EU Data Protection Reforms: How the Process Works, and What the ICO Is Doing

January 30, 2013

The preamble to the 1995 Data Protection Directive makes clear that the progress made in information technology makes the processing and exchange of personal data considerably easier.  This era of easy data exchange, we are told, may bring economic and social benefits but these cannot come at the cost of the individual’s right to a private life.  Well, if that were true in 1995, when many people had yet to open an e-mail, it is even more the case today.  Smartphones, vehicle telematics, Automatic Number Plate Recognition cameras, biometric identifiers, Big Data, Midata, Location Data – the list of recent technological advancements which involve the ability to process increasing amounts of personal information is a long one.  The recent proposal to update the EU framework of data protection law should, therefore, be seen as an attempt to ensure the protection of private life in the context of this data-driven world, giving citizens greater control over their personal information. 

It Really Matters – Engage with the Process 

Blogging on our web site recently, David Smith, Deputy Commissioner of the ICO, suggested the EU’s proposals ‘could prove to be one of the biggest changes to data protection this country has ever seen’. It is difficult to disagree with that position. The proposals will affect everyone from village newsagents to City bankers, and will likely be felt by every one of us in one way or another.  

A key change then, but with discussions on reform having already taken more than three and a half years it is little surprise that many people have disengaged from the debate. Now is the time for them to re-engage, as the process is picking up pace, and 2013 promises to be a crucial year. 

In particular, the technology sector needs to start thinking about how current and future practice can meet the standards likely to become law. There are several important areas here, including how we define ‘personal data’, the impact and limitations of the ‘right to be forgotten’ and the new rules on data breach notification. You can read our views in more detail by reading the briefing we produced for MEPs at 

Briefly though, the sector needs to build future compliance into current plans.  If the definition of personal data clearly includes information that there may be doubt about under the current law, what impact could this have on activities such as web analytics?  While we welcome the clarification of the meaning of consent in data protection law, are companies thinking of the ways in which they can gain a valid consent from a consumer accessing services on a smartphone where terms and conditions and tick-boxes are often cumbersome and confusing? 

The proposals introduce the concept of data portability, where an individual is entitled to their information in a common, reusable format.  There are future challenges here but in the UK this is already happening.  The government’s midata initiative is aimed at allowing consumers to make better informed decisions about whose services they use and how they use them.  Is now the time to start developing the technical means by which this can be achieved? 

Similarly, the concepts of Privacy by Design and Privacy Impact Assessments are currently good practice.  The proposals will see this good practice become a legal requirement in some areas.  Adopting good practice now – incorporating data minimisation and privacy protection into systems design, assessing and mitigating privacy risks at the earliest stage possible, implementing processes that identify emerging threats to privacy and security – can only help reduce the pain.  Technology which allows accurate targeting and profiling might well give rise to exciting business benefits but it could prove expensive to have to start over again if the new law renders such techniques unacceptable. 

And of course getting ready early can be a competitive advantage; the scramble for compliance by those who are not prepared rarely leads to good practice or positive news stories.    

Progress, Next Steps and the ICO Role 

So, where are we in the process?  What began as a European Commission public consultation on revisions to the European data protection framework in May 2009 has so far prompted two sets of documents. One set – the original proposals published early last year – consists of a draft general Regulation and a draft Directive specifically for the criminal justice sector and comes from the European Commission’s Vice President Viviane Reding. The second, more recent set consists of draft reports on the proposals from European Parliament MEPs Jan Philipp Albrecht (on the draft Regulation) and Dimitrios Droutsas (on the draft Directive).  

To understand why there are separate sets of documents from different bodies, it is worth briefly looking at how the process of an idea becoming a law works in the EU. 

The European Parliament is home of MEPs, voted in to represent their constituents on European matters. There are 736 of them and, much like our own Parliament, they will each sit on several committees. There are five committees directly involved in looking at the data protection reforms, with the civil liberties group taking the lead.  

The Council of the European Union is made up of relevant ministers of each member state with responsibility for the issue at hand, although for practical purposes much of the work is done by government officials. For the data protection reform, the UK’s Ministry of Justice takes charge of the regulation, but works closely with the Home Office on the issue of the directive that will apply to law enforcement agencies, the police and judiciary.  

Both the European Parliament and the Council of the European Union look at the reforms separately, before coming together to negotiate what the final law will look lie. 

So far the European Parliament is the most advanced. Its committees are well advanced in considering their compromise amendments on the reforms, and are expected to come together to negotiate a consolidated Parliament view by the end of April. 

The Council is a little behind that timetable, and its first round of amendments is not finished yet, but the issue is now being treated as a top priority. More meetings are scheduled to ensure that the negotiations can be completed as quickly as possible, to try to keep everything on track.  

Once both the Parliament and Council each have their settled views, they will meet to come to a compromise between the two. Some of that negotiation will be around whether the reforms are in the form of a regulation, which will apply directly in every EU Member State, or a directive, which will need to be transposed in a more flexible way into national law.  

Our focus at the moment is influencing the debate from both sides, to ensure that the final product works well for the UK. We have a key role in advising the Ministry of Justice, and have attended recent meetings in the Council alongside the MoJ. 

With regard to the European Parliament, we have recently sent a note to UK MEPs and other related stakeholders, outlining our views on what we see as the key issues. 

Our view, broadly speaking, is that the reforms are a great opportunity to update data protection law to reflect the way personal information is used today. But clearly it is key that we get it right first time around, as history suggests the next generation of data protection law will be in place for many years to come – the first EU data protection directive has formed the basis for data protection law in Europe since 1995. 

The key to success will be consistency. Any substantive inconsistency will doubtless cause confusion, and it is for that reason that we are nervous about a hybrid of regulation and directive. Similarly, any move to create a separate instrument governing processing in the public sector should be resisted. 

We feel that one of the great successes of the current system is the ability for the ICO, as regulator, to take sensible views on how organisations should meet the Data Protection Act’s legal obligations. With that in mind, we feel the current reform proposals are too prescriptive in dictating administrative detail and the processes organisations will have to undertake to demonstrate accountability. This could be a particular problem for SMEs.  

Getting it Right First Time 

There’s still a long way to go until these reforms start to affect our day-to-day life but, by the time they are implemented, it will be far too late to start complaining that they don’t work. That is why we’re working so hard to influence the debate. It is extremely important that we, as the responsible regulator, pay attention at this crucial point in negotiations to what the proposals say, understand how they might affect the UK and use what influence we have to achieve a sensible outcome for individuals and businesses alike.  Early and constructive engagement by the technology sector is equally important. 

Dave Evans is Group Manager – Business and Industry at the Information Commissioner’s  Office.