They are over-prescriptive, confusing and unrealistic – just a few of the committee’s problems with EC proposals
The UK’s Justice Committee has listed a plethora of issues it has with the European Commission’s data protection framework proposals, and told it to “go back to the drawing board”.
The EC drew up two pieces of legal documentation in January: a data protection directive and a regulation. Each contained different rules that organisations across member states would have to follow.
Yet many parts of the proposals have been lambasted. Many see the EC’s ideas as “over-prescriptive”. In particular, opponents have complained of the potential for excessive fines, a stipulation to make companies with more than 250 employees appoint a data protection officer, and the need to implement “privacy by design”.
TechWeekEurope recently learned of the extent to which US bodies have been lobbying in Brussels to have the proposed laws changed. The US Chamber of Commerce has a taskforce of 50 employees working on the issue, and is believed to have the backing of the federal government in its lobbying efforts.
Data protection dilemmas
The committee has now taken up the main issues in its new report, which is itself a response to a request from the European Scrutiny Committee for its opinion on the proposals.
According to the Justice Committee, the very fact that there are two separate pieces of legislation is an issue that “will lead to a division of the UK law, set out in the Data Protection Act”. Such a “twin-track approach” could breed “inconsistencies in application”, the body argued, saying it needed clarity on whether the directive would even apply to law enforcement agencies in the UK.
The committee also warned about the “right to be forgotten”, as it could create unrealistic expectations amongst citizens. Many believe the right would be technologically infeasible: given the way data is disseminated and stored, it would be impossible to completely delete it. Others have noted how the right to be forgotten might infringe on people’s “right to remember”.
Punishment is also a contentious issue. The EC has recommended that punishments for the most severe data breaches should hit two percent of the guilty organisation’s annual turnover. But the committee said nations’ data protection authorities should “have more discretion” over the penalties they can dish out.
“The current data protection laws for general and commercial purposes need to be updated, as they do not account for the digital world. However, we agree with the Information Commissioner’s assessment that the system set out in the draft Regulation ‘cannot work’ and is ‘a regime which no-one will pay for’,” said Sir Alan Beith MP, chairman of the Justice Committee.
“Therefore, we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive.”