The ICO has today warned that the data protection regulation currently making its way through the European Parliament may not suit the UK, and in fact may not even reach the agreement necessary for it to come into force.
Further reading
'There is no info security risk; there is just risk' says Santander risk chief Data Protection Act is not a barrier for information sharing in NHS, says ICO ICO to investigate Google's privacy policy
David Smith, Deputy Information Commissioner and director of data protection at the UK's data watchdog the Information Commissioner's Office (ICO), made these pronouncements today at Infosec 2013.
He explained that the idea behind the new regulation is to harmonise data protection rules across Europe's 27 member states, explaining the recent difficulty in prosecuting Google when it harvested individuals' Wi-Fi network data as part of its Streetview project was a driver.
"The driver behind this [regulation] is harmonisation, the EC is very driven by demands from multinational businesses, who say we're supposed to have one Europe, but we have 27 different sets of rules in data protection. They want to do business with one set or rules across the EU."
But Smith added that this harmonisation risks being overly prescriptive, with individual countries left constrained by rules that they are unable to tailor to their specific cultures and environments.
"The risk is when you produce one set of rules, they become very detailed and allow little scope for differentiation, and there are huge differences across Europe in terms of laws. Some countries say Google Streetview can't operate due to data protection, but that's not a sensible rule for the UK.
"This drive [to harmonisation] could be counter-productive if it means lots of rules which don't make sense in the UK."
He explained the ICO's preference would be for a risk-based approach to data protection, rather than one of prescription.
"We welcome [the regulation], it will give better rights for individuals and better protection for data with better accountability. Businesses not only have to have compliance mechanisms to ensure protection of people's information, but they need to demonstrate that they're in place and are effective in pratice.
"But then it almost undoes that. You know you need proper documentation and policies and procedures, proper staff with the right qualifications, and we're happy to leave it at that. When we come knocking, you justify how effective you are. But the problem with harmonisation is all those measures are spelt out in detail, so it specifies all the staff you need with specific qualifications, and all the policies and documents you need.
"So it undoes the idea that you're responsible. We're more bothered about addressing risks and outcomes, it's not just about having the right paperwork in place."
