Christopher Graham spoke at the recent Privacy Laws & Business Conference in Cambridge, UK. Here is an update of the main points:
The new EU Regulation
Will it happen? Well, “if it looks like a duck, swims like a duck and quacks like a duck then it’s probably a duck”. All the indications are that the Regulation will happen. We have to assume it will. This echoes the message from the European Commission at the same conference. So: start preparing now (or at least think about starting to prepare!)
Information Commissioner’s Office priorities
The ICO has challenges like any organisation. There are the “known knowns”: the fact that the ICO has more to do and fewer resources with which to do it. In the last year, the ICO responded to 40,000 enquiries using its resources of 388 staff (that covers data protection and freedom of information) and a budget of £16 million (USD 27 million).
There are also “known unknowns” like the Regulation.
Then there are “unknown unknowns” such as the recent Google ruling and the news that the UK Parliament is rushing through emergency legislation to counteract the EU decision that the Data Retention Directive is illegal and invalid. The new UK rules will require telcos and ISPs to retain communications data for law enforcement access purposes.
On the Google ruling, Christopher Graham said that the Article 29 Working Party will be producing guidance and the ICO will look to that to inform how it will respond to requests and complaints in relation to the “right to be forgotten”. However, this is not an unfettered “right to be forgotten” and the ICO will not allow it to be used to help those who have committed crime to airbrush their past. Christopher Graham criticised the British media response to the Google ruling and the suggestion that this is an unfettered “right to be forgotten” that could be abused.
The A29 Working Party is due to meet the search engines on 24 July to discuss the ruling.
The ICO is still pushing for mandatory audit powers and implementation of the rules on custodial penalties for data breaches.
The ICO is progressing a privacy seal programme. The ICO will not be launching its own “privacy seals” but we can expect to see this become part of the privacy landscape in the near future.
The ICO is very focussed on dealing with spam marketing (email and texts). We expect more enforcement action on this. Nevertheless, the ICO will be picking its battles carefully (given resources and time constraints). Christopher Graham echoed Richard Thomas’ view that you have to be “selective to be effective”.
Christopher Graham also discussed the fact that, as the new Regulation will trash the notification regime, the ICO will need to find an alternative form of funding. The ICO currently collects the notification fees (£35 or £500 per entry). One idea is to look at some kind of “information rights levy” payable by data controllers. The larger the controller, the higher the levy. The levy would then fund the ICO. These are just initial ideas but food for thought. Someone will have to fund the ICO’s expanded role under the Regulation. The same is true for regulators in other countries in the EU.