UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 572-i

House of Commons

Oral Evidence

Taken before the

Justice Committee

European Union Data Protection framework proposals

Tuesday 4 September 2012

Ian Readhead and Merilyne Knox

Jean Gonié and Sietske de Groot

Christopher Graham and David Smith

Evidence heard in Public Questions 1–48

USE OF THE TRANSCRIPT

1. This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2. Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3. Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4. Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Justice Committee

on Tuesday 4 September 2012

Members present:

Sir Alan Beith (Chair)

Mr Robert Buckland

Jeremy Corbyn

Mr Elfyn Llwyd

Seema Malhotra

Yasmin Qureshi

Elizabeth Truss

________________

Examination of Witnesses

Witnesses: Ian Readhead, Director of Information, Association of Chief Police Officers, and Merilyne Knox, Head of Public Access Office, Metropolitan Police, gave evidence.

Q1 Chair: Ms Knox, Mr Readhead, welcome. We are very glad to have you helping us with our work on the EU Data Protection Framework Directive. Both of you have been involved in ACPO’s work in this area. Although Ms Knox is from the Metropolitan Police, it is in the ACPO capacity, I think, that you are here with us today. The Framework Decision 2008 is what you have been working with for some years. Was there anything much wrong with it and couldn’t we have carried on with that?

Ian Readhead: I think the answer to that is we are rather surprised that the Directive is going to be changed so soon after implementation. The Directive provided to the police service is the framework upon which we exchange criminal conviction data with our colleagues across Europe and I cannot underestimate how critical that is to the police service, against a backdrop that so many offenders who now come into our custody centres are not UK nationals. In the Metropolitan Police, for example, that level is nearly 40%, and so having a process whereby we can exchange conviction history is absolutely essential to good crime investigation and also to ensure that the courts obtain that information so that they can advise magistrates and judges about tariff and bail. We think those processes worked relatively well and we are surprised that we are now looking at a new Regulation and Directive.

Q2 Chair: In your communication with other countries and police forces in other countries are they similarly surprised, do you think, and happy with the arrangements?

Ian Readhead: There would be some countries who would say that their systems are well developed and perhaps there are others who still have some way to go to mature an approach to data protection. It is the concept that one hat fits all that worries us about the Directive. We think that compliance with the current Data Protection Act, although it perhaps is described as inelegant, with regard to proportionality, accuracy and retention periods, provides an excellent framework for exchange and also creates the right balance between the rights of the state and the police service in particular to hold personal data, against the rights of the individual as well for privacy.

Q3 Mr Llwyd: Good morning, Ms Knox and Mr Readhead. In your written evidence ACPO says "…we do not underestimate the new levels of bureaucracy and cost the Directive will cause to fall upon the police service". What is your assessment of the actual cost of this proposed Directive that is likely to fall upon the police service?

Ian Readhead: As you know, the Ministry of Justice at the moment are going through a costing exercise and we are unaware of any due diligence being carried out by the Commission with regard to these proposals. But we need to be very clear that the prescriptive nature of this Directive is, in our view, excessive and is totally alien to the way in which we provide compliance with the Act.

With the greatest respect to the Commission, the Commission should not be saying, "You’ve got to have a data protection officer and this is the role and function of that data protection officer." What they should be saying is, "Against the backdrop of the Directive you should have compliance." How we provide compliance is a matter for us, because, as in many other public services, chief constables have looked very carefully at their structures and we don’t have data protection officers any more; we have information managers who cover a whole raft of compliance areas, be that freedom of information, subject access, data protection or vetting. It is compliance that is critical, not a bureaucratic process that seeks to say, "These are your structures."

I also have to say that some of the business processes within the Directive will involve us in significant cost; for example, the proactive method by which we would have to advise individuals potentially that we hold their data. The concept that you can hold data separately for victims, witnesses, suspects and offenders is, in our view, absurd because some individuals will be all of those. This kind of approach, in our view, is administratively cumbersome, would have significant costs for us in IT terms, would involve us recruiting more staff and comes at a time when public services are going the opposite way. We are actually trying to reduce our costs, whilst having compliance.

Q4 Mr Llwyd: The likelihood is that it would be disproportionately heavy on smaller forces.

Ian Readhead: I think that is right because those smaller forces are the ones that have recruited one person to undertake a number of those roles. The concept that you wind the clock back to having a data protection officer is just inconsistent with the way in which you provide compliance with the legislation.

Q5 Mr Llwyd: Ms Knox, do you wish to add anything to that?

Merilyne Knox: No. I would echo the views that Ian has put to you. One facet of my role is as a data protection officer. I take on multiple portfolios with regard to information management, and it is important that is maintained because, in order to come to an informed judgment regarding how the police force should manage its information, it should have due regard to all the information management legislation, codes of practice and so on.

Q6 Mr Llwyd: This is a question for either one or perhaps both of you. Where, in your opinion, should the balance lie between data protection rights and administrative burdens?

Ian Readhead: The role of the police service is to hold data differently from colleagues in the private sector. We run informants. Informants are very often criminals. How we manage that data, which is based on opinion rather than fact, is not the same as that envisaged by the Commission. It is not a factual process; it is an opinion process.

What we wholly accept, though, is that our accountability is to a number of structures. We account to the Information Commissioner, the Communications Commissioner, the Surveillance Commissioner and the courts. There are good examples of where the way in which we have held data historically has not found favour with the European Court of Justice and we have had to change that. Those are the checks and balances that exist for the police service. Inevitably, though, we will hold more information about individuals than will exist in the private sector and the balance is through those checks and balances that I have described.

Q7 Mr Buckland: In your written evidence, you make the proper point that it is unclear as to whether or not the new proposal would apply just for EU purposes or for domestic purposes. Have you had any guidance or assistance from the Ministry of Justice as to what their view is as to the applicability of the new proposal?

Ian Readhead: We have. We have worked very closely with the Ministry of Justice and also with the Home Office. We have been through the legislation with them and we have also had the benefit of Hansard, looking at the debate in the House. The current advice from the Ministry of Justice is that domestic processing is not covered by this Directive, and I have to say we are extremely pleased that that is the case; it would be absurd if 43 police forces now had to have information-sharing agreements with each other. It runs against the whole concept of sharing information and having a common approach to areas such as intelligence that came out of the Bichard Inquiry.

None the less, in relation to the exchange of European conviction data, I want to impress upon you first how important that is and the kind of work we are undertaking at present. For example, in regard to a German national who is arrested in this country, we would go to our colleagues in Germany to find out if he had any antecedent history. Those convictions, if he had them, would then be produced to the court in this country. If that German national were then convicted in this country, that record, including the conviction history from Germany, forms part of the PNC record. However, we would not share that information with an inquiry that may come from America about that German national. We have to be proportionate in the way in which we hold that data and we would direct the Americans back to Germany in order for them to disclose what information they wanted to with the American inquiry.

We also track offenders across Europe. This is another really important piece of work. A Polish national arrested in this country, who might be here legitimately with his wife and children, is arrested on a European arrest warrant and taken back to Poland. We now track that individual and we observe whether or not they are convicted, because, if they are convicted of a serious offence, we then notify the UK Border Agency because that has an impact on their ability to re-enter this country.

