EU data protection proposals – pros and cons
by Gill Montia
The UK’s Information Commissioner has flagged up a number of problems that could arise from a proposed EU update of data protection rules.
Overall, the Commissioner has welcomed the proposals, which include:
1. Strengthening provisions relating to consent so that when an individual’s consent is relied on for processing personal data it is genuine consent.
2. Making the right to object meaningful by shifting the requirement from one where the individual has to demonstrate compelling legitimate grounds for deletion to one where the controller has to demonstrate compelling legitimate grounds for retention.
3. Introducing the right to data portability enabling individuals to obtain a copy of data held about them in a reusable, electronic format.
4. Placing important legal obligations directly on to processors.
5. Introducing a compulsory data breach notification duty that applies across all sectors (albeit that the Commissioner considers this should be restricted to serious breaches only).
6. Giving legal recognition to the use of binding corporate rules to provide appropriate safeguards for international data transfers.
7. Encouraging incentives for Data Protection compliance in the form of certification mechanisms and Data Protection seals and marks.
8. Strengthening the powers of Data Protection authorities including comprehensive investigative powers.
However, on the downside, the proposals are “unnecessarily and unhelpfully over prescriptive” in some areas and, according to the Commissioner, could result in a “tick box” approach to data protection compliance.
On this basis, further thought is needed regarding:
1. Retaining the concept of special or sensitive categories of personal data and the inflexible nature of the grounds on which such data can be processed.
2. Requiring organisations to obtain the prior approval of the data protection authority for some types of processing, particularly in relation to international transfers.
3. Extending the scope of data protection obligations to any processing that is directed at individuals residing within the EU without any clear indication of how the Regulation’s requirements can be readily enforced outside the EU.
4. Restricting the ability of public authorities to process personal data even where the processing can only be of benefit to individual citizens.