The Information Commissioner’s Office (ICO) has published a briefing that outlines the European Commission’s (EC) proposals to reform the Data Protection Directive and sets out its views on a number of those proposals. The ICO expects the EC to publish its proposal early next year.
The ICO highlights that it believes the new framework must:
- be clear and easy to understand and provide a cost-effective means of individuals exercising their rights;
- set out a clear structure with overarching high-level principles based on risk, context and purpose with flexibility for enforcement bodies, rather than a prescriptive approach based on lists;
- involve an obligation on organisations to carry out a privacy impact assessment where processing could have a significant or adverse effect on an individual, uses intrusive technology or creates a particular risk;
- ensure that data processors are responsible and accountable, with the emphasis on the maintenance of standards rather than simply having a ‘process’ that complies with the law; and
- allow the ICO more inspection and enforcement powers in both the private and public sectors with less emphasis on prior approval and authorisation of a data processor’s activities.
The ICO was critical of recent statements suggesting that consumers should have a “right to be forgotten”, as it could mislead, create false expectations and be impossible to implement in practice.
The full text of the briefing can be found here.
