Information commissioner welcomes reformed data protection framework - saying some things will have to be done differently
All data processing for law enforcement purposes in the EU will have to comply with the data protection principles of “necessity, proportionality and legality” under the reform of data protection law agreed last week. Governments will be required to provide “appropriate safeguards for individuals” along with supervision by independent national data protection authorities - and effective judicial remedies.
The new framework, consisting of a directive and a regulation, was agreed last week as a replacement for the 1995 Data Protection Directive, which was implemented unevenly across the EU.
The new rules will give individuals more control over their data, including a “right to be forgotten”. Data holders will also be obliged to notify data breaches to the national data protection authority and to the individuals concerned.
Christopher Graham, the UK information commissioner, said the new regime will challenge his office “to do some things differently”. But he added that “we are determined to play our part in readying the UK for the big changes that will need to be in place for 2018 at the latest”.
While most attention has been paid to the new regime’s impact on social networks and commercial cloud services, it will also have implications for public sector data handling, including for law enforcement. The European Commission said that the rules will affect both cross-border and domestic processing of personal data.
“This would reduce differences between the legislation in member states, to the likely benefit of the protection of personal data overall. It could also lead to a smoother exchange of information between member states' police and judicial authorities and thereby improve cooperation in the fight against serious crime in Europe,” it said.
To ensure a high level of protection of personal data in the field of police and judicial cooperation in criminal matters, and to facilitate exchanges of personal data between member states' police and judicial authorities, the directive will:
- Apply general data protection principles to police cooperation and judicial cooperation in criminal matters, while respecting the specific nature of these fields.
- Provide for minimum harmonised criteria and conditions on possible limitations to the general rules. This concerns, in particular, the rights of individuals to be informed when police and judicial authorities handle or access their data.
- Establish specific rules to cover the specific nature of law enforcement activities, including a distinction between different categories of data subjects whose rights may vary (such as witnesses and suspects).
Mark Thompson, privacy practice leader at consultancy KPMG, described the framework as “a significant overhaul of European privacy and data protection laws”. It will require non-EU businesses that trade in the EU to re-think some of the activities they undertake in the EU.
“This makes it much harder to operate some ‘global’ services and will require them to truly put an EU lens on the business activities which are undertaken in the EU market,” he said.
Reform of the 1995 directive, which underpins the UK’s Data Protection Act, was first proposed in 2012. The next step will be a vote on the new law in the European Parliament in the new year, following which it must also be approved at European Council level by the 28 member states.