Through all of these processes, we work with our colleagues in both the Home Office and the Ministry of Justice and we try proactively to put in place schemes to try and monitor offending behaviour on a European level to protect local communities.

Q8 Mr Buckland: On that point, you raised some practical examples there. Another example would be the requirement of sex offenders to notify the authorities on their arrival or return to the UK. How is that system working in practice and would that be affected potentially by this proposal?

Ian Readhead: Yes. Again, we track sexual offenders across Europe. So, in regard to UK nationals who have gone to Spain potentially to gain access to young vulnerable females because the age of consent in Spain is lower than in this country, we would seek to obtain from Spanish colleagues details of that offence. We then impose all of the structures (the MAPPA processes) that are put in place when that sexual offender comes back and then tries to live in the community.

It is one of the things that concern us about the Directive. The Directive uses four principles in relation to how we can use data: it talks about the execution of criminal penalties, investigation, detection and the prosecution of criminal offenders. It doesn’t talk about common law. If we had a paedophile offender released from prison who goes to live on a caravan park, we go to the caravan park; we talk to the local families who are in caravans; we tell them, "There is a paedophile here." We do that unashamedly because we have to protect communities and protect vulnerable persons and children. This Directive, written in the way it currently is, in our view would prevent us from doing that.

Q9 Chair: Can you explain how that would happen, why the Directive would prevent you from making that kind of disclosure for which we have statutory provision in this country?

Ian Readhead: Yes. It prevents us because of the prescriptive nature of the Directive. As we read this, those areas do not permit us to use our common law powers any more, because, effectively, the argument would be that we are no longer processing data in accordance with either this Directive or the Regulation. That is a real concern to us because there is huge value in exchanging information with other agencies. We do that in relation to problem families and courts exercising warrants; we do it across a whole range of areas.

Q10 Chair: Youth offender teams as well.

Ian Readhead: Absolutely. We have dedicated resources working with our partner agencies to create those safer communities on a local level, and this prescriptive Directive, in our view, goes backwards. It takes us away from being able to do all of those very useful activities that mean so much to our local communities.

Q11 Jeremy Corbyn: Thanks for your points, Mr Readhead. When you disclose information to other agencies or, indeed, in the case you mentioned, owners of caravan parks for example, do you only disclose information that is based on a court process (a judicial process) or do you disclose police suspicions and police reports?

Ian Readhead: A high degree of care has to be exercised in relation to the disclosing of intelligence. If we had very good intelligence about an individual that gave us suspicion that they were actively involved in, let’s say, grooming children, we would, in certain circumstances, talk perhaps to the headmaster of a school or to partner agencies where we felt that local safety was being prejudiced. On the whole we try and use factual information. What is really critical in there is that, if we were tested in a court of law, we could produce sufficient evidence to warrant disclosure in that way. But we recognise that we have to be very careful in how such information is shared. Do you want to add anything to that?

Merilyne Knox: No; I absolutely agree with that. It has to go through a proportionality or pressing need test, which is based in case law anyway, on which we would make these disclosures. You would have to balance out what the impact would be in disclosure against the impact in not disclosing, and that is how we would make that decision.

Q12 Jeremy Corbyn: Is there not a danger that you would expose yourselves to a prosecution on the basis of defamation?

Merilyne Knox: Absolutely, very much so, but so far the disclosures we have made have been safe, and they have been upheld in court at JR level and above. Mr Readhead has made reference to that caravan example, which has been tested in court and was upheld.

Ian Readhead: So the whole essence of enhanced vetting, which is about employing persons who have unsupervised access to children and vulnerable persons, has at its heart disclosure of intelligence. It is not just about factual issues; it is about disclosing to employers in those circumstances intelligence which may shape the way in which they determine to let somebody have access.

If you go back to Ian Huntley, for example, remember Ian Huntley was never convicted of anything. What he had was a sequence of arrests where his modus operandi was to commit sexual offences against vulnerable young women whose evidence would never be trusted. That arrest history was critical to the way in which he was able to get access and employment. You know it is the failing of the police to make that available that enabled him then to commit the awful crimes that he did, so it is at the very heart of the way in which you protect local communities.

Chair: Thank you very much indeed. We are very grateful to you for the very frank and clear evidence that you have given. Does anyone have any more points anyone wanted to raise with these witnesses? If not, we can move on to our next group, but we very much appreciate your help this morning.

Examination of Witnesses

Witnesses: Jean Gonié, Director of Privacy EU Affairs, Microsoft, and Sietske de Groot, Senior EU and International Affairs Policy Adviser, Federation of Small Businesses, gave evidence.

Chair: Ms de Groot from the Federation of Small Businesses and Mr Gonié from Microsoft, both of you are looking after European issues for those respective organisations. We are grateful to you for assisting us today in our work on the proposed Directive and Regulation. I am going to ask Mr Buckland to start.

Q13 Mr Buckland: Thank you very much. We have been dealing with the Directive. We are now turning to the draft Regulation itself, and, in particular, the impact assessment made of that Regulation by the European Commission, which acknowledges that there are going to be some additional compliance costs. But it comes to the conclusion, in their view, that the reforms are expected to achieve benefits and savings of about €2.3 billion in administrative burden per annum. What assessments have you made of that predicted saving?

Sietske de Groot: We have no exact figures, but this €2.3 billion refers to the savings made mainly through harmonisation but also because the notification procedure has been abolished, so the last thing for our members is a true saving per year. However, up to one quarter of our members export in general and most of them within the European Economic Area. This is export in goods and services. Of that quarter, very few will export data, so the savings from harmonisation are very small. Then the savings from notifications are considerable.

However, the rest of the Directive introduces provisions that are much more burdensome. I can go into detail on that if you wish. The net result is negative, in our view, even though we don’t have exact figures, but if you look at the provisions they are very burdensome.

Jean Gonié: First, thank you very much, Mr Chairman, for inviting me. I am very pleased and honoured to speak on behalf of Microsoft. I totally concur with what you have said. With this figure of €2.3 billion we have difficulties, to be candid, because we have no real details regarding the impact assessment. We have just a few pages at the end of the text. We would like to have more information to understand better what these €2.3 billion savings really represent.

Q14 Mr Buckland: Are there any specific heads of information, do you think, that are absent at the moment that need to be looked at?

Jean Gonié: I think the economic impact and the business impact are not taken into account enough. We have some ideas, which are not difficult, about the appointment of a data protection officer and some savings that are linked to that. But, to be candid, the real impact for the industry, which is our impact, is difficult to represent maybe but doesn’t exist today.

Q15 Mr Buckland: We have dealt with some of the negatives. Do you see any benefits to business of having a harmonised data protection regime?

Sietske de Groot: Yes, of course there are benefits because data is free flowing not only in the UK but in the rest of Europe and the rest of the world, so you need harmonised rules on that. We have a number of members who provide cloud computing, and especially for them it is important that the rules are harmonised. I suspect that will be the case for more businesses in the future because more of our small businesses will export and more of our small businesses will use the European market to find new customers. So harmonisation is important.

