Depth of UK opposition to the EU Data Protection Regulation exposed

Photo credit: Andrew Dunn

The basis of the UK’s position on the draft regulation is that it shouldn’t be a regulation, it should be a directive. In EU law, regulations must be implemented by all member states ‘as is’; directives allow member states to implement the proposals in a manner chosen by the member states themselves.

One of the problems for the UK is that the EU proposals come in two parts: a general regulation and a separate directive for the police and judicial system. Since the regulation is subject to modification by the European Commission (EC) while the directive may be amended by UK court decisions, the government sees a danger “that this twin-track approach might also lead to inconsistencies in application. ... The UK Government’s position with regard to the proposed Regulation is that it should be re-cast as a Directive.”

Such an approach, as a directive rather than a regulation, would help solve many of the UK’s concerns over details of the current proposals by allowing the government to modify the implementation. In its own terms, it “would allow for harmonisation in the areas where it is advantageous and flexibility for Member States where it is required.”

The Ministry of Justice response highlights a number of specific areas of concern. One of these is the regulation’s flagship ‘right to be forgotten.’ The UK agrees with the principle, but says “the use of such terminology could create unrealistic expectations, for example in relation to search engines and social media.” More specifically, it says “that this article raises unrealistic expectations for consumers that their data can be deleted when it has been passed on to third parties. This may encourage data subjects to be more reckless with their personal data, thus undermining the intention of enhancing their protection and rights.”

Another concern that pervades the UK view is that the regulation is over-prescriptive and places onerous and costly burdens on industry. “At a time when the Eurozone appears to be slipping back into recession, reducing the regulatory burden to secure growth must be the priority for all Member States. It is therefore difficult to justify the extra red-tape and tick box compliance that the proposal represents.” The ‘one size fits all’ approach of a regulation is seen to be counterproductive, and the response suggests that the EC’s proposals “should focus on regulating outcomes, not processes.” Outcomes not processes is the traditional European – and especially UK – principle-based approach to legislation; that is, law should specify what must be achieved, not how it should be achieved.

An area highlighted to demonstrate this concern is the regulation’s requirement that certain companies employ a specific Data Protection Officer (DPO). The regulation proposes that this is based on the number of employees in the company, while the European Parliament wants to amend this to the number of data subjects. The MoJ, however, believes this would be burdensome on smaller companies. “The Government’s Impact Assessment,” it says, “estimates that there could be around 42,000 micros and SMEs needing to employ a DPO, costing anywhere between £30–£180 million per annum.” The UK’s preference would be that the company itself decide whether a DPO is required, based on its own assessment of the sensitivity of the data.

In short, the UK would prefer that the EU dictate destinations, not route maps – and that this should be achieved by a directive and not a regulation. “We want to achieve protection for individuals whilst ensuring that data controllers can process data without having to comply with expensive and bureaucratic measures which do not enhance data protection and which prevent businesses from growing.”
