Justice Minister Helen Grant said that the net annual cost of complying with the European Commission's draft General Data Protection Regulation would be between £100 million and £360 million for UK businesses, public sector organisations and charities.
Grant said that the Government believes the "burdens the proposed Regulation would impose far outweigh the net benefit estimated by the Commission". The Commission has said that it expects its proposed reforms to deliver €2.3 billion of annual savings to organisations' administrative costs. However, Grant said that UK calculations, set out in a new impact assessment (53-page / 358KB PDF) published by the Ministry of Justice (MoJ), had arrived at a very different conclusion.
"The Government's view is that the Commission both overestimates the benefits achieved through harmonised EU data protection law and fails to address the full costs and unintended consequences of its own proposals, by only considering administrative costs," Grant said in a Ministerial Statement (2-page / 14KB PDF). "Our analysis addresses some of these failings by considering in full the impact of the proposed regime, including the additional costs for businesses, including small and medium enterprises, the additional costs to supervisory authorities, conducting data protection impact assessments and complying with other new obligations."
Grant said that the Government is "seriously concerned" about how the proposed reforms will impact on businesses and said that "the extra red-tape and tick box compliance" set out within the draft Regulation was hard to "justify".
"We estimate the costs for UK small businesses of simply demonstrating compliance with the new rules around £10 million (in 2012-13 earnings terms) every year," Grant said. "A further serious issue is the possibility of stifling innovation through prescriptive and inflexible rules on gaining individuals’ consent and informing them about the processing of their personal data, whilst offering people an unworkable ‘right to be forgotten’."
"Instead the focus must be on achieving the right ends: meeting people’s rightful expectation that their personal information is used lawfully, proportionately and securely, whilst being able to offer them the goods and services they want and need," the Minister added.
During the ongoing negotiations regarding the reforms, the Government will push for a data protection framework that is "proportionate" and one that "minimises the burdens on businesses and other organisations, whilst giving individuals real protection in how their personal data is processed," Grant said.
In January the Commission outlined plans to bring the EU's data protection framework up to date with the digital age. Its proposed General Data Protection Regulation would replace the existing regime, which the Commission has described as fragmented and outdated.
Currently EU member states have slightly different data protection laws from one another. This is a consequence of the way those countries have implemented the 1995 Data Protection Directive into national law.
If enforced, a data protection Regulation would introduce a single data protection law across all 27 EU member states. The Commission's intention is for the new laws to also apply to companies that process personal data of EU citizens from outside the borders of the trading bloc, although the UK's Information Commissioner's Office has previously questioned whether that would be enforceable.
Under the plans, organisations seeking to rely on individuals' consent in order to process their personal data fairly and lawfully would have to obtain explicit, freely given, specific and informed consent from those individuals. Consent would not be able to be gleaned through silence or inactivity on the part of individuals and instead must be obtained through a statement or "clear affirmative action" before it can be said to have been given.
Public authorities, many large businesses and those with personal data-heavy processing operations will also be required to appoint dedicated data protection officers, under the Commission's proposals. A new regime of penalties was also proposed that could see businesses fined up to 2% of their annual global turnover for failure to issue timely notifications about any breaches of data security.