ICO Concerned Over ‘Guesswork’ Surrounding EU Data Privacy Laws

British companies are perplexed by proposed EU rules to boost privacy, says the ICO

The UK’s data protection watchdog has yet again raised concerns over controversial privacy laws drawn up in Brussels. The Information Commissioner’s Office (ICO) has published data it says shows businesses don’t understand the proposed rules.

The ICO is particularly worried about “guesswork” guiding the proposals, which include provisions to fine companies two percent of annual turnover and to establish the right to be forgotten – something that has greatly upset Facebook. The regulator and the British government are engaged in a campaign to limit the eventual European rules, much to the dismay of privacy campaigners who want them imposed.

Privacy worries

“Inevitably, there will be burdens for those who have to deliver the benefits, whether businesses or regulators. The question is does the benefit justify the burden?” asked information commissioner Christopher Graham.

“There has been much talk of ‘what is best for business’, but that must be based on valid evidence. This reform is too important for guesswork.”

There remains much confusion over the costs of the proposed directive and regulation, with the European Commission saying they would actually provide savings for economic operators of €2.3 billion.

The UK Ministry of Justice, which is currently working hard in Brussels to drastically water down the legislation, disagrees. It estimates a net cost to UK business of between £80 million and £320 million a year. The MoJ is also keen to have the regulation canned and for the EC to take a less restrictive option: updating its privacy directive, which would be much less onerous on organisations.

The ICO said its latest data showed businesses were unsure of their obligations under the proposals and could not ascertain what the associated costs would be.

Research firm London Economics surveyed 506 workers dealing with data protection, and found eight in 10 could not quantify their current spending on keeping information safe.

Nearly nine in 10 said they could not provide any estimates, both for one‐off adjustment costs and additional yearly compliance costs, for the effect of the planned Brussels rules.

The report also found “current and expected additional spending on data protection increases substantially for firms holding more than 100,000 records of personal data”.

Looking at 10 of the more concerning provisions of the rules, including the 24-hour breach notification stipulation, increased fines and the right to be forgotten, 40 percent had inaccurate knowledge of them. None were able to cite all 10.

Graham called on the Commission to take heed of the report, before the final regulation and directive are decided upon.

“We’d urge the European Commission to take on board what it says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators,” Graham added.

“Similarly, businesses and other stakeholders need to constructively engage with the debate about burdens and the importance of privacy rights, while the process can still be influenced.”

If the proposals go through, MPs have claimed the ICO itself is looking at a shortfall of £42.8 million.

Privacy advocates, who backed the original proposals, are concerned that large companies with a vested interest, such as Amazon, eBay and Facebook, will succeed in watering down the proposals through lobbying power.