Q16 Mr Buckland: But is it a question of striking the right balance? Harmonisation can mean different things to different people, can’t it? Putting it bluntly, how prescriptive do you think moves to harmonisation should be? What do you think the balance should be between harmonisation and too much prescription when it comes to domestic arrangements?

Sietske de Groot: We think the rules are too prescriptive indeed. Of course we would like to have as much harmonisation as possible, but we think you can also make legislation on the basis of principles instead of prescription, because prescriptive rules also prevent innovation. If you prescribe in too much detail, you don’t leave room for industry to develop their own standards or find their own solutions. In that sense, prescription goes against harmonisation because you stifle growth and trade in Europe.

Q17 Mr Buckland: There should be clear objectives.

Sietske de Groot: Yes.

Q18 Mr Buckland: First of all, presumably, the protection and integrity of data that is personal and private has to be at the top of the agenda, doesn’t it? Sometimes people say, "Yes, that’s a very good argument, but how do you achieve harmonisation without some prescription?" What do you say to that?

Sietske de Groot: That is a very good question. I can’t answer on that because you need some form of prescription if you want to harmonise. We are very happy that it is a Regulation already that helps in harmonising things instead of being a Directive. At the same time, in this Regulation there is some room for manoeuvre for the Government to define rules on employee data, and we are very happy that that is left to the UK Government. But, yes, you have to strike the right balance, and, honestly, I couldn’t say. That is also a philosophical discussion. Do we have prescription and harmonisation? How far do you go? It is very difficult. For us it is important that it is not stifling growth, innovation and burdening small businesses.

Jean Gonié: I completely agree with all that and I think I can speak on behalf of the US industry established in Europe, because, for your information, I am also Vice-Chair of AmCham EU, and I was a reporter for the data protection position from the American Chamber of Commerce in Europe, in Brussels.

Basically, we are very happy to have this reform of the 17-year-old data protection regime. What is very good with this reform is that it is supposed to bring the maximum of harmonisation, which is really key. But you are correct: the devil is in the detail and we really want to be sure that we achieve the goal that we want. Today I think we all agree that 27 different regimes is 27 risks, 27 good reasons not to make business. All of us agree, from SMEs to worldwide companies, that this is really key. That is the reason why we are very happy with this text. The problem here is that we would like to have real harmonisation. There are a lot of different subjects that, for example, are already "discutable", like the one-stop-shop approach. I am happy to talk about the main establishment notion later on if you want. We really have some concerns about that.

Another thing I think we all need to discuss is the notion of delegated Acts. A delegated Act is very good. We need to have delegated Acts if we want to have maximum harmonisation and reform of the Regulations, but we think that some of them are maybe not useful; some of them go against a very important principle, which is technology neutrality; and some of them also deal with essential elements of the law. We don’t want a delegated Act that deals with essential elements of the law to be present in the text. I can develop that if you want, but it is really very important for us that the text shall not be too prescriptive.

If I may, I have one general comment on the text. We are all very happy to see a good reform that protects the data subject the maximum. I personally was a member of the French data protection authorities (CNIL) 10 years ago. This is very important for everybody; there is nothing to discuss.

On the other hand, as an industry, we are very surprised to see that we have a lot of new burdens but very new rights and very new incentives. We do not have a lot of incentives to develop all that we are supposed to do. The data subject has a lot of new rights: the right to be forgotten, the right to data portability, the right to lodge a complaint, which is good. But we would like the industry also to have new rights to help us, for example, to develop data transfer and to have an appropriate mechanism to put in place. So we have a lot of new burdens because we are supposed to be happy with this harmonisation.

Q19 Mr Buckland: Specifically to you, Mr Gonié, in terms of the decision making and investment decisions made by companies, taking your company as an example, what sort of weight would you give to data protection legislation in a particular jurisdiction when making investment decisions? Is it of priority or is it some way down the list of priorities when it comes to making those sorts of judgments?

Jean Gonié: I would say that this is in between the top and bottom in the list because, as you can imagine, we also have other incentives like tax regimes, skills employability and so on to determine investment. But, definitely, if we have coherent clarity in a data protection regime, this will really help. Like we have the digital single market objective, if we can have the same like a data single market, it will be very helpful for all of us. It would be a very good signal from Europe to the rest of the world.

Q20 Seema Malhotra: I want to continue on the analysis of the proposed Regulation, looking at specific criticisms that have been made and, in particular, the discretion about the right of data subjects to be forgotten. Article 17 of the Regulation gives individuals the right to request that organisations delete their personal data in specific circumstances. How feasible is it to permanently delete data, particularly if published on the internet, in accordance with this right to be forgotten?

Sietske de Groot: We think that it is very difficult. You can notify the parties to whom you have given or sold the data, but how can you check that everything is deleted, especially at a time when everybody is on Facebook and posts messages on Facebook? We think that it is not feasible to do that. Also, I would like to take the opportunity to say that we have stricter rules for businesses to comply with data protection, and, as Jean Gonié was just saying, we don’t have any rights that compensate that.

For example, you have to comply as a business with all these rules; it is very burdensome. But then one of your employees or one of your clients posts personal information on himself online. If that data gets compromised, who is responsible then? You can’t point to the data subject in that case. We feel that the burden of compliance and the burden of proof is very heavy on business, and that is not right at a time when we have Facebook, LinkedIn and other social media, and where personal data is easily submitted to the internet.

Q21 Seema Malhotra: Just so that I understand, you think it is disproportionately heavy on business.

Sietske de Groot: Yes, especially if you see how easy it is to post your personal data online. If you put the same data online that you hold as a business and it then gets compromised, it is difficult to trace back when the source was. But as a business you are responsible by definition, so you have then to prove that you did comply with the rules. It is very difficult then to prove that the data was already there online and the source of it.

Q22 Seema Malhotra: I would be interested if you had any further comments on that and also what you might consider to be reasonable steps to inform third parties of a request that data is to be erased.

Jean Gonié: Yes. The phrase you used, "third parties", is really key and essential in the text, but I would say more generally I think we all like this right to be forgotten. In Microsoft we have absolutely no concern in trying to do our best to comply with this right. Anyway, as you know, this right already exists. The right to erase data already exists in the 95/46 Directive.

It is good to have new rights, but the problem is that, if a new right is not workable, if as a company, as a data controller, you cannot test the feasibility of this right and you cannot erase the data, there is a huge problem. I think that this right to be forgotten idea is very good up to a certain limit. It is totally possible to retrieve any kind of data where, as a data controller, you have control of the data. This is totally possible. This is very important; it is key and essential. It is very important to do that. The problem is that it is not possible to retrieve all kinds of data because of the openness of the internet and the worldwide architecture of the web.

I suggest that perhaps you invite or discuss with a body called WCC, which is in charge of liberating the architecture of the internet, and you will certainly understand better, because this is a very tricky question and it is not easy to understand, that it is not possible to have access to data anywhere in the world for many reasons, such as sovereignty of state. So this is really the first problem; it is not possible to have access to data.

The second problem for us is as a data controller. When I say "for us", data controller is a large notion. It is not only us; it can be ISVs; it can be a lot of other actors. In fact, basically what is asked of them is to control or to monitor the internet. Once again, because of the freedom of the internet, because of the openness of the tool itself, it is not possible for them to do that, and it goes against an idea that is already established in the E-Commerce Directive, which is the idea that internet service providers shall not have the ability to monitor the internet.

