Out-Law / Your Daily Need-To-Know

Out-Law News 2 min. read

MoJ wants obligation to appoint data protection officers scrapped from EU reform proposals


Businesses should not be placed under any obligation to appoint dedicated data protection officers (DPOs) under a new EU data protection law framework, the UK Government has said.

The Ministry of Justice (MoJ) said that businesses should only be "encouraged" to hire DPOs in cases where those firms feel such a measure is "necessary" in order to comply with data protection laws.

The MoJ has previously criticised proposals by the European Commission which would require large companies and those that heavily engage in personal data processing to appoint DPOs. The Commission set out the draft requirements in proposed reforms to the EU's existing framework for data protection in January 2012, but the MoJ has subsequently complained about the cost burdens that such a measure would impose on businesses.

Now, in response (22-page / 112KB PDF) to the UK Parliament's Justice Select Committee report into the Commission's proposals, the MoJ has called for the provisions relating to DPOs to be scrapped.

"The Government does not believe that the requirement to have a data protection officer (DPO) is necessary in the proposed Regulation and we believe that there are other means of achieving the accountability principle," the MoJ said in the response document. "Under the risk based model that the UK Government is proposing, data controllers would be encouraged to appoint data protection officers if they were felt necessary to ensure compliance with the proposed Regulation."

Under the Commission's proposals, business with more than 250 permanent staff, public bodies and organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" would be required to appoint a DPO. The officers will be responsible for advising the organisations on data protection issues, monitoring the implementation of their data protection policies and adherence with the law and be the point of contact for regulators.

In some circumstances it would be legitimate for public authorities to appoint only one officer to cover "several of its entities". Only one officer needs to be appointed for a business consisting of a "group of undertakings", according to the Commission's draft plans.

In its report published last year the Justice Committee said that the requirement to appoint DPOs should be "based on the type of business and the sensitivity of data that is handled, rather than the number of employees".

The UK's data protection watchdog, the Information Commissioner's Office (ICO), has also previously said that it should not be "mandatory" for organisations involved in large-scale personal data processing or risky processing to employ a specialist DPO. Such a requirement should not be imposed providing those companies "have effective processes in place for ensuring data protection compliance," the ICO said.

The Confederation of British Industry (CBI) last year also said that it would be "costly and disproportionate" to require all organisations with more than 250 employees to appoint a dedicated DPO.

Earlier this month MEP Jan-Phillip Albrecht published proposed amendments to the draft plans set out by the European Commission. Albrecht is rapporteur to the European Parliament committee responsible for scrutinising the proposed data protection reforms. In his report, Albrecht said that the size of firms should not be a criterion for determining whether they have to appoint a DPO or not. He proposed that businesses that process the personal data of more than 500 people in a year should be obliged to appoint DPOs.

"The threshold for the mandatory designation of a data protection officer should not be based on the size of the enterprise but rather on the relevance of data processing," Albrecht said. "This includes the categories of personal data processed, the type of processing activity and the number of individuals whose data are processed."

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.