Reform of EU data protection laws is making slow progress. But change will come, predicted David Smith, deputy commissioner at the ICO, during a keynote session at this week's Infosecurity Europe in London.
As a result, the UK is unlikely to see any change to its data protection laws before 2017, Smith told the audience. "I would be astounded if [the Regulation] gets passed this year. It may get passed in 2015, and it will be two years to bring it into force. We're not talking about a change in the law before 2017 at the earliest. But the existing law took five years to negotiate… and it is more complex now, and data is more prevalent."
Nonetheless, the general direction of the new Regulation, which will replace the existing data protection Directive, is becoming clear. "Should you prepare now? You can prepare, but don't read too much into the letter of the Parliament's text. There will be changes. But what we can see is the general direction of travel."
According to Smith, it is already clear that the new Regulation will tackle the question of consent for services that collect data. "Current methods for obtaining consent are not good enough," said Smith. "Saying read our T&Cs and click here, and the consent is buried, is not good enough," he warned. "You don't always have to have consent, but if you do rely on it, it has to be of good quality."
Other measures that are now highly likely to make the final draft include privacy by design and data breach notification. "Breach notification is not compulsory for most organizations in the UK," said Smith. "But it will be."
Smith did say, though, that the proposed fines for data breaches – of up to 5% of global turnover, or €10m – could yet be reduced. Certainly, the ICO is not pressing for higher penalties, even though some lobby groups have argued that data breach fines should be in line with the penalty regimes for competition law breaches.
"I am not so sure fines should be like those for competition law," said Smith. "I am not so interested in fines of €10m. For the big multinational companies, it is not really the fine that hurts. What I'd want to have is more imaginative powers. The [US] Federal Trade Commission can impose audits on companies for 20 years." Powers of that type could be more effective than fines alone, Smith believes.
But Smith added that he is wary of new European data protection laws that could be inflexible and place an undue burden on companies. The ICO is not, he said, calling for a new Directive in place of a Regulation.
"I think we will end up with a regulation, as long as it is not too prescriptive," he said. Any new law should be flexible enough to allow for the different legal frameworks, public sensibilities, and "history and tradition" of different EU countries.
"We need enough wriggle room to make it a sensible law for the UK, which protects people's privacy without putting an undue burden on business." And the ICO, he said, should retain its educational and advisory role. "We don't want to be just an enforcer."