UK sends EU data plans “back to the drawing board”
The Justice Select Committee has told the EU to go back to the drawing board with its plans to revamp European data protection laws.
The EU proposals include plans to change out-of-date data regulations due to increased use of the web and other technologies, and would standardise data protection across the continent.
“The 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens and … help reinforce consumer confidence in online services,” the EU said when it launched the proposals at the beginning of the year.
The UK’s Justice Select Committee has published a report into the proposals and slammed the plans as being far too prescriptive because they would impose more regulation on the UK.
Although the committee accepts changes are needed because existing laws were drawn up before the web became prevalent, it said the plans wouldn’t work.
The Commission needs to go back to the drawing board and devise a regime which is much less prescriptive
“The current data protection laws for general and commercial purposes need to be updated, as they do not account for the digital world,” said Sir Alan Beith MP, chairman of the committee.
“However, we agree with the Information Commissioner’s assessment that the system set out in the draft Regulation ‘cannot work’ and is ‘a regime which no-one will pay for’. The Commission needs to go back to the drawing board and devise a regime which is much less prescriptive.”
Under the proposals, web companies would need “affirmative action” from consumers before they could process data on them, similar to the cookie consent system.
The draft regulation also sets out regulations that would see consumers have the right to access their personal data, have it rectified or erased, to object to processing and not to be subject to profiling.
According to the committee, the plans are flawed because they “do not allow for flexibility or discretion for businesses or other organisations which hold personal data, or for data protection authorities”.
Instead of an overriding set of laws, the committee believes compliance should be entrusted to each individual country’s data protection authorities.
However, the committee conceded that the proposed directive could benefit smaller companies that want to operate in multiple countries in the Eurozone.
“Currently a firm would have to deal with 27 separate sets of domestic legislation, and may be put off by the potential legal costs of complying with each,” Beith said.
“Whilst multinationals can take on this burden, small firms cannot. If the draft Regulation is passed, this worry will be removed as the law in Romania will be the same as in Sweden, and indeed within the UK itself.”
As well as seeking clarification on how the regulation would impact business, the committee also said the draft should be changed to make it clearer that law enforcement agencies would not be included in the data protection proposals, with profiling just one tool used by the police.
“We have been told that the draft Directive does not apply to domestic processing by law enforcement agencies within the UK. This needs to be placed beyond doubt,” Beith said.
“It needs to be made clear that the Directive must not impact on the ability of the police to use common law powers to pass on information in the interests of crime prevention and public protection.”