ICO publicises its concerns over EU data reforms

The Information Commissioner’s Office (ICO) has published on its website a letter to Chris Grayling, the Secretary of State for Justice, warning that unless significant additional resources are made available, the ICO will not be able to do its job effectively when the draft Data Protection Regulation comes into effect.

In the letter, Information Commissioner, Christopher Graham, voices his concerns about the additional responsibilities for the ICO outlined in the draft Regulation. While he supports the need for updated legislation to meet the requirements of the 21st Century, he sees “real problems ahead with the practical delivery of a Regulation that is still so detailed and specific”. Such a regime, he says, is bound to be very costly and it is not clear where the necessary funds will come from.

Graham is particularly critical of the following 4 proposals:

1. Enforcement regime – a very prescriptive approach that takes away the ICO’s power to decide what action to take (the current legislation leaves it to the discretion of the ICO).

2. Breach notification requirement – individuals will have to be notified every time there is a data protection breach, even if it’s a very minor one that doesn’t pose a privacy risk.

3. Prior authorisation for international data transfers – this is a new requirement which will put a heavy burden on the ICO’s limited resources.

4. An unrealistic consistency mechanism across the 27 Member States. This proposes that Data Protection Authrities (DPAs) in the 27 EU member states support and cooperate with the DPA in the country of an organisation’s main establishment. This could offer some modest financial efficiencies, says Graham, but the system will only be as good as its weakest link. There is a possibility that some businesses might seek to take advantage of smaller and less-resourced jurisdictions to make life easier for themselves.

Graham also points out that the ICO will probably face additional costs because the UK, as one of the larger economies in Europe, will probably attract a good deal of “country of main establishment” business.

Question marks over ICO’s funding
These new extra responsibilities come at a time when the ICO’s funding is under threat. The ICO’s activities are currently funded from the £16m paid in notification fees but this income source would disappear under the new legislation. Graham accepted that extra funding from government in the current economic climate was unlikely and that such direct funding might, in any case, compromise the principle of “complete independence” as a regulator.

Graham rounds off his letter with a clear warning that if additional resources are not available, the ICO will need to change its regulatory approach. “Instead of giving advice and guidance and intervening on the basis of risk and proportionality, we would have to move towards a process-driven approach…To the extent that we could no longer be selective on the basis of a regulatory risk-based judgement, I fear we would be less effective.”

Caroline Roberts, Director of Public Affairs, DMA