UK companies could be forced to adopt a more rules-driven approach to information privacy, as a result of European regulations.
The EU's upcoming data protection regulation will remove much of European countries' national discretion when it comes to drafting data protection laws, warned David Smith, director of data protection at the Information Commissioner's Office.
And, he told this year's Infosecurity Europe conference, the regulation as it stands could force businesses to focus more on technical compliance with data protection rules, rather than on outcomes and the protection of the consumer. There is an added risk, Smith said, that the regulation could increase the compliance burdens on organizations, and especially on smaller businesses.
The EU's Data Protection Regulation is expected to come into force either later this year or early next year, depending on the outcome of "trialogue" negotiations between the European Commission, the European Parliament, and the European Council, which represents the interests of member states.
The new regulation is aimed at harmonizing data protection law across the EU and, in particular, at making compliance easier for companies that operate across borders.
According to Smith, however, creating one regulation to replace a complex set of data protection and privacy laws across 27 member states inevitably means a degree of compromise.
He described the UK's current approach to data protection as "pragmatic", and contrasted that to the stance of governments in some other European countries, where data protection is viewed more as a matter of principle. "There are differences across Europe that stem from different legal systems and traditions," he said.
Smith pointed to the widely different approaches taken by European member states to tackling data privacy breaches resulting from Google's StreetView project as evidence of the complexity of the task.
When asked by Infosecurity's Deputy Editor, Drew Amorosi, about two of the most controversial areas of the proposed regulation – the "right to be forgotten" and the requirement for breach notifications within 24 hours – the Deputy Information Commissioner said both were likely to see at least some redrafting.
Smith suggested that although it is unlikely that the breach notification clause will be scrapped, the ICO, through the Ministry of Justice, would be pressing for more flexibility, perhaps giving businesses more discretion over what they disclose to the regulator and when.
"Twenty-four hours is not practical," he warned. "If it goes through, it will be a compulsory system. But it may not be 24 hours and it may not be every breach."
For the right to be forgotten, he said much of the discussion is currently around the role of search engines, and the part they play in serving up content that consumers want deleted. But there were benefits too, such as shifting the burden of proof from consumers having to justify why they want data deleted, to businesses having to prove why it should be kept.
And, he said, the ICO will continue to push, as far as it can, for the new regulation to be driven by a risk-based approach and outcomes for the consumer, rather than focusing on a checklist of rules businesses must follow, in order to avoid penalties, without testing whether those measures improve consumer protection.
"We don’t want to give the false impression that the proposals are universally bad," explained Smith. "They will give better rights to the individual and better protection to their data. But businesses should not just have a mechanism in place to protect data: they need to be able to demonstrate that it is effective in practice."