We have a lot of different notions here, and once again I think everybody wants to comply with the text, but the problem is, first, the feasibility and, secondly, the theoretical debate that goes behind this very notion.

I would just finish on a very important point because the right to be forgotten, which is the same for other rights, is subject to a fine. If we don’t comply with rights established in Article 17(1) and (2), we may be subject to an administrative fine up to, I think, 1% or 2% of our worldwide turnover, which is of course a lot and which is a huge risk for all of us. If you want, I will maybe develop this administrative fine approach later on, but basically I think the problem is what we have already said about this harmonisation already.

The problem is that we don’t want to be fined for something where we don’t know the ins and outs; we don’t have the rules and we don’t know what is at stake and what is feasible. There is a huge risk because there is a kind of a third party role and other parties’ role in Article 17(2), and, if we don’t comply with the text that we don’t understand or that we know it’s not possible to comply with, we will be subject to a fine.

Once again, we are happy to be fined, but we need to know the rules. If you start a football match or any kind of game, you need to know the rules. Once you know the rules, you can start the game. The problem is that, with half of the text of the Regulation to date, we don’t really know the rules. There is nothing to discuss. We are companies who just follow the law, nothing more, but we want the law to be clear for us to know what the future looks like. We just want and need predictability.

Q23 Elizabeth Truss: You mentioned earlier the whole issue about technology neutrality not being covered in the proposed Regulation. Could you just comment overall to what extent you think that existing technology is taken into account in the Regulation?

Sietske de Groot: I am not a technical expert in this, but what strikes me is that in the delegated Acts the Commission sometimes says that it will define the electronic format for the provision. It strikes me that, if you define that and the Regulation comes into effect later on, that electronic format is maybe not up to date any more. Maybe you want to say something, Jean.

Jean Gonié: This is totally correct. The problem with part of the text here is that a part of some Articles is a threat to what we call technology neutrality. It is very important to have text that is future-proof and goes with no specific standard or format.

I will just take three Articles as examples, if you want to have something concrete: Article 18 on data portability, Article 23 on privacy by design and by default, and Article 33 on privacy impact assessment. Those three Articles go with the possibility for the European Commission in the delegated Acts to specify a format.

For example, on data portability, the Articles go clearly with the fact that the Commission have the possibility to define electronic format. It is the same for privacy by design. The Commission nailed it down – technical standard. It is the same for privacy impact assessment. It may make sense; it is maybe a very good idea; it is maybe very important – but it is also a threat because we don’t know what the technology will look like in two or three years. Remember, Facebook is a very new company – some years ago no one knew Facebook. It is the same for Google, for very large companies who are very new; it is the same for Twitter. We don’t know what the technology will look like and this is something that is very important for us.

Q24 Elizabeth Truss: Can I ask how what the EU is doing compares with other regulatory regimes around the world? Do you think the EU approach is restricting growth in this market compared to other markets, and could you point to an authority that you think is getting the Regulations right?

Sietske de Groot: I have to say I know very little about this, but you are talking about the internet here and that is difficult to police. There is no authority that polices the internet. We have eCOM, which is fairly independent, but I wouldn’t know of a state–

Q25 Elizabeth Truss: My question was more towards Microsoft as a global company, because you must deal in all those markets.

Jean Gonié: Yes. That is a very good question. I gave one or two examples spontaneously, but, if you would like, I am happy to send you further explanation or details. As you know, in the US there is no one federal privacy law but some state laws, so some states in the US – for example, the State of California – advocate technology neutrality because they know that this is very important because we don’t know what the future looks like.

I also think spontaneously that in Singapore, which has just adopted a privacy law, this is also the same idea. But, to be candid, I do not know for the rest of the world. As you know, it is only like 60 to 80 countries that have a privacy law in the world, so it is not that much. But it is an interesting question anyway because it is a very important point.

Q26 Elizabeth Truss: You have also commented on international data transfers in cloud computing. Can you elaborate a bit on that? Why do you think there need to be stronger safeguards there?

Jean Gonié: As a worldwide company, this is really the key question; this is the most important question. To be candid, we think that in the text today that stipulation is good but it needs to be improved. Today, when we speak about cloud, online, internet, social media and so on, all that is about data transfer. We think that today the text needs to be improved because the safeguards proposed are not robust enough. They are very good; they want to improve what we call the safe harbour, which is the agreement between–

Q27 Elizabeth Truss: Can you just clarify a bit more for us, because on the one hand you are saying it needs to be less specific so it needs to be technologically neutral, and on the other hand you are saying the safeguards aren’t tight enough? Can you just outline how you would move that around to fulfil both of those?

Jean Gonié: Thank you for this question and it confirms what I have said. Let me use a word that is very important for a lot of US companies and it will be a connection to what I have just said on the incentives. Today we think that for international data transfer what is missing is, I would say, a recognised accountability approach. What is recognised accountability and accountability? This is really the link I wanted to make with the notion of incentive. We think that today a lot of companies develop certifications and codes of conduct. They try to do their best to do more than what is compulsory and they have no incentives for that; they have no real recognition. Today Article 39 is not clear on that.

So we would like this to be developed for data transfer. It does not mean more prescriptive text. It means that the text takes into account what companies are doing for data transfer in the world.

Can I tell you precisely what the Article 29 Working Party, which is the 27 data protection authorities in Europe, have just proposed in their cloud computing opinion last July? They say that, in addition to any kind of data transfer that already exists, it is good if a company, based on its pragmatic experience, develops appropriate safeguards – of course with a lot of control. But this is something really very important and that will go with the fact that we think the text is prescriptive.

Q28 Elizabeth Truss: This is a slight diversion, but do you think part of the problem is the underlying market structure of the internet and the way that it was developed and so on means that consumers don’t necessarily pay for data transfer in the way that they might do?

Jean Gonié: I do definitely. I definitely think that there is a gap between the text proposed today, which is a good text, and the reality of this online approach from the internet. If there is one word that is the key word for this Regulation for this text, it is trust or transparency – but really trust. The text needs to take into account this notion of trust. If we can reach this notion of trust, I think the data transfer issue, for example, will be achieved and will be solved. Typically, the reason why I use the certifications and the codes of conduct is because, thanks to them, you can introduce a certain level of trust in the data transfer fleet.

Q29 Seema Malhotra: This question is more about the impact on small businesses, so it is slightly more directed to you, Ms de Groot. The FSB have argued that the proposed Regulation will have a greater effect on small business that won’t necessarily have the resources. I am quite interested to know how effective you think the proposed exemptions for small businesses might be in relieving them from burdens and also your view about subject access requests and fees and the potential for perhaps an increase in volume should fees be abolished.

Sietske de Groot: First, on the exemptions, there are three notable exemptions in the Regulation. One is the exemption for the data protection officer, which of course we welcome very much. Then you have exemption 28 on documentation. This is a big thing. Yes, we are very happy that that happened because that would mean an enormous burden otherwise.

