Out-Law News

Regulators may not be able to enforce data protection regime outside of EU, ICO says

Regulators will not be able to hold companies based outside the EU accountable to proposed new data protection laws unless current enforcement mechanisms are changed, the Information Commissioner's Office (ICO) has said.

The European Commission should not suggest to citizens that the new laws offer them protection that "in reality, it cannot deliver," the ICO said.

The ICO has also said that it is "unrealistic" to expect organisations to report personal data breaches within 24 hours and that not all breaches should be reported to the public.

The Commission last month published a draft General Data Protection Regulation that, if enforced, would introduce a single data protection law across all 27 EU member states. Companies whose processing of the personal data of EU citizens takes place outside the borders of the trading bloc would also be subject to the rules.

However, in its 'initial analysis' (35-page / 433KB PDF) of the Commission's proposals the ICO said that non-EU companies could not be forced to comply with the regime under current rules.

"While we can see the desirability of extending the territorial scope of EU regulation and recognise this should at least encourage non-EU organisations to adopt good practice and meet European standards for processing personal data – particularly when targeting services at EU citizens – in practice there may be little that European supervisory authorities and others can do in terms of enforcement unless effective cross border enforcement mechanisms can be provided," the ICO said.

"This means that, in reality, non-EU data controllers’ compliance with the Regulation would be voluntary. The Regulation should be realistic about this and should not lead EU consumers to believe that the law offers them a degree of protection that, in reality, it cannot deliver," it said.

The ICO also said that the Commission needs to clarify the instances when companies would be said to be "offering goods or services to consumers in Europe". It is currently "unclear" whether non-EU based firms that merely make goods and services available on websites would come within the scope of the Regulation, it said.

The ICO said it generally welcomed the proposed new rules on consent. Organisations operating in the EU would generally have to obtain explicit, freely given, specific and informed consent from individuals in order to be able to lawfully process their personal data under the proposed new laws.

Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.

"The issue of whether consent has or has not been given, and whether it can be implied by a particular action (or inaction), has long been a cause of difficulty for the ICO. Therefore we are pleased that it has been put beyond doubt that for consent to be valid, the individual has to do something to indicate consent," the ICO said.

Under current EU data protection laws, as well as in the Commission's draft revisions, in some cases consent does not need to be given in order for personal data processing to be lawful. The ICO said that an "explicit recognition" should be written into the new Regulation that allows processing to take place "where it is clearly in the data subject’s interests and does not override his or her fundamental rights and freedoms". It said this would enable "reasonable evolution in the delivery of public services that might otherwise be unhelpfully constrained".

The current draft Regulation also does not make clear that some personal data on the internet will be considered exempt from the new rules, the ICO said.

The draft Regulation contains a particular provision that exempts the rules laid out in the text from applying to "the processing of personal data ... by a natural person without any gainful interest in the course of its own exclusively personal or household activity". The Commission recently said that 'friends'-only postings on social networking sites would be among the categories of personal data posted online that would fall into this exemption.

The ICO also expressed concern about the impact giving individuals a general 'right to be forgotten' could have on freedom of expression. It also said the way the rules are currently drafted may lead individuals to think information can be deleted when, in reality, it cannot.

"We are unclear how the right to be forgotten will be delivered in practice. There is a risk that if individuals are led to believe they have a ‘right to be forgotten’ they will be disillusioned if they find that the right is strictly limited in practice. It might be preferable if this right was presented in less ambitious terms," the watchdog said.

"We do think that individuals who choose to post information about themselves – typically on a social networking site – should generally be able to secure its removal easily. We would welcome this being made a legal requirement – albeit that once cached and published elsewhere it may be impossible to remove the information entirely from the internet. We also believe that where a third party publishes information about an individual, the publishing should cease in certain circumstances – however this seems to be provided for adequately in the [rules drafted that detail the] right to object to processing," it said.

The ICO said that giving individuals a right to force companies to transfer personal data they hold about them to other firms was a good idea, but said it was concerned that the wording of the draft might allow organisations to avoid doing this by storing data in "non-standard" formats.

Rules requiring all organisations processing personal data to document all the categories of information required under the draft Regulation are too prescriptive, the ICO said. "It is not necessary for the achievement of high data protection standards that all controllers and processors maintain precisely the same documentation," it said.

The ICO said it was "unrealistic" that companies should have to report all personal data breaches within 24 hours. It said "a simple requirement for notification ‘without undue delay’ would be preferable" and that it was not always appropriate for individuals to be told about breaches after they have been reported to regulators. It said though that companies should only have to issue data breach notifications after certain 'triggers', such as financial loss, have occurred.

"If, in practice, few if any breaches can be notified within the 24-hour period, then data controllers will be faced with unnecessary administrative burdens of providing a justification when they should be focusing on dealing with the breach," the ICO said.

The watchdog also said that it should not be "mandatory", as the Commission proposes, for organisations involved in large-scale personal data processing or risky processing to employ a specialist data protection officer. It should not be a requirement providing those companies "have effective processes in place for ensuring data protection compliance," the ICO said.

The Commission has proposed that all businesses with more than 250 permanent staff should also be forced to have a dedicated data protection officer, but the ICO said that it was wrong to judge the need for such a person based solely on company size.

"A better approach might be to assess any requirement to have a data protection officer according to the number of data subjects the organisation processes data about and / or the nature of the data concerned," it said.

Under the Commission's plans regulators will have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation. Organisations not engaged in economic activity can be fined up to €1 million for serious breaches. However, the ICO said that the ability to fine should be more limited than is currently proposed.

"The purpose of the Regulation is to protect the privacy of personal information and proportionality requires there to be a demonstrable link between any fine and a failure by an enterprise to achieve this. Fines should only be imposed for procedural or record keeping breaches of the Regulation where it is possible to demonstrate a clear link between the breach in question and the creation of a significant risk to privacy," it said.

"Furthermore, the possibility of disproportionately high penalties for a failure to report a data breach to the supervisory authority or a failure to consult the supervisory authority when carrying out risky processing will drive over-reporting. This will place unnecessary burdens on supervisory authorities and divert them from addressing areas of genuine and significant risk," the ICO said.

The Commission should also explain when 'online identifiers' relating to individuals will be considered to be personal data relating to an individual, it said.

"There is currently considerable uncertainty over the status of IP addresses, cookie identifiers and similar information generated online," it said. The watchdog suggested that the Commission outline that "where IP addresses or similar identifiers are processed with the intention of targeting particular content at an individual, or otherwise treating one person differently from another, then the identifier will be personal data and, as far as is possible, the rules of data protection will apply".

The ICO also expressed reservations about whether certain categories of personal data deserve extra legal protection. It said plans to class information relating to "religion and beliefs" as sensitive personal data should be qualified so that only "similar beliefs" to those which are religious merit special protection.

The ICO expressed concern that the duties that the Regulation, as drafted, would require regulators to undertake may not be appropriately funded. It also said that there were many uncertainties about how the rules set out in the Regulation would work in practice because so many "delegated and implementing acts" still had to shape out the detail of certain provisions.

The ICO said that the new data protection regime should be more "flexible" than currently proposed and said that organisations were more likely to adhere to measures that they actually could see contributing to improvements in privacy.

It is proposed that the draft regime would come into effect two years after it is approved; however, the ICO said it was "sceptical" whether such a delay was necessary.
