In response to the invitation from the Ministry of Justice to respond to the Proposal for a Regulation on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Clyde & Co submitted a response last month.

Summary of contents of the response:

1. As a firm we are both a data controller and legal counsel to data controllers and data processors. We welcome many of the changes which have been proposed but our experience shows that compliance with the differing data protection regimes and requirements across the European Union is challenging, and that this often leads to uncertainty as to whether compliance has been achieved or not, leading to an increased costs burden from the need to take advice in each of a number of jurisdictions.

2. We believe that this is an area of law which would certainly benefit from having its profile raised and would hope that in the run up to the implementation of the Regulation both the Commission and the Information Commissioner's Office (ICO) (as well as other data protection regulators across the European Union) embark on a coordinated marketing exercise to raise the profile not only of the Draft Data Protection Regulation but also of the importance of data protection as a whole.

3. The proposed increased sanctions are potentially disproportionate to the risk of harm to individuals for breaches of the Regulation.

4. To achieve the successful implementation of a pan-European data protection regime, more consideration will be required of how such a regime will be policed and how consistency across the Union will be achieved on a day-to-day basis. For example, how will the situation be resolved where a data regulator in one Member State interprets the legislation differently from the regulator in another Member State?

5. We have concerns regarding the ambitious territorial scope of the draft Regulation, both within the EU (with the various regulators permitted to levy cross-border fines) as well as from the provisions designed to make non-EU based organisations comply with the Regulation; it is difficult to see how these will work in practice.

6. The drafting of a right to be forgotten makes it somewhat less extensive than the public may anticipate from the media attention given to it, and we query how much more extensive the proposed legislation is than that which currently exists in many Member States.

7. As a law firm we hold a large amount of our clients' personal data (and indeed much other confidential information about their affairs). It is essential that we and similar businesses are permitted to retain information about those whom we have acted for and against, and to be able to access that information for a long period, not least to ensure we comply with our professional rules, for example as to conflicts of interest between our clients.

8. We believe that mandatory notification of data breaches within 24 hours will often be impracticable given that the data controller's immediate priority will often be to implement remedial / disaster recovery procedures. Smaller businesses may not even have developed such procedures and may need legal advice on their obligations, which is likely to take much more than 24 hours to obtain in practice. The scale of a data loss may not always be immediately apparent until a forensic investigation has been carried out. For all these reasons, we think the time limit for mandatory notification should be carefully reviewed, perhaps with the upper limit on the time which may elapse before a breach is notified being qualified by an exception which can be invoked if notification was not reasonably practicable (the onus being on the data controller to show this).

9. We believe a de minimis exception should be considered for mandatory notification. Does the ICO really wish to be told of every such loss or only those which risk harm to individuals or may indicate a need for intervention by the ICO into the data controller's activities or actions?

10. We are pleased to see that the model contract clauses and binding corporate rules (BCRs) are proposed to remain in place; although we think more consideration needs to be given to these and (in relation to BCRs) the related approval process in order to increase their uptake as well as to market their usefulness. We favour a more streamlined procedure for having BCRs and simplified drafting for new versions of model contract clauses.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.