Friday 25 November 2011

The ICO joins the blogosphere

Welcome! A new blogger has emerged to offer thoughts and insights on data protection and freedom of information issues. This is great news – especially as the new entrant is the Information Commissioner’s Office itself. Yesterday marked their first posting – with Deputy Commissioner David Smith doing the honours, writing the historic first entry.

David focussed on an issue close to my heart, the future of data protection law in Europe. And what he had to say heartened me, as it was very much along the lines that I’ve been blogging about recently, too.

On the date of the release of the Commission’s proposals for a new legal framework, David explained why it was unlikely that it would not be before the end of January. I suggested on 26 September that it was more likely to be published after St Valentine’s Day (even though Data Protection Day, 28 January, would have been a good date to reveal all).

On whether the Commission’s proposals would be for another Directive or a Regulation, David explained that “two instruments would fit with the UK Government’s right to opt out of new EU measures covering the former third pillar [which is the area of crime and justice], but might make it harder to achieve our objective of a single, overarching framework applying to all the processing of personal data carried out in the EU.” He didn’t address the issue I raised on 9 October which suggested that Regulations could only be laid if it were demonstrably impractical for a Directive to be agreed. Remember, Regulations have direct effect in that they do not have to be transposed into member states’ laws.

On the content of the new framework, David was very firmly of the view that it must be “clear in what it does and does not cover and is easy for businesses to understand and apply. Regulation that is hard to understand and even harder to apply will not be followed in practice and does not serve the interests of those we are trying to protect.” Great stuff. Just what I said on 21 November.

David also emphasised that individuals need to have rights that are “clear, effective and simple to use.” On the “right to be forgotten” argument he suggested that: “the position of the individual could be strengthened simply by changing the existing right to object to processing from one where the individual has to provide compelling legitimate reasons for deletion to one where it is the data controller who has to provide the compelling legitimate reasons for retention.” This seems like a useful idea, and will encourage data controllers to be clearer about why data is retained (but doesn’t address the issue I raised on 13 September about the ease with which data controllers outside Europe can archive and retain data).

David was also a keen supporter of an “accountability” principle: “The law should be less prescriptive about means but business should be able to account for how they deliver data protection in practice. Concepts like privacy impact assessments and in house data protection officers are important, but should not be mandatory in all cases. This approach should extend to international transfers of personal data so that businesses take their own decisions on “adequacy” but can be challenged if they get this wrong.” I like this principle too, and am sure I have mentioned it once or twice in the 257 posts I have published since January 2010.

On the role of Data Protection Authorities, David was keen to preserve the British model: “We need to be independent, have a clear role and be armed with effective powers but we should supervise, enforce and advise rather than give prior approval or authorisation to a data controller’s activities.”

Interestingly, David also commented that much of the Commission’s current thinking is influenced by “large multi-national, mainly US based, businesses”. There was a relatively low level of engagement from those representing European business and citizens’ interests. Perhaps this is because, given these harsh economic times, European businesses and consumer groups simply have not been able to allocate sufficient resources to enable those who would have liked to have had their say to actually engage more fully in the lobbying process. I expect this may change slightly when the first draft of the Commission’s proposals has been published. I blogged on 8 October about the likely political impact of these proposals, and am amazed that no-one has yet posted that impact assessment on the web. We data protectors are obviously better at respecting confidences than English rugby players (or English rugby administrators, or whoever else it was)!

One thought has just occurred to me – given the similarity of views between yours truly and the Commissioner’s Office, perhaps I ought to apply for the post of Information Commissioner when the present incumbent’s term expires ...

I’ll certainly watch out for future ICO blog postings. But remember folks – don’t stray too far away from my blog. You might read about most of it here, first!