From: Wired (UK)

By Liat Clark

The Information Commissioner’s Office fully supports a “proportionate” take on EU data protection regulation in spite of what reports have stated in the past, Deputy Commissioner David Smith says.

Speaking at the Westminster eForum on data protection and eprivacy, Smith addressed reports that the ICO was not in favour of the EU’s proposed data protection revisions. However, he did admit that the prescriptive nature of some elements of the regulation meant we should “go back to the drawing board on some of its provisions”.

“Our role is in protecting individuals, and we think it will provide protection for individuals,” he said. “But to provide that we must have regulation that’s proportionate, practical and effective — if people can’t understand their rights it doesn’t work. And if I can’t explain to you why it helps protect people’s privacy, I’m lost. We must be able to justify everything as proportionate and necessary.”

Smith was referring to elements of the current regulation that he believes are worded too strongly. For instance, he says, the “right to be forgotten” has been overstated and is of concern, despite proponents like MEP Jan Albrecht emphasising it. “Part of it is actually the right to object, which means in future I can come to you and say I object to you processing my data and you’ll have to stop unless you come up with valid pressing reasons [this would be legitimate interest]. This reversal of burden of proof will greatly strengthen the position.”

Another element of the European Commission’s provision, the importance of notifying users if there has been a breach to systems, relates to this sense of accountability lying with the company, not the individual. The same goes for the consumers’ right to their own data. “If I do business with you online I should be able to deal with you instantly, not have to post a letter and wait 40 days for a response.”

The aim of Smith’s address was to reposition the ICO as being irrefutably for the people, considering its recent comments about the proposed regulations being bad for business. The problem is, however, the general consensus from speakers at the forum — including Smith — is that the regulation needs to be more balanced. And that call for balance was directed at tipping the scales back towards businesses.

Lord McNally, a Minister of State for Justice, began his address by pointedly speaking about the importance of protecting the public from state intrusions and criminal activity. His address promptly moved on to flagging up the importance of the eight percent economy, the danger of Albrecht’s “prescriptive” interpretation of the regulation and the burden of costs that will fall to the ICO to implement the regulation (despite the Commission claiming centralising it will save the EU £2 billion). All valid points, but it was clear the day was more about what’s wrong with the EU proposals than what’s right — namely, we’d all like to be more transparent and protect the public, but not at the expense of excessive time, red tape and cost to the private sector. Don’t burden our businesses at a time when we need to be promoting innovation, innovation that has ample room for growth in the big data sector, was the repeated argument from the eForum’s host of speakers, all of whom agreed we need change, but only flexible change.

According to a report just released by European law firm Field Fisher Waterhouse, the ICO issued 200 percent more fines to companies for data security breaches in 2012 than the previous year, so it looks like the problems that drove the European Commission to launch its revisions of data protection are indeed pressing. Eighty percent of those fines were issued to the public sector, but if the EU directive gets the go-ahead the private sector will need to be prepared. “The ICO does not hesitate to take serious enforcement action for failures to comply with data protection law, and is becoming a real force to be reckoned with and a driver for change,” said report coauthor Stewart Room, technology partner at Field Fisher Waterhouse. “Looking at the year ahead, we can expect ICO’s enforcement activity to continue at this pace or even intensify, focusing in the areas that ICO has prioritised as posing a higher data protection risk, namely health, internet and mobile, financial services, security and criminal justice.”