Monday 18 February 2013

ICO fires more shots at the Regulation

At 82 pages in length, some people will be grateful that the ICO has just decided to publish in full its views on the proposed General Data Protection Regulation. Many more people will hope that someone else will read it for them, and produce a note summarising the highlights.  

(Top tip – if you can’t stomach all 82 pages, there are a 2 pages of similar stuff elsewhere on the ICO’s website.)

Well, this blog is not a note about any of the highlights.

But it does cast some light into the debate about two of the controversial areas – one of which I suspect that many Data Protection Officers will not have been unduly concerned about. However, the issue still deserves careful thought by Member States. It concerns the structure of the European Data Protection Board. This is evidently what enough members of the Article 29 Working Party are planning to call themselves, although I’ve recently heard that not all members of the Article 29 Working Party could agree on a new name for that august body.  

Anyway, the issue concerns the European Data Protection Supervisor, and the role that person has to play in future. As we all know, the EDPS is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies. He does so by monitoring the EU administration's processing of personal data; advising on policies and legislation that affect privacy; and cooperating with similar authorities to ensure consistent data protection.

And, as we all know, Article 2.2(b) of the proposed Regulation does not apply to the processing of personal data by the Union institutions, bodies, offices and agencies;.

So why should the proposed European Data Protection Board have to include someone who is not tasked with regulating any relevant institutions? The concept is hard for some people to accept.

But, it gets better.

Article 69 of the Regulation provides that: “The European Data Protection Board shall elect a chair and two deputy chairpersons from amongst its members. One deputy chairperson shall be the European Data Protection Supervisor, unless he or she has been elected chair.”

The ICO has commented: “We are not clear how this can provide for an election if one of the deputy chairpersons has to be the EDPS.”

I commend the ICO for its restraint. Others may well protest at the absurdity of a situation where a democratic election may need to be “fixed” to guarantee the election of a regulator who is responsible for institutions that are exempted from the regulation he is supposed to be supervising.

If this is European democracy in action, then I’m a banana.

In the UK, rotten boroughs in Parliamentary elections were abolished in the 19th Century. The most notorious borough was Old Sarum in Wiltshire. At one election, the electorate comprised 3 houses and just 7 voters, yet they had the responsibility of electing 2 Members of Parliament. It would be deeply ironic if the Regulation were to effectively propose their reintroduction.  

The second controversial area I want to highlight in this blog are the ICO’s very wise comments on Article 63, which provides that: For the purposes of this Regulation, an enforceable measure of the supervisory authority of one Member State shall be enforced in all Member States concerned.”

In a masterpiece of understatement, the ICO has suggested that: “We need to think through the implications of this degree of harmonisation. It could lead to the prohibition of a processing operation which is acceptable to the citizens of the UK – or – on the other hand – to unacceptable processing being legitimised on the basis of a simple majority vote.”

Just wait until those gentle folk in UKIP get to hear about this one. Other commentators might have preferred to shout “Keep your towels off our lawns.” We Brits don’t mind harmonisation when it makes sense, but we do bristle when we are required to adopt practices that go against the grain of our culture and national identity.