ICO concerned by proposed European Data Protection law changes

Information commissioner Christopher Graham has raised a number of concerns with the European Commission's (EC) revised Data Protection Directive, claiming it does not reflect the realities of data protection.

In a response to the document issued by the EC on Wednesday, the Information Commissioner's Office (ICO) said Graham considered many elements of the document to be poorly thought out.

"The commissioner believes in a number of areas the proposal is unnecessarily and unhelpfully over prescriptive. This poses challenges for its practical application and risks developing a tick-box approach to data protection compliance," it said.

"The proposal also fails to properly recognise the reality of international transfers of personal data in today's globalised world and misses the opportunity to adjust the European regulatory approach accordingly."

It added that Graham believed the creation of a separate piece of legislation for the control of individuals' data by law enforcement agencies does not give enough protection to citizens.

"He is concerned that in an area where the processing of personal data can have a particularly adverse impact on individuals the Commission's proposals are much less ambitious," it said.

"He believes that a high level of data protection that, as with the current UK Data Protection Act, is equally applicable across all sectors is required and hopes that these provisions will be strengthened as negotiations progress."

The ICO did commend several proposals in the document, though, including the strengthening of the powers of data protection authorities to provide comprehensive investigative powers and placing certain legal obligations on data processors.

The changes put forward by the EC include a number of obligations that firms of all sizes may find onerous, including potential fines of two per cent of turnover for data breaches and a 24-hour breach disclosure notification system.