Out-Law News

UK business and research groups worry about 'prescriptive' data protection reforms

UK business groups are concerned that reforms to EU data protection laws will be too "prescriptive", according to a new report.

The concerns are contained in the UK government's published summary of the responses to its balance of competences review on information rights (87-page / 628KB PDF). The government said every respondent to the review, which includes the British Bankers’ Association, Direct Marketing Association, the Internet Advertising Bureau and Federation of Small Business, had referenced the proposed new General Data Protection Regulation that is currently being negotiated by EU law makers.

"Most saw [the Regulation] as an opportunity to update data protection law to reflect these new concepts and developments," the report said. "However, on the whole, respondents concluded it was too process-driven and prescriptive to succeed in this goal. Above all, respondents emphasised the need to have legislation that is future-proof, principle-based, and flexible enough to cover diverse and unpredictable uses of data in the future."

RSA Insurance Group said that the rules on data breach notification contained in the draft Regulation were an example of the excessively prescriptive proposals. It said that "a requirement to report even trivial breaches would become a considerable administrative burden" and that overly detailed legislation could lead to "tick-box compliance instead of good practices", according to the report.

The government said that respondents had raised a number of other concerns about the proposed data protection reforms, including the potential "negative impact on research" it could have, "particularly in the health sector".

Groups including the Medical Research Council and the NHS European Office warned that the European Parliament's proposed version of the Regulation, if introduced, "would make ‘much research involving personal data at worst illegal, and at best unworkable'". Particular concern was raised about the rules on consent to the processing of personal data that the Parliament has given support to, it said.

Advertising industry bodies also outlined concerns with the proposed consent rules. The Advertising Association said that imposing a requirement on advertisers to obtain consumers' explicit consent to process their personal data "could lead to desensitisation for consumers".

"For example, consumers online would see constant pop up prompts demanding consent for every single ad which placed a cookie on their computer to track the ad’s success," the report said. "The British Bankers’ Association agreed and felt this could lead to confusion and unnecessary worry for the consumer, particularly given the level of detail required for each notice. There was also the opposite risk according to the Advertising Association: consumers may become de-sensitised to these prompts and take them less seriously, undermining the meaningfulness of consent."

Some respondents also said that the proposed new data protection regime could stand in the way of efforts to combat fraud and other economic crimes, which rely on data sharing and profiling.

In its report, the UK government reiterated its support for a new EU Data Protection Directive instead of a new Regulation. An EU directive is implemented into individual national laws by each EU country and provides an element of freedom over the wording of those national laws. An EU regulation applies unilaterally across the EU.

Many of the respondents to the review, including those from the technology and financial services sectors, said that the EU's existing Data Protection Directive, which is to be replaced by the new Regulation, had "struck the right balance between protecting individuals’ data protection rights and allowing for economic growth", but most said they felt the legislation has been "outpaced by new technologies and new trends of data use".

"The British Computer Society gave evidence that many technology companies felt the Directive was out of date and could not be applied effectively to new situations," according to the government's report. "Despite being intended to be technology-neutral, the Directive’s definitions for concepts such as ‘data controller’, ‘data processor’, and ‘consent’ could not always effectively be adapted to fit cloud computing or online activities such as social networks, media, and marketing[, it said]."

The government said that respondents to its review had identified the challenge policy makers face in "finding the balance between unlocking the full potential of big data and protecting personal data", and said that other technological changes, including in relation to cloud computing and the 'internet of things' (IoT), raised data protection compliance issues.

"The cloud is often spoken of as borderless," the report said. "In its evidence, the British Bankers’ Association stated that the EU’s focus on geographical restrictions to [personal data] transfers was at odds with the nature of how information moves in the cloud."

"In its evidence, the Law Society expressed a concern that some IoT devices used by individuals may intrude on the privacy of others. They suggested that in order to avoid the users of the device being deemed data controllers and regulated, policy-makers should investigate ways of regulating privacy into the design of these products," it said.