Then you have the exemption that is in the delegated Acts on the data impact assessment. On the last one, of course, it is not sure whether that is going to happen because it is in a delegated Act. That might happen later; it might not even happen. Again, I can come to discretion on delegated Acts later. So we are very happy with the exemptions.

There are also other smaller exemptions announced in delegated Acts. You calculated how many delegated Acts there were, but approximately half of them announced that they would take into account micro and small to medium-sized businesses. Of course we welcome that; it is very good. But we would like to see that addressed in the Regulation itself because delegated Acts cause a lot of legal uncertainty. We don’t know what is going to happen, when and what, if and how. If the Commissioner is now saying there are exemptions in those delegated Acts, we are happy with that but we don’t know how happy we can be with that because we don’t know if they are going to happen or not. The intention is good, of course, and we welcome that.

On subject access requests, we really are not happy with the fact that you can’t charge a fee any longer, because the burdens of subject access requests have increased because the rights of the data subject have increased.

Q30 Seema Malhotra: What kind of proportion have they increased by?

Sietske de Groot: What proportion? I can go through a list of new things that small businesses have to do and it is all to do with the new rights of the data subjects. I can’t give a proportion, but I can go through a list later on. What we implore is that the loss of the fee means a net burden increase because there is more obligation you have to comply with and you can’t charge a fee.

Especially, this fee acts as a barrier – that is what our small businesses say – to people asking for their data, people who are not serious or who want to be frivolous or vexatious. That is a real clear barrier to those people and that protects our businesses. If you leave that open, you can even think of people who are disgruntled with their employer or with a business just doing that on purpose, making data access requests on purpose and bombarding them with that, like you have a cyber attack.

Q31 Seema Malhotra: I have a slightly wider question, which is the requirement to appoint a data protection officer. Should this be based on the number of staff or also, perhaps, on how much data a firm might process? That could be to either of you.

Sietske de Groot: We think that a data protection officer should not be mandatory at all. Of course we are happy with the exemptions. It should be assessed by the business itself if you need a data protection officer because it is very expensive to have one. We would advocate it for businesses that are data-centric and monitor data on a daily basis but to make it obligatory for businesses above 250 staff. We think it is a matter of assessing that yourself based on the risk you run.

Chair: Thank you very much. We are grateful to both of you for your evidence this morning. It is clear that this has a lot of very serious implications for business both on a large scale and a smaller scale, which we will take into account in what we have to say. Thank you.

Examination of Witnesses

Witnesses: Christopher Graham, Information Commissioner, and David Smith, Deputy Commissioner and Director of Data Protection, Information Commissioner’s Office, gave evidence.

Q32 Chair: Mr Graham, Mr Smith, welcome back to the Committee. You are regular visitors to us and we are glad to have you with us on this issue, which, as is apparent from the evidence we have been receiving this morning, is very important in the areas which it will particularly affect. I will start, if I may, with the Directive.

The first evidence session we had this morning was about its impact on the police. The Government’s view, as we understand it, is that domestic processing should not be included at all but would not apply anyway. In the UK, the domestic processing of the kind of data that the police hold would remain governed by our provisions and is not affected, but the Government are still, I think, nervous about all these provisions being in the Directive. Is that how you see it?

Christopher Graham: Mr Chairman, perhaps I could begin by saying that the Information Commissioner’s Office is deeply sceptical of this proposal to split the current Directive between a Regulation and a Directive. All sorts of mischief follows from that decision. Unfortunately, I was let down by Virgin Trains so I did not hear Mr Readhead’s evidence, but my colleague David Smith, who was listening intently, will be able to answer that question with more precision than I can.

David Smith: I think it is a difficult area because there is clearly an element of politics about the UK’s position in relation to the European Union and, particularly, measures in the police and justice areas – the third pillar here. From our point of view, we are proponents of good regulation. Good regulation means consistent law that is clear and easy to understand and easy to apply. Once we start to diverge and we have a Regulation for the commercial sector and a different legal instrument for police and justice, you start to move away from that and you cause particular problems in areas like local authorities, perhaps, which have functions that will come under the Regulation and others that will come under the Directive.

In many ways, we want consistency. I suppose, at the end of the day, that consistency could be delivered by one instrument from Brussels, but I think, in reality, we are not going to get that. We are going to get at the very least these two instruments and these questions about whether the Directive applies to domestic processing. But, when whatever comes from Brussels is applied in the UK, the Government do have a choice as to what rules they apply to policing domestically. Even if we are not part of the Directive for policing domestically, we will still have data protection law in the UK for domestic policing, just as we do at the moment. Our position will be that that should be closely aligned to the Brussels regime, even if it is not mandatory on the UK to follow that approach, because that makes it easier for individuals and for us as the regulator.

Q33 Chair: Are you saying that it should be closely aligned to the Brussels regime even in those areas where our witnesses have told us that the proposal is potentially very unsatisfactory and would not allow or might not allow the police to use intelligence, for example, in the way that they currently do?

David Smith: I think you can align the principles and the basic operation. I do not think any of the witnesses so far have really questioned any of the basics. It is the administrative burdens that go with it that are the problems. I do think we could, yes, take a proportionate approach to how that is applied in the UK so that the principles are there. It doesn’t stop the exchange of data with Europe because we have different rules, but we don’t necessarily apply all the detailed prescription that has caused so much concern.

Christopher Graham: It is worth adding that we see it as a prime aim of modernisation of the data protection regime to achieve clarity. This is going in exactly the opposite direction. Of course the police have concerns about whether they are going to be able to do their job across borders, capturing criminals and so on. There are also very basic questions about protection for the citizen in their dealings with the police that arise from data protection law. One of our early civil monetary penalties, I am afraid, had to be visited on the Lancashire constabulary because of lax handling of very sensitive personal data, with something as simple as leaving a missing person trace record in a squad car that was passed on to another team and was found blowing down the street, and was handed in to the local newspaper by a man walking his dog.

Let’s not forget the very basic disciplines of data protection, which are what this reform should be about. One of our concerns is that it is going to become so complicated that we won’t see the wood for the trees. There are real concerns and citizens’ rights that need to be protected and they are not necessarily going to be better protected by these two measures.

Q34 Chair: Is there an issue, as the Government have indicated, around having to renegotiate a lot of bilateral treaties and agreements in this area?

David Smith: There is certainly a question. I do not think it is one that is very easy for us to comment on because we are not involved in the negotiation of those bilateral treaties. So we can’t really comment on how difficult that is or on how far it will be necessary.

Those bilateral treaties have, presumably for the most part, been entered into under our current data protection regime and should respect the requirements under that regime. As we said, the principles under the new regime are very similar so, if those bilateral agreements meet the current requirements, they won’t necessarily fail to meet the new requirements. A process of review is required, but our understanding is that there are very many of these bilateral agreements. We believe that the Ministry of Justice have developed a catalogue of these; so they may be able to advise in more detail. But, clearly, those sorts of agreements should be consistent with whatever the new legal regime is and so a review at the very least would be needed.

Q35 Jeremy Corbyn: Do you think that the proposed Regulations are over-prescriptive across Europe for what they are intended to achieve?

