In response to the invitation from the Ministry of Justice to
respond to the Proposal for a Regulation on the protection of
individuals with regard to the processing of personal data and on
the free movement of such data, Clyde & Co submitted a response
Summary of contents of the response:
As a firm we are both a data controller and legal counsel to
data controllers and data processors. We welcome many of the
changes which have been proposed but our experience shows that
compliance with the differing data protection regimes and
requirements across the European Union is challenging, and that
this often leads to uncertainty as to whether compliance has been
achieved or not, leading to an increased costs burden from the need
to take advice in each of a number of jurisdictions.
We believe that this is an area of law which would certainly
benefit from having its profile raised and would hope that in the
run up to the implementation of the Regulation both the Commission
and the Information Commissioner's Office (ICO) (as well as
other data protection regulators across the European Union) embark
on a coordinated marketing exercise to raise the profile not only
of the Draft Data Protection Regulation but also of the importance
of data protection as a whole.
The proposed increased sanctions are potentially
disproportionate to the risk of harm to individuals for breaches of
To achieve the successful implementation of a pan- European
data protection regime, more consideration will be required of how
such a regime will be policed and how consistency across the Union
will be achieved on a day to day basis. For example, how will the
situation which arises where a data regulator in one Member State
interprets the legislation differently to the regulator in another
Member State be resolved?
We have concerns regarding the ambitious territorial scope of
the draft Regulation, both within the EU (with the various
regulators permitted to levy cross-border fines) as well as from
the provisions designed to make non-EU based organisations comply
with the Regulation; it is difficult to see how these will work in
The drafting of a right to be forgotten makes it somewhat less
extensive than the public may anticipate from the media attention
given to it, and query how much more extensive the proposed
legislation is to that which currently exists in many Member
As a law firm we hold a large amount of our clients'
personal data (and indeed much other confidential information about
their affairs). It is essential we and similar businesses are
permitted to retain information about those whom we have acted for
and against and to be able to access that information for a long
period, not least to ensure we comply with our professional rules
for example as to conflicts of interest between our clients.
We believe that mandatory notification of data breaches within
24 hours will often be impracticable given that the data
controller's immediate priority will often be to implement
remedial / disaster recovery procedures. Smaller businesses may not
even have developed such procedures and may need legal advice on
their obligations, which is likely to take much more than 24 hours
to obtain in practice. The scale of a data loss may not always be
immediately apparent until a forensic investigation has been
carried out. For all these reasons, we think the time limit for
mandatory notification should be carefully reviewed, perhaps with
the upper time limit for the maximum length of time which should
lapse prior to a breach being notified being qualified by an
exception which can be invoked if notification was not reasonably
practicable (the onus being on the data controller to show
We believe a de minimis exception should be considered for
mandatory notification. Does the ICO really wish to be told of
every such loss or only those which risk harm to individuals or may
indicate a need for intervention by the ICO into the data
controller's activities or actions?
We are pleased to see that the model contract clauses and
binding corporate rules (BCRs) are proposed to remain in place;
although we think more consideration needs to be given to these and
(in relation to BCRs) the related approval process in order to
increase their uptake as well as to market their usefulness. We
favour a more streamlined procedure for having BCRs and simplified
drafting for new versions of model contract clauses.
*Our response represented a personal view from Clyde & Co
lawyers who practise in this area not from the firm as a whole and,
as we informed the MOJ, it should be read in that context. It is
not in itself legal advice on any particular case or
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
The date of the first binding vote by the Civil Liberties, Justice and Home Affairs Committee (LIBE) on the proposed General Data Protection Regulation (Regulation), which was initially planned for April-May 2013, has been postponed a second time.
Sam Allardyce recounted a humorous tale which re-enforced how important it is to have the right facts and figures at your disposal, and the importance of controls in establishing a trustworthy dataset.
The Court of Appeal has concurred with the High Court that the publication of private information relevant to an individual's character was justified where the public was entitled to consider his fitness for high public office.
When an organisation collects personal data about an individual, that individual has certain expectations about the purposes for which the data will be used.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”