The Government has submitted a number of concerns to the European Council of Ministers in relation to the proposed changes to the data protection regime which will reform data protection laws across the European Union. The concerns of EU member states were set out in a report from the Council of Ministers that was leaked by Statewatch, the civil liberties group.
The concerns that the Government has raised include that:
- the proposed reforms oblige companies based outside the EU to comply with EU laws if the personal data they process relates to EU citizens; the Government is concerned that this cannot be policed and is therefore not enforceable;
- the reforms allow the European Commission to impose further requirements on member states;
- many of the reforms place “unrealistic” obligations on small and medium sized enterprises, such as notifying the Information Commissioner’s Office of each breach of data protection law within 24 hours of the breach taking place;
- the words defining “personal data” in the reforms are too wide; and
- the reforms should be in the form of a Directive rather than a Regulation; a Directive would give member states the flexibility to implement the reforms as they each saw fit (within certain parameters), whereas a Regulation would not give a member state any room for flexibility in implementing the law in terms of taking into account the tradition and practice of that member state.
Simon Weinberg, a solicitor in the Commercial/IP/IT team at Matthew Arnold & Baldwin LLP, commented, “The Government’s concerns are well-founded and we have raised similar issues in Upload Commercial/IP/IT before. However, the suggestion that the reforms should be in the form of a Directive seems to conflict with one of the overriding aims of the proposed reforms, being to bring the law in each member state into line, as the current position across the EU has been described as ‘fragmented’ at best.”