Christopher Graham: Yes, we do think that. I think our position is very clear. We want a modernised data protection regime. It is an analogue regime for a digital world. That is a cliché, I know, but in this case we have been calling the ICO for many years for updating of data protection legislation and it is a case of "Be careful what you wish for", because we now have a proposal that is welcome in many respects but we need a package which is clear and effective, and which delivers real rights for citizens and consumers. You will find that the evidence you are getting from the various witnesses shows a very wide consensus in the UK about where the current proposals don’t fit that bill.

You ask about it being overly-prescriptive. It is very largely about the proposed legislation in the name of consistency across the European Union being very specific about processes, whereas our approach has been much more to focus on outcomes and to go for the better regulatory approach of risk-based proportionate intervention. We are really quite worried that it will be very difficult to operate this regime. It will turn the ICO from, on a good day, a better regulation regulator into a vast administrative machine processing a lot of forms, permissions and ticking boxes.

We don’t see where the resources are going to come from to do that, but that is for another day. But this approach rather misses the point. You need to place clear obligations on data controllers in terms of their overall responsibility and let them work out how they are going to comply, rather than saying, "You do this; you do this; you do this; you do this", which is almost a painting-by-numbers approach to data protection.

Q36 Jeremy Corbyn: Do you think there is a cultural heritage here in that Europe is made up of a whole load of different nations with very different histories? In Eastern Europe you have former highly centralised states until 1990. In Spain, Portugal and Greece in recent memory you had fascist regimes that centralised all information. Do you feel there is an issue in Europe that some people just feel obsessed with collecting information for the sake of it rather than the outcome-based approach that you advocate?

Christopher Graham: No. We have to recognise the different histories and cultural traditions of our partners in the European Union. If we are going to be able to negotiate a better outcome, we need to treat our partners with respect and understand why they feel the way they feel. But we would be kidding ourselves if we caricatured a situation of this happy breed this side of the channel and a lot of Euro colleagues who have suffered under the fascist boot and so on, because the challenges of data protection for the citizens and consumers, not just in Europe but across the world, are really significant challenges of the 21st century.

Concerns about the surveillance society, never mind the surveillance state, are very widely held. You don’t have to be a German, either an East German who has gone through the whole experience portrayed in "The Lives of Others" or a German either side of the former divide who has lived through the Third Reich, to be concerned about this sort of stuff, because, unless we get data protection right – and it is a fundamental right under the Charter of Fundamental Rights of the European Union – we are all in trouble.

Q37 Jeremy Corbyn: Do you feel these Regulations then are going too far in the sense that there is a lot of unnecessary information being collected and therefore the surveillance society, as you mentioned it, becomes stronger because there are many people who are very concerned about what they see as unnecessary surveillance and unnecessary keeping of information on themselves? This country tried to introduce identity cards, and that was defeated because basically there was opposition to it.

Christopher Graham: Yes. There is that sort of chicken and egg argument. Do we have the Regulation and Directive that is proposed because–

Q38 Jeremy Corbyn: No. The right to challenge information and the right to know what is kept on you surely is the key.

Christopher Graham: Yes, and I support those rights. Our objection is simply to the means that are proposed by Brussels for delivering that fundamental right, which we don’t think will be effective because you are going to tie the various data protection authorities – many of whom are much less well resourced than we are in the UK – in knots doing the process, instead of keeping an eagle eye on what is going on and intervening where there appears to be a problem, and concentrating our resources where clearly the regulator ought to be intervening.

If we really have to give prior approval for risky processing on international transfers and if we really have to go around checking whether everyone of a particular size has a data protection officer or whether they have conducted a mandatory data protection privacy impact assessment, that is all we will do. It will be phenomenally expensive and rather less effective than the system we have at the moment.

David Smith: There are some differences in approaches to data protection Regulation. We have traditionally taken what we would see as a good UK regulatory approach. The market continues. People don’t come to us as an authority to get approval for what they do in advance; they take their business decisions and we step in if things go wrong. We have some strong powers now in terms of penalties, to impose penalties if businesses do get things wrong. But, if you like, you trust them to get it right and you step in if they abuse that trust, and trust was referred to previously, whereas some other data protection authorities have to check things in advance and prior approve things. This is particularly true in international transfers.

Many of our colleague data protection authorities have a system where they routinely sign off international transfers before they are allowed to take place. That is not the approach in the UK. As we try and come together to one harmonised instrument, you see those sorts of tensions emerging. We are critical of this instrument because it will require us to prior approve international transfers, but I have to say that some of our colleague authorities are equally critical of it from the opposite direction because it will allow international transfers through, in some cases without their approval, where they have to give their approval under the current regime.

Q39 Jeremy Corbyn: Lastly, doesn’t the British approach, characterised by yourselves, have with it the necessity of having a well-resourced Information Commissioner, who can retrospectively check on transfers and things like that, whereas, if you don’t have those resources, quite clearly a whole lot of data collection – data abuse quite possibly – can go ahead and you wouldn’t have the resources to do anything about it?

Christopher Graham: It is not just resources. We are in the fortunate position of having a notification fee at the moment, which raises £50 million a year for the Information Commissioner to do the data protection job. Unfortunately, the Regulation proposes to abolish notification, which raises a bit of a problem for us.

But it is not just resources and I am sure you are bored with hearing the Information Commissioner turning up and rattling the tin. It is also about powers. In many areas, one is stymied from doing the work that clearly needs to be done because one simply doesn’t have the power to audit, for example, without consent or to intervene without a court order based on a reasonable belief. You can’t do the sort of sample checking of, for example, international transfers under current powers. We would say we would certainly need greater powers. The resources question is something that I would certainly also like to address.

Q40 Chair: Wouldn’t the approach that you favour – the traditional British approach – be easier to achieve if the whole thing was done by a Directive and not by a Regulation?

David Smith: That must be true. It would be easier to do it, if you like, in the British way, with the freedom that a Directive would give, but that wouldn’t meet the Commission’s desire for harmonisation or would risk that. The Commission are very much, we think, driven – I think Microsoft’s evidence was very helpful – by the likes of Microsoft, the big multinational internet businesses, who say, "Above all else, we want the same rules throughout Europe so that we know what the rules are for Europe."

There is an element that the Commission see that as necessary for economic progress and making Europe a good place to do business, and clearly there is some merit in that. But driving this harmonisation does lead to these detailed prescriptive rules that everybody has to follow, which are not necessarily good for, say, the people that the Federation of Small Businesses represent, who don’t necessarily need the same regime in every country in Europe. What they just need is a sensible regime, from their point of view, in the UK. If the price of that is extra detail and extra prescription, because that is what you have to have to reach agreement among all 27 member states, maybe that is too high a price to pay.

It does not matter too much whether it is a Regulation or a Directive, but we would favour lightening up on the detail. Rather than saying that you must appoint a data protection officer who must be independent with two years’ qualifications and spelling out that you must keep these forms and this documentation, it just says that every business – it does not matter on the size – must have appropriate documentation relevant to the size of the business, the nature of the data it processes, to ensure it is able to meet the requirements imposed by the Regulation, and it must have appropriate staff in place with the necessary qualifications and experience and authority again to ensure it meets the obligations.

