It is no secret that the UK government has concerns about the EU Regulation as it now stands. The purpose of the Regulation is to provide a uniform approach to data protection throughout the European Union by strengthening citizens’ data privacy rights and removing ambiguity from industry’s responsibilities. On Thursday last week the Ministry of Justice held the first of a series of panel discussions to gauge public and industry feeling on the issue.
The meeting was held under Chatham House rule (that is, who says what within the four walls remains within the four walls). Nevertheless, Jim Killock, attending the meeting for the Open Rights Group, has attempted to provide a feeling for what happened without breaking that rule. “There was,” he revealed in a blog posting on Friday, “surprising consensus that a unified European data protection law would be good for everyone: business, small businesses and citizens, by making it easier for people to know their duties and rights wherever they are. The group felt this should reduce the burden on business overall.”
Because of Chatham House, we don’t know who was there or their individual attitudes. We are told, however, that attendees “included major businesses, small businesses, policing and civil society,” and that “without a doubt [the group] wanted greater legal consistency.” We must also assume that the meeting discussed principles rather than practicalities. For example, Killock separately told Infosecurity, “The ‘right to be forgotten’ does need to be framed carefully: but if your data is handed out, then of course there should be a duty to delete that data should you wish.” Just last month, however, the European Network and Information Security Agency (ENISA) published a paper suggesting that the right to be forgotten is ultimately technically impossible in an open network such as the internet. So the principle is clear; but the method less so.
The financial penalties imposed by the new Regulation are also problematic. Under the new proposals, damages will be based, writes Killock, “on the significance of a breach to a person,” not on the actual harm done. Currently, “In the UK,” he continues, “you must prove actual loss, or stress, or some other tangible harm to take someone to court,” which in turn means that “most people cannot complain to a court.” Changing ‘actual’ to ‘potential’ will involve a major change to basic UK law.
The potential monetary fines on business could also prove problematic, even though the principle is clear. “The increased fines are needed as a deterrent for bad behavior,” Killock told Infosecurity. “Basing fines on turnover means penalties can deter even the largest players.” But he is clear that there are obstacles to overcome. “The real arguments will come as US businesses and government lobbyists try to weaken the regulation,” he writes.
Nevertheless, the Open Rights Group’s position is clear: “Right now, UK citizens' interests need to be better reflected by the government, who should be supporting greater control over our personal information.”