Changes to the EU data protection regime should come in the form of a new Directive rather than in the form of a Regulation in order to enable that flexibility, it said.
"We are of the view that the proposed general Regulation should be a Directive in order to provide greater member state flexibility to implement the measures – a Regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice," the UK said, according to a leaked file (170-page / 606KB PDF) from the Council of Ministers published by civil liberties group Statewatch.
Currently EU member states have slightly different data protection laws from one another. This is as a consequence of the way those countries have implemented the 1995 Data Protection Directive into national laws. The wording of EU Directives does not have to be precisely copied into national laws.
The Commission has described the current data protection regime in the EU as fragmented and outdated and has pressed for reforms that bring the rules up-to-date with advancements in technology.
In January the European Commission published a draft General Data Protection Regulation which would, if enacted, introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules.
However, the UK has questioned whether regulators could police businesses' compliance with the new data protection regime if they are based outside of the EU.
"There is a real question as to whether this is enforceable and what steps Member States are expected to take in order to enforce where there is no existing mechanism," it said, according to the leaked file. "This provision could lead to EU citizens to believe their data is afforded the same protection outside the EU as within it. If this is not the case then this will be misleading and confusing for data subjects."
In addition the UK has also raised concerns about the "excessive number" of 'delegated' and 'implementing' acts that are allowed for under the draft Regulation. These acts allow the Commission to provide more detail on the precise workings of some of the drafted measures, but the UK said this "often does not constitute a correct exercise of the power conferred in the parent legislation," according to the leaked file.
In particular it said that the Commission should not be able to "impose further criteria or requirements" for when organisations wish to justify the processing of personal data as within their "legitimate interests". It is also "illogical" that public authorities be prohibited from processing personal data if they are relying on the 'legitimate interests' basis for doing so, as the Commission's proposals currently state, the UK said.
Under the Commission's proposals organisations will generally be able to process personal data without having to obtain the consent of individuals to whom the information relates if their "legitimate interests" in processing the data are not outweighed by the fundamental rights of the individuals concerned. The 'legitimate interests' provision already gives organisations a lawful basis for processing personal data under the existing EU data protection laws.
The UK is also pushing for some small and medium-sized businesses to be exempt from some of the rules drafted by the Commission. It has said that "many prescriptive requirements" within the draft Regulation place "unrealistic obligations" on SMEs and not-for-profit organisations in particular.
"We welcome exceptions for SMEs and, further, propose that assessments on SME carve-outs should be considered on the basis of risk of processing to data subject," it said, according to the leaked file. "Other prescriptive requirements include requirements to notify a data breach within 24 hours, to maintain documentation of all data processing operations and mandatory data protection officers which could be costly and impractical for many business and organisations".
The UK's written comments also outline its scepticism over the Commission's claim that the reforms would bring £3 billion benefits from reduced 'legal complexity'. It said the "quantified impacts" of the proposed Regulation had not bee "thoroughly investigated" and that the calculations within the Commission's 'impact assessment' "does not provide a credible foundation to underpin the proposals." There has not been proper "assessment of costs" and the impact assessment also fails to "consider impacts [of the Regulation] over time", the UK said.
Further concerns the UK has raised include its view that the wording defining what 'personal data' is too imprecise and unjustifiably broad. It has also contested wording around the meaning of 'consent', and proposed that the draft Regulation be amended to remove the requirement that consent must be given "explicitly" by individuals in order for processing of their personal data to take place.