The European Commission introduced far-reaching proposals to amend Europe's data protection laws on 25 January 2012. We first reported on those proposals, which stretched to some 119 pages, in our initial Alert the same day and our update on 16 February 2012.
Much as was anticipated then, the proposals have turned out to be something of a political hot potato, with many of them receiving political attention throughout Europe.
Laws like this in Europe need the consensus of three separate bodies to become law:
The European Commission (in this case, the proposer of the new laws), the European Parliament and the Council of the European Union ("the Council").
In addition, the data protection regulators of each of the EU member states have also analyzed the proposals in detail. Last week, the UK data protection authority, the Information Commissioner Christopher Graham, published a letter he wrote to The Right Honourable Chris Grayling MP, Secretary of State at the Ministry of Justice, reminding the UK Government of some of his concerns. The Information Commissioner felt that it was timely to remind the UK government of some of the flaws in the proposals ahead of the Council's meeting to discuss these issues.
The Information Commissioner's conclusions are not entirely positive. He says:
"As things currently stand, for all the recent talk about proportionality and risk, I see real problems ahead with the practical delivery of a Regulation that is still so detailed and specific as to the processes DPAs [Data Protection Authorities] shall undertake in almost all circumstances."
Mr. Graham lists a number of concerns, including:
The requirement for all data breaches to be notified to the DPA, rather than just those which pose significant risk (a concern that we reported on in our original Alert in more detail).
The fact that prior authorization is to be required for international transfers where this is not required under the current regime (only some countries require prior notification of a transfer; it may be hard to foresee how introducing this requirement across Europe could be said to be meeting one of the European Commission's stated intentions of reducing bureaucracy when this would in fact increase it).
Limited discretion of DPAs over administrative sanctions, which are imposed on the basis of process failures rather than on privacy risks.
Mr. Graham also expresses concern that the regime is bound to be very costly. He says...