< Back

Share |

The Regulators

January 2014

Data protection Regulators are highly motivated to make sure the reform process results in law that 'works'. 2013 saw a number of different Regulator initiatives and statements on the draft Regulation. Some of these positions are outlined below.

The Article 29 Working Party published an Opinion on the issue of implemented and delegated acts under the draft Regulation. It was less critical of the powers to introduce delegated acts as these are subject to approval by the European Parliament and Council but it was critical of the number of opportunities for implementing acts. It also recommended an increased role for the proposed European Data Protection Board and a reduction in the Commission's power (unsurprisingly).

The European Data Protection Supervisor weighed in with comments stressing the need to retain the definition of explicit consent, not restricting the definition of personal data and ensuring that pseudonymous data is caught by the definition of personal data.

Union JackIn the UK, the Information Commissioner (ICO) and government committees have published further comments on the proposals. The right to be forgotten came up again as a problem area as did costs to business. The ICO continues to advocate a degree of discretion in implementing the Regulation, particularly with regard to sanctions and stresses emphasising outcome over process. In a recent blog, the ICO was keen to focus the debate on:

  • the additional flexibility currently being proposed for the public sector;
  • the increased role of data protection authorities in signing off third party transfers;
  • funding for data protection authorities; and
  • pseudonymisation.

The Information Commissioner's Office (ICO) published an analysis in December 2013, of the European Parliament's proposed amendments to the draft EC data protection Regulation (Regulation).

The ICO comments favourably on:

  • the consistency in approach;
  • the high standard of consent;
  • the risk-based approach e.g. basing the threshold on the number of individuals whose data is processed by an organisation rather than the number of people it employs and requiring notification of data breach "without undue delay" rather than within 24 hours;
  • the concept of the one-stop-shop which, says the ICO, LIBE has improved on to "strike the right balance in the relationship between 'lead' and 'local' data protection authorities".

The ICO highlights the following issues are needing further consideration:

  • the introduction of the concept of pseudonymous data which the ICO thinks will muddy the distinction between personal and non-personal data;
  • the recommendation that privacy notices be longer and more detailed in order to ensure transparency – the ICO says the Regulation needs to be flexible in order to encourage innovative and effective ways of explaining things to individuals;
  • the ICO criticises the LIBE draft as being too prescriptive in setting out what organisations need to do to comply with the law;
  • Malletthe introduction of standardised information policies which the ICO says is less likely to be effective than those developed through codes of practice and other 'soft-law' mechanisms; and
  • the high level of prescription and tightening up of rules on the export of personal data to countries outside the EEA.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

The Regulators
Debbie Heywood


Sally Annereau


Debbie and Sally discuss the role of Regulators in informing and influencing the debate on the draft Regulation.