Privacy & Information Security Law Blog

On June 28, 2012, the UK Ministry of Justice outlined its negotiating position on the proposed EU Data Protection Regulation (the “Proposed Regulation”) in its published “Summary of Responses - Call for Evidence on Proposed EU Data Protection Legislative Framework” (the “Summary”).

The Call for Evidence sought to gain perspective and solicit feedback on how the Proposed Regulation would impact organizations and individuals in the UK. The responses received from the private sector were the most significant, which is not surprising given the potentially huge impact on business.

In its Summary, the Ministry of Justice has reassured organizations that it will seek to negotiate a legislative framework that “does not overburden business” and that “encourages economic growth and innovation.” The Ministry has warned, however, that “this must be achieved at the same time as ensuring that people’s personal data is protected.”

The UK, among other things, will seek to negotiate at EU level as follows:

• seek an “overhaul of the proposed right to be forgotten” to clarify its scope and the cost implications;
• “resist new bureaucratic and potentially costly burdens on organisations which do not appear to offer greater protection for individuals” (e.g., mandatory data protection impact assessments, prior authorization from supervisory authorities and mandatory data protection officers);
• support the provisions on data breach notification, in principle, as long as they “reflect the timescales needed to properly investigate a breach” and if a “sensible and proportionate threshold is provided;”
• support administrative penalties for serious breaches of data protection requirements, but urge a “more proportionate level of maximum fines” that gives greater discretion to supervisory authorities in applying their available enforcement powers; and
• “push for the removal of many of the powers for the European Commission to make delegated and implementing acts,” especially where there is scope for the European Commission to substantially alter fundamental requirements.

The Summary also states that the Ministry of Justice does not consider the impact assessment produced by the Commission on the Regulation to “properly quantify the costs which would be imposed on business through compliance with the proposals while potentially [underestimating] the benefits achieved through having a harmonised [approach].”

The Ministry of Justice noted that the UK Government may well seek additional evidence from stakeholders as the negotiations and EU level proceed.