That sort of lightening up – prescribing the results rather than the forms to fill in – would be a much more effective regime. I do think that we will move some way towards that because we are not the only voice who is saying that, but we are pushing in that direction very much.

Christopher Graham: It is also worth saying that, increasingly, the data protection authorities within the European Union are cooperating very effectively because we feel this pressure from the big international companies saying, "Come on, you said we could do it here but we can’t do it there. What is going on?" Working in the Article 29 Working Party in Brussels, my colleague David Smith is very active in that. I more recently selected the Vice Chairman of the Article 29 Working Party. That is clearly where an awful lot of the work has to be done.

Under the new proposals with the European Data Protection Board, that would be formalised, but it is formalising something that is already happening. We are dividing up the big questions between the different data protection authorities. The Irish will take one, the Brits will take another and the French will take another, usually based on country of main establishment. But that is a trend that is bound to continue, and you will see greater consistency because greater consistency is clearly demanded. That makes me wonder whether we need to visit all these restrictions, particularly on the smaller players, in the name of achieving something that the dynamic of the marketplace and good sense is achieving anyway.

Q41 Mr Llwyd: We did question other witnesses about the right to be forgotten, as it is known. In your evidence to us you say that this is one of the more interesting parts of the Regulation, but you go on to say, "given [the] derogations, the various qualifications to the right and the technical difficulties surrounding the online deletion, we are unclear how the right to be forgotten will actually be delivered in practice". How feasible, in your view, is it to permanently delete data published on the internet in accordance with the so-called right to be forgotten?

David Smith: A lot of attention has been focused on this supposed right to be forgotten. It was the Justice Commissioner Viviane Reding who said to Christopher Graham that this is actually more of a political slogan.

Christopher Graham: She wasn’t just saying it to me; I was sitting next to her when she said it. This was at a European Parliament briefing attended by many witnesses. Rather to my surprise, about six months after she had said this was the big idea, she said she couldn’t understand why everyone was getting so excited about the right to be forgotten because it wasn’t anything we didn’t have already, and so everybody should relax.

Because there are so many exclusions and derogations, we don’t see it as very much of a threat because we don’t see it as very much of a right either. You can’t put the genie back in the bottle. A lot of the problem arises from information which people have posted anyway publicly and which then gets, as it were, re-treated. You can’t recall that. Where you are dealing with information held on databases between different authorities, it is good data protection practice anyway for that to be trapped. You have rights at the moment to ask for that to be deleted.

David Smith: There was always going to be something in here that was called the right to be forgotten because of political statements that have been made and pressure, particularly from the French, to introduce this sort of approach. When you unpick it, much of what is there of the right to be forgotten is just a restatement of existing provisions – data shan’t be kept for longer than is necessary; if it has been processed in breach of the legal requirements it should be deleted, which goes without saying.

What is, in our view, important is the new Article 19, and it is the right to object. It is part of the right to be forgotten. At the moment, under the current law, people have a right to object. I can approach any data controller and say, "I object to you processing my data. Please delete it." But the onus is on me to provide the compelling legitimate grounds as to why it should be deleted. I have to make the case and that right is quite limited. That sort of balance of proof has changed in these new proposals. I can go along to any data controller and say, "I want you to delete my data", and they have to come up with the compelling legitimate grounds for keeping that data. Of course in many cases they are able to do that, but shifting the balance of power in the relationship a bit towards the individual seems to us to be important.

The point has been made about whether this is directed to social networking. Yes, there is no doubt it is. How you take reasonable steps to track information on the internet is extremely difficult and I don’t think we can answer that. If you have information on your site and someone has put a link to it, you can trace that link and so on. But, clearly, as Christopher said, you can’t put the genie back in the bottle.

The big risk here that we see is that you say to the public, "You have a right to be forgotten", and when they try and exercise that right it is quite limited. So you have a lot of disappointed individuals who don’t have the rights they think they have, who then complain to the regulator that they are not getting what they expect. It is not what the law says, so we disappoint them as well and we become the problem. Again, we would like this to be not strengthened but just made more specific and more realistic.

If I may, there is just one other point about it. One of the other things it has been directed at, which is not all that clear, is the responsibility of search engines in the right to be forgotten. To put it simply, if there is information about me on a website that has been published that I do not like, and maybe I have even obtained an injunction to stop that information being published but it is in a foreign country and I can’t do that, can I go to Google – as an example of search engines people usually use – and say, "Google, stop returning that information in a search"?

It is unclear how or if this Article would apply to that, and clarification on that would be welcome. It is also the subject of some cases before the European Court of Justice at the moment, particularly from Spain. How those come out and the implications that they have on how this Article is interpreted is very important, because search engines are absolutely crucial here, but it is arguable whether they are a data controller or a processor or caught by the legal regime.

Q42 Mr Llwyd: Do you consider the current draft Regulation, in respect of steps to inform third parties of a proposed deletion, to be adequate?

David Smith: It is very unclear, as other witnesses have said, how that will work in practice. Where information has been passed on directly to a third party, then we would expect a business to have a record of that and be able to inform them that that information should be deleted. If they have allowed or can find links into their sites, they should be able to trace that. But, if information has gone out on the internet, it has been accessed from their site, taken and posted elsewhere, it is very hard to see what can be done.

That does take you then into this question of what the responsibilities are of search engines and so on in returning this information. Is that where you can be effective? You can stop search engines returning it more easily than you can wiping it from the record, which may have implications as well for historical record, freedom of expression and so forth.

Q43 Mr Llwyd: It is clear that the proposed Regulation will impose a number of new obligations on data controllers. Why is it your belief that a focus on outcomes would be beneficial?

Christopher Graham: Why do I believe that a focus on outcomes will be beneficial?

Mr Llwyd: Yes.

Christopher Graham: I think that the better Regulation approach has been tried and tested. It is a bit retro for Brussels to be quite so specific about all the detail that shall happen, when it is more sensible to intervene either to deal with problems as they arise or to audit compliance with good practice, rather than to have a whole series of very costly obligations imposed on individual data controllers regardless of their circumstances.

You might have a very large enterprise that is doing almost no processing and a very small enterprise whose sole existence was rather buccaneering data processing. We think it is better to put the obligation and the responsibility clearly on the data controller. You are almost subcontracting the responsibility to a particular official. I can imagine that the data protection officer is not going to be part of the club and it will be like the IT guy saying, "These are issues that we leave for the data protection officer", when these ought to be a main board responsibility. This is what ought to be keeping the chief executive awake at nights. What is going to be keeping the chief executive awake at nights is whether the data protection authority will decide to – sorry, there is no discretion about this – when the data protection authority will impose a fine of up to €1 million or 2% of global turnover because the company failed to carry out a privacy impact assessment in appropriate circumstances.

Those are pretty scary obligations, and we believe that the overall obligation to comply, in general, doesn’t then need to be broken down by, "This happens to you if you do this; this happens to you if you don’t do that; and that happens if you don’t do the other." Quite apart from the fact that it is going to tie the data protection authority up in knots, it would be much better to have a general obligation to comply rather than specific steps which have been derived from what has been developed as good practice. It is almost as if the Commission has said, "That’s a good idea; we’ll have that. There’s another one; we’ll have that, and we will fine you" – what was it? – "up to €1 million if you don’t do it."

