based is abolished, however, the ICO asserts that it will struggle to perform effectively its role as the data protection regulator. Meanwhile, the Committee endorses the ICO’s assertions as “authoritative.”

Rights of Data Subjects

Although it acknowledges that an individual’s right to secure the deletion of his or her data that is wrongly or inappropriately held is crucial, the Committee considers it misleading to refer to this concept as a “right to be forgotten.” The Committee suggests that the use of such terminology could “create unrealistic expectations, for example in relation to search engines and social media.” With respect to an individual’s fundamental right to access his or her own personal data, the Committee believes that individuals should not be required to pay a fee to make a subject access request. The Committee urges the government to “change its negotiating position to one which accepts that subject access rights should be exercisable free of charge.”

The Committee concludes its opinion on a more positive note, stating that it takes some comfort in the fact that the both the UK government and the ICO agree that the necessary changes to the Proposed Regulation and Proposed Directive can be achieved through negotiation.