The House of Commons' Justice Committee said that, whilst it believes a single data protection law applicable across the EU is "necessary", the European Commission's proposed General Data Protection Regulation is "over-prescriptive" as currently drafted. The group of MPs has suggested that the ICO and its EU counterparts be given more freedom to determine how to interpret the rules.
"Bringing EU data protection legislation up-to-date is necessary and could provide benefits to both individuals and businesses," the Committee said in a new report into the proposed reforms to the EU data protection regime. "Many of these benefits are only attainable if there is effective harmonisation of laws across Member States, and therefore we can understand why the European Commission decided that a Regulation was the correct instrument to achieve their objective. However, by setting out prescriptive rules there is no flexibility to adjust to individual circumstances."
"We believe that the Regulation should focus on stipulating those elements that it is essential to harmonise to achieve the Commission's objective, such as the consistency mechanism and the establishment of the European Data Protection Board. Member States' data protection authorities should be entrusted to handle factors associated with compliance, such as the level of fees or when it should be informed about a data protection impact assessment, whilst also being a source of guidance. Consistency of approach should then be delegated to the European Data Protection Board," it said.
Under the Commission's proposals a new independent European Data Protection Board would replace the existing privacy watchdog, the Article 29 Working Party. The Board would provide regulatory oversight and would be made up of the head of each EU member state's data protection authority and the European Data Protection Supervisor.
Currently EU member states have data protection laws that differ from one another. This is a consequence of the way those countries have implemented the 1995 Data Protection Directive into national law: the wording of EU Directives does not have to be copied precisely into national legislation.
The Commission has described the current data protection regime in the EU as fragmented and outdated and has pressed for reforms that bring the rules up-to-date with advancements in technology.
In January the European Commission published a draft General Data Protection Regulation which would, if enacted, introduce a single data protection law across all 27 EU member states. Companies that process personal data of EU citizens from outside the borders of the trading bloc would also be subject to the rules.
The Committee said that it would prefer to see the Commission continue with its plans for a Regulation but said that the current proposals need to be overhauled.
"As currently drafted, the Regulation does give data subjects essential rights that must not be compromised during negotiations, and it has the potential to make data protection compliance easier for businesses, especially small businesses, which trade across the European Union," the Committee said. "However, we do not believe that in its present form it will produce a proportionate, practicable, affordable or effective system of data protection in the EU."
The Committee said that the view of the ICO that the draft Regulation is unworkable and provides for a "regime which no-one will pay for" was "authoritative". It said that a "full assessment of the impact of the proposals" is needed and advised the Commission to work with the UK, other member states and stakeholders to "pool resources, expertise and information" so that one can be "produced".
The Committee said that the Commission's plans to force certain organisations to employ a dedicated data protection officer were not properly targeted.
Under the Commission's proposals businesses with more than 250 permanent staff, public bodies and organisations with "core activities" that "consist of processing operations which ... require regular and systematic monitoring of data subjects" would be required to appoint a data protection officer. The officers would be responsible for advising the organisations on data protection issues, monitoring the implementation of their data protection policies and adherence to the law, and acting as the point of contact for regulators.
However, the Committee said the requirement to appoint data protection officers should be "based on the type of business and the sensitivity of data that is handled, rather than the number of employees".
The Committee also found fault with the Commission's planned sanctions regime.
Under the Commission's plans regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation. Organisations not engaged in economic activity could be fined up to €1 million for serious breaches.
However, data protection authorities should have "more discretion" over the type of sanctions they can impose, the Committee said. The discretion would enable them to "effectively punish the worst behaviour".
"We are aware that this could result in different approaches being taken in each Member State, and therefore recommend that, where there is evidence that such differences are having a deleterious effect on compliance, the European Data Protection Board be entrusted to provide guidelines on the type of sanction that may be appropriate in given situations," the Committee said.
At the moment the ICO can elect not to impose a civil monetary penalty on organisations that breach the Data Protection Act and instead require those organisations to adhere to particular 'undertakings' in order to improve their compliance, if it believes that action is more appropriate.
The Committee also said that, whilst it is "very important" that individuals have a right "to secure the erasure of data about them", such a right had been wrongly labelled as a 'right to be forgotten'. This may cause individuals to have "unrealistic expectations" that information about them can be deleted when that may not always be possible, it said.
People should also be able to obtain access to the personal data records that organisations hold on them without having to pay for the privilege, the Committee said. The Government has opposed the Commission's plans to make this 'subject access right' exercisable free of charge, but the Committee has called on the Government to "change its negotiating position" to reflect its opinion.