Q44 Mr Llwyd: Microsoft told us, and I think quite reasonably, that in their view the one-size-fits-all approach to compliance is inappropriate. They do in fact say, for example: "To be balanced, the Regulation should ensure the most punitive sanctions are reserved for truly bad actors." What would you say about that?

Christopher Graham: I absolutely want the discretion, as Information Commissioner, to use the experience and judgment of my team to judge behaviour, judge the circumstances and consider mitigating actions, which is exactly what we do with civil monetary penalties now. If we were obliged to go blasting in on every occasion and fine a particular sum of money, we would be in no better place in terms of compliance, and probably a rather worse place, so I don’t favour that one-size-fits-all approach at all.

I want discretion, and in the negotiations – and there do need to be real, hard negotiations within the European Union to improve this draft – a very important victory would be to change that bit that has all the lists of what the data protection authority "shall" do and amend that to "shall be empowered to" or "may do" so that we have the discretion to go after the bad guys, understand where things may have gone wrong and there are mitigating circumstances, and not–

Q45 Mr Llwyd: "May" could be the right word, couldn’t it?

Christopher Graham: When I raised this point with a very senior figure within the European Commission and I said, "‘Shall’ is a real problem", he said, "‘Shall’ – you can easily change that to ‘shall be empowered to’". I suspect there is a lot about this draft Regulation and Directive which can be easily changed with an appropriate negotiating stance from the UK and others. The big mistake we make is to say, "We hate this; we hate this; we hate this – we’re not going to play", whereas, with a little bit of diplomacy, we could achieve a much better result.

David Smith: That is entirely right. What it does do is to illustrate some of these problems of harmonisation. You really want harmonisation. If you have a data protection officer without the right qualifications, you should face exactly the same fine whether you are in the UK, Poland, France or wherever, which gets you to, "There must be a fine and it must be a certain amount." But that just gets you to undesirable, unintended consequences and unmanageable regulation.

In our view, you have to lighten up. You have to take the risk that there won’t be complete harmonisation. It doesn’t actually matter whether the fine is exactly the same or not, and we do have the European Data Protection Board, which is there to try and ensure consistency. Equivalence of approach is much better than harmonisation, in our view.

Q46 Chair: Your belief that diplomacy can sort a lot of these things out might be particularly welcome to the many industries and organisations who have given written evidence to us about particular difficulties they think that the Regulation presents, whether it is credit reference agencies, newspapers, the BMA in respect of health data from research, or the insurance industry. A whole series of industries and activities have got quite worried about their returns.

Christopher Graham: We are worried too, but we are trying to do what we can, within the Article 29 Working Party, to influence discussion in a more pragmatic direction. We are very active on this issue. We did a briefing for members of the European Parliament very early on. We are doing another one in two weeks’ time. As I said, we are very active within the Article 29 Working Party, and the Article 29 Working Party has considerable influence because of the expertise that exists there. I hope the Committee will not feel that the UK position is going unheard. But I would say that we are not going to get anywhere just by saying how awful everything is. We have to come up with ideas for making it better and we have to behave in a cooperative way that actually achieves results rather than just grandstanding.

Q47 Chair: Sometimes I get the rather odd feeling that there are people like us who worry a great deal about the protection of data and individual rights, and then there are a whole lot of other people who spend much of their time loading vast amounts of information about themselves on to the internet by means of social media and also by means of shop loyalty cards and other things, which they cheerfully use.

Some of the evidence to us has suggested that there is some sort of distinction that could be drawn between citizen data and consumer data, on the basis that there are things which are relevant to Government and there are other things which citizens generally don’t have the same protective concerns about. Is there any basis for that kind of distinction?

Christopher Graham: When things go wrong you are concerned about it, whether it was the state that did it to you or Sainsbury’s. If the concern is that people are putting lots of very personal information, in particular photographs taken late on a Saturday night in a bar, on Facebook, I am not terribly sympathetic when they ask for the record to be wiped clean, and I am not terribly sympathetic when people express surprise that employers might be quite interested in knowing a little bit more about their employees by accessing information that is publicly available.

But I also think that all the benefits that come from the online world are benefits for consumers as consumers but also consumers as citizens. There is easy access to service and, frankly, when we get this right, better service from public authorities and better service from companies able to deliver services with the efficiencies that online develops and so on. But we do need a very strong data protection framework for us to be able to get all the benefits of online without the risks. I don’t see any merit in splitting one’s persona between, "I am a citizen at the moment, but at the next minute I am a consumer and I therefore deserve less protection." I don’t know whether, David, you have any thoughts about that.

David Smith: Only that a lot of it does come down to this flexibility of application. The same arguments are being made about the definition of personal data – that this is cast too wide and it captures things like IP addresses on the internet. But having a rigid definition which captures the right things and doesn’t catch the wrong things in a changing technological age – we wouldn’t have been talking about IP addresses five or 10 years ago – is very difficult. It is right that a wide range of information – anything that can be potentially used to affect you in any way – is caught by the legislation. What we then need to do, whether it is consumer data or citizen data, is to ensure that the provisions apply in a sensible proportionate way, given how that data is being used.

It is quite different if, say, the police are using that data or if you are a Facebooker using that data or it is on a credit reference file. It comes down to not trying to categorise data differently but giving more flexibility in what you mean by "accurate", "up to date", "not kept for longer than is necessary", depending on the nature of the data and the way in which it is being used.

Q48 Chair: Mr Smith and Mr Graham, thank you very much indeed. We are very grateful for your evidence today.

Christopher Graham: Would I be allowed to amplify one point or are you really up against the clock?

Chair: By all means.

Christopher Graham: A real concern for us, with the proposals, is the impact that it will have on data protection authorities having the resources to do the job necessary. I thought the Committee might be interested that we have run some sums to find out the impact on the ICO of implementing what is currently in the proposed legislation. I accept that may change, but it raises the question of whether any of this is actually doable, because, if we were to do the least that we can identify as being down to the ICO under these proposals, our funding would have to increase from the current £15 million from data protection – the notification fee, which itself is under a question mark – by a further £8.4 million: that is a 56% increase.

It isn’t going to happen, Chairman. But if we were to do what is frankly the more realistic role of what we think we ought to be doing, given the legislation that is set out, the figure is even more scary and, frankly, unbelievable. It is £15 million at the moment; we would need a further £28 million. Is anyone going to vote an additional 187% to the ICO, excellent though it is? No, they are not.

So you then have to say, "This system cannot work." They are certainly not going to vote 56% either. This system cannot work because you are describing a regime that nobody will pay for. We are about the best funded of the data protection authorities within the European Union. If we can’t do it, and we particularly can’t do it when the notification fee on which our funding is based is abolished, how is anyone going to be able to do it?

David Smith: If we lose discretion, all we will be able to do is punish and not advise and assist. We believe very strongly that advising and assisting people to get it right, as well as punishing those who fail in their responsibilities, is the duty of a rounded, proper, effective regulator.

Chair: You could not have been clearer. Thank you very much.

Prepared 10th September 2012