At 82 pages in length, some people will be grateful that the ICO has just decided to publish in full its views on the proposed General Data Protection Regulation. Many more people will hope that someone else will read it for them, and produce a note summarising the highlights.
(Top tip – if you can’t stomach all 82 pages, there are a 2
pages of similar stuff elsewhere on the ICO’s website.)
Well, this blog is not a note about any of the highlights.
But it does cast some light into the debate about two of the
controversial areas – one of which I suspect that many Data Protection Officers
will not have been unduly concerned about. However, the issue still deserves
careful thought by Member States. It concerns the structure of the European
Data Protection Board. This is evidently what enough members of the Article 29
Working Party are planning to call themselves, although I’ve recently heard that not
all members of the Article 29 Working Party could agree on a new name for that
august body.
Anyway, the issue concerns the European Data Protection Supervisor, and
the role that person has to play in future. As we all know, the EDPS
is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice
in the EU institutions and bodies. He does so by monitoring the EU
administration's processing of personal data; advising on policies and
legislation that affect privacy; and cooperating with similar authorities to
ensure consistent data protection.
And, as we
all know, Article
2.2(b) of the proposed Regulation does not apply to the processing of personal
data by the Union institutions, bodies, offices and agencies;.
So why
should the proposed European Data Protection Board have to include someone who is not tasked
with regulating any relevant institutions? The concept is hard for some people to accept.
But, it gets
better.
Article 69 of the Regulation provides that: “The European Data Protection Board
shall elect a chair and two deputy chairpersons from amongst its members. One
deputy chairperson shall be the European Data Protection Supervisor, unless he
or she has been elected chair.”
The ICO has
commented: “We are not clear how this can provide for an election if one of the
deputy chairpersons has to be the EDPS.”
I commend
the ICO for its restraint. Others may well protest at the absurdity of a
situation where a democratic election may need to be “fixed” to guarantee the
election of a regulator who is responsible for institutions that are exempted
from the regulation he is supposed to be supervising.
If this is
European democracy in action, then I’m a banana.
In the UK, rotten
boroughs in Parliamentary elections were abolished in the 19th
Century. The most notorious borough was Old Sarum in Wiltshire. At one
election, the electorate comprised 3 houses and just 7 voters, yet they had the
responsibility of electing 2 Members of Parliament. It would be deeply ironic
if the Regulation were to effectively propose their reintroduction.
The second
controversial area I want to highlight in this blog are the ICO’s very wise
comments on Article 63, which provides that: “For the purposes of this Regulation,
an enforceable measure of the supervisory authority of one Member State shall
be enforced in all Member States concerned.”
In a
masterpiece of understatement, the ICO has suggested that: “We need to think
through the implications of this degree of harmonisation. It could lead to the
prohibition of a processing operation which is acceptable to the citizens of
the UK – or – on the other hand – to unacceptable processing being legitimised
on the basis of a simple majority vote.”
Just wait
until those gentle folk in UKIP get to hear about this one. Other commentators
might have preferred to shout “Keep your towels off our lawns.” We Brits don’t
mind harmonisation when it makes sense, but we do bristle when we are required
to adopt practices that go against the grain of our culture and national
identity.
Sources:
.
Posts
