By Judd Lindenfeld
The proposed changes to the European Data Protection Directive were sure to face strong opposition from U.S. lobbyists representing Facebook, Google and other pillars of the tech industry. After all, the switch from mere “directive” to actual “regulation” is one that gives the provisions an immediate and uniform impact across the European Union. This is on top of the additional requirements and standards that the change imposes. But consternation from Member States themselves—to the point of calling for the changes to be scrapped entirely—is a bit more surprising.
However, this is exactly what the UK Information Commissioner’s Office (ICO) has called for.
http://www.ico.gov.uk/news/~/media/documents/library/Data_Protection/Research_and_reports/data_protection_reform_latest_views_from_the_ico.ashx
The UK ICO has called the current undertaking “a great opportunity” to update the way that personal information is used today, yet laments the outcome of the process for a number of reasons. First, the ICO takes general aim at the updates for being “too prescriptive” when it comes to their administrative requirements. This concern is mostly reserved for small and medium enterprises (SMEs) that cannot afford the safeguards—such as hiring a Data Protection Officer—that the regulations require. Indeed, these kinds of administrative requirements create greater barriers to entry into the tech industry.
Next, the ICO complains about the lack of clarity in the regulations. Terms like “personal data” must be defined more precisely by the new regulations (do they include non-obvious identifiers such as IP addresses?). The same applies to the new “right to be forgotten” that the regulations create (how forgotten is “forgotten”? Will users understand the degree of protection that this right offers?). Determining the definition of these provisions is crucial because of the heavy penalties that result from violating the regulations.
Finally, the ICO questions what is perhaps the key feature of the regulations: their uniformity. The ICO correctly points out that different Member States have different legal traditions and “what is allowed by law is not spelled out in the UK in the way that it is in some other countries’ legal systems.” However, in the change from “directive” to “regulation,” what is applied to one State is applied to all.
The position of the UK ICO illuminates a number of important considerations in the quest to achieve data protection. First, it shows that patrolling the tech industry through an omnibus set of regulations is a difficult venture. Growth in the tech sector is dependent on small firms and start-ups that lack the protective capabilities of their larger counterparts. And terms like “personal data” that may seem clear today might, with the advent of new technologies, seem murky tomorrow.
Most importantly, it’s questionable whether the goal of data protection can be achieved through the same means in every State. Of course, uniformity of law brings its own set of benefits. However, these benefits will never be realized if the laws that apply to every Member State are not “one size fits all.”
For more information on the controversy surrounding the new regulations:
http://www.wired.co.uk/news/archive/2013-02/07/ico-against-eu-data-protection
http://www.theregister.co.uk/2013/02/06/uk_ico_position_data_protection_directive/
http://www.wired.co.uk/news/archive/2013-01/22/us-eu-data-protection-advocates