In a letter to Justice Secretary Chris Grayling (4-page / 5.04MB PDF), Christopher Graham said that he has concerns that data protection authorities (DPAs) will not be sufficiently resourced to regulate the new General Data Protection Regulation that has been proposed by the European Commission.
"As things currently stand ... I see real problems ahead with the practical delivery of a Regulation that is still so detailed and specific as to the processes DPAs shall undertake in almost all circumstances," Graham said.
The Information Commissioner raised particular concerns about any new rules which could require businesses to notify DPAs of all breaches of personal data they suffer, and about how a new mechanism for regulatory cooperation would work in practice, amongst other issues. Graham said the new regime, as currently drafted, is "bound to be very costly" but that it was unclear where the extra funding needed to regulate it was going to come from.
Graham said that plans to scrap the current requirement that businesses notify DPAs about their intended use of personal data would impact on the Information Commissioner's Office's (ICO) budget. The watchdog generated £16 million in income in the last financial year from notification fees, he said.
"We do not yet know how this funding is going to be replaced or how alternative sources of income would avoid compromising the ICO's necessary 'complete independence'," he said.
Graham said that businesses may resort to "forum shopping" as a result of DPAs across Europe being under-funded. He said, though, that he expects that the ICO would require more resources to deal with an expected rise in the number of businesses that would refer to it for regulatory compliance issues under the new regime.
Under the Commission's draft Regulation, DPAs would be responsible for regulating companies that have their "main establishment" in the country in which they conduct their regulatory activities. "Main establishment" refers to the premises in which companies take their main decisions about their data processing activities. If companies take those decisions outside of the EU, a main establishment will be taken as any "place where the main processing activities in the context of the activities of an establishment of a controller in the Union take place", according to the draft.
Under the proposed regime authorities would be required to provide one another with "mutual assistance" so as not to inconsistently apply the laws in different countries. If individuals in more than one member state are likely to be affected by decisions taken by one DPA, other authorities in those countries would have the right to participate in joint operations. However, only the DPAs in countries where organisations have their "main establishment" will take regulatory action, unless the DPA in question confers power to a sister regulator in another state.
The Information Commissioner said that the proposed new regulatory framework, together with the burdens the ICO would face as a result of new demands the draft Regulation would place on businesses, would require it to adopt a new approach to data protection regulation unless additional funding was provided.
"Without significant additional resources it is clear that the ICO would need to change its regulatory approach," Graham said. "Instead of giving advice and guidance and intervening on the basis of risk and proportionality, we would have to move towards a process-driven approach based on prior checking, processing of breach notifications, and mandatory fines."
"To the extent that we could no longer be selective on the basis of a regulatory risk-based judgment, I fear we would be less effective. If this is true for the ICO, one of the biggest and best resourced DPAs in the EU, questions have to be asked about the viability of the proposed Regulation elsewhere in the EU," he added.