ICO: Europe's prescriptive approach to data protection won't work in the UK

Deputy Information Commissioner David Smith warns that the new data protection regulation currently going through European Parliament won't suit the UK, and may not even be agreed

The ICO has today warned that the data protection regulation currently making its way through the European Parliament may not suit the UK, and in fact may not even reach the agreement necessary for it to come into force.

David Smith, Deputy Information Commissioner and director of data protection at the UK's data watchdog the Information Commissioner's Office (ICO), made these pronouncements today at Infosec 2013.

He explained that the idea behind the new regulation is to harmonise data protection rules across Europe's 27 member states, adding that the recent difficulty in prosecuting Google when it harvested individuals' Wi-Fi network data as part of its Streetview project was a driver.

"The driver behind this [regulation] is harmonisation, the EC is very driven by demands from multinational businesses, who say we're supposed to have one Europe, but we have 27 different sets of rules in data protection. They want to do business with one set of rules across the EU."

But Smith added that this harmonisation risks being overly prescriptive, with individual countries left constrained by rules that they are unable to tailor to their specific cultures and environments.

"The risk is when you produce one set of rules, they become very detailed and allow little scope for differentiation, and there are huge differences across Europe in terms of laws. Some countries say Google Streetview can't operate due to data protection, but that's not a sensible rule for the UK.

"This drive [to harmonisation] could be counter-productive if it means lots of rules which don't make sense in the UK."

He explained the ICO's preference would be for a risk-based approach to data protection, rather than one of prescription.

"We welcome [the regulation], it will give better rights for individuals and better protection for data with better accountability. Businesses not only have to have compliance mechanisms to ensure protection of people's information, but they need to demonstrate that they're in place and are effective in practice.

"But then it almost undoes that. You know you need proper documentation and policies and procedures, proper staff with the right qualifications, and we're happy to leave it at that. When we come knocking, you justify how effective you are. But the problem with harmonisation is all those measures are spelt out in detail, so it specifies all the staff you need with specific qualifications, and all the policies and documents you need.

"So it undoes the idea that you're responsible. We're more bothered about addressing risks and outcomes, it's not just about having the right paperwork in place."

He summarised his position by explaining that the draft proposal in its current form would be detrimental to both businesses and individuals.

"The draft proposal takes the harmonisation principle too far. More consistency is needed, but not 200 rules, all applying rigidly exactly the same all over the EU. That would be detrimental to e-commerce, business, and also to protecting people's personal information.

"It becomes a question of red tape and ticking boxes. I dread being asked why we need these regulations in place, and all I can say is because it says we have to. Some of it I wouldn't be able to justify any other way.

"Tell us the results we need to achieve [not the way to achieve them]," he added.

Smith also voiced concern over whether the regulation would see the light of day at all, explaining that there are still several processes of negotiation and compromise before any new rules come into force.

"There are 3,000 amendments or so on the table at the moment as the regulation goes through the European Parliament.

"In the parliament, a lot of amendments are driven by a desire for more protection, or improved civil liberties. Whereas the debate in the Council is more driven by member states' concerns, so they want to ease back on prescription, and see looser rules for SMEs. There is no certainty that there'll be an agreement at the end of this. I'll put money on there being an agreement, but not a lot of money."

The Parliament consists of MEPs, whereas the Council is made up of representatives from the member states, with the Ministry of Justice attending on behalf of the UK.

A consolidated proposal with agreement from the Parliament, the Council, and the body that originally proposed the regulation is expected by the end of June, assuming such an agreement is reached.