UNCORRECTED TRANSCRIPT OF ORAL EVIDENCE
To be published as HC 572-ii

House of COMMONS

Oral EVIDENCE

TAKEN BEFORE the

Justice Committee

European Union Data Protection framework proposals

Tuesday 11 September 2012

Anna Fielder and Georgina Nelson

FranÇoise Le Bail and Marie-HÉlÈnE Boulanger

Evidence heard in Public Questions 49–99

USE OF THE TRANSCRIPT

1.

This is an uncorrected transcript of evidence taken in public and reported to the House. The transcript has been placed on the internet on the authority of the Committee, and copies have been made available by the Vote Office for the use of Members and others.

2.

Any public use of, or reference to, the contents should make clear that neither witnesses nor Members have had the opportunity to correct the record. The transcript is not yet an approved formal record of these proceedings.

3.

Members who receive this for the purpose of correcting questions addressed by them to witnesses are asked to send corrections to the Committee Assistant.

4.

Prospective witnesses may receive this in preparation for any written or oral evidence they may in due course give to the Committee.

Oral Evidence

Taken before the Justice Committee

on Tuesday 11 September 2012

Members present:

Sir Alan Beith (Chair)

Mr Robert Buckland

Jeremy Corbyn

Nick be Bois

Christopher Evans

Mr Elfyn Llwyd

Seema Malhotra

________________

Examination of Witnesses

Witnesses: Anna Fielder, Trustee and Company Secretary, Privacy International, and Georgina Nelson, Lawyer, Information Policy, Which?, gave evidence.

Q49 Chair: Ms Nelson, Ms Fielder, welcome. We are very grateful to you for coming to help us with the work we are doing on the European Regulation and Directive. Ms Nelson, you are from Which?, and, Ms Fielder, you are from Privacy International.

We are confronted with both a proposed Directive and a proposed Regulation covering different fields, one covering police and law enforcement and the other is what one might call loosely the private sector. Is this structure appropriate and are changes of this scale necessary?

Anna Fielder: I will answer this, if I may. First of all, thank you very much for having me to give evidence. I am very honoured and proud to do so.

As we said in our submission, we do not think that this structure is necessary. It creates a two-speed protection for citizens and consumers and, in particular, we are concerned by the fact that the Directive is far, far weaker than the proposed Regulation.

From the point of view of legislation, the Lisbon Treaty mandates the EU and Member States to have Regulation on data protection in the domestic law enforcement sector. So, from that perspective, yes, we need to have Regulation, but at the moment our Data Protection Act covers all sectors. We don’t see why this should not be the case also in regard to the Regulation covering all sectors, but having specific exemptions and provisions for the law enforcement sector, which obviously deals with some more delicate and important provisions.

Q50 Chair: Isn’t the law enforcement agencies’ case not just that there might be a need for specific exemptions but that the whole process should be one that allows us to operate in the ways we have traditionally done in this country, by domestic legislation, because, as you say, our existing domestic legislation covers both sectors? There is a difference between that and having both sectors dealt with at European level.

Anna Fielder: The domestic legislation at the moment is an adaptation of the EU Directive dating from 1995 and it applies to all the sectors. The UK signed the Lisbon Treaty, so it is obliged to apply EUwide legislation, and also there are provisions in the treaties of fundamental rights and so on. We have an obligation to implement those provisions. The crucial question to consider is how we implement them. Do we create two-speed rights regimes?

We need to remember that the law enforcement agencies hold records about millions of citizens and consumers, and a lot of them are perfectly innocent people and victims. It is estimated that the Police National Database holds records of about 15 million people, and I have seen estimates that about six million of those are perfectly innocent citizens. Therefore, there needs to be some kind of consistency, like we have now in the UK, in the Regulations. What has happened is that the Regulation has been ratcheted up; it has more rights for the data subject. The Directive that has been introduced is very much like the old Directive, with a few extra bells and whistles-for example, separating victims from offenders on the Police National Computer. But, essentially, it is very similar to the old Directive provisions. The result is that you have two totally different pieces of legislation.

That has also impacted on the Regulation because a lot of the data collected for commercial purposes passes on to law enforcement agencies. One classic example is passenger name records that are collected by all the airlines. At the moment different countries have different rules about those and what needs to be collected and why. I have seen records from one airline saying almost for each European country that you need different records. Of course those pass on lock, stock and barrel to the enforcement agencies, and suddenly the provisions for data subjects become much weaker and it doesn’t make any sense.

It is the same with financial records; a lot of financial records would be accessed for law enforcement reasons such as money laundering. You are left with a lot of grey areas and we are very concerned about this.

Q51 Chair: You talk about two-speed rights, but couldn’t that objective be achieved if there was a greater reconciliation between the Directive and the Regulation?

Anna Fielder: Absolutely, yes.

Q52 Chair: Rather than it all being the Regulation-the outcomes specified could be reconciled more closely.

Anna Fielder: You could align the provisions in the Directive much more with the provisions in the Regulations. Indeed, in our analysis of the Directive, we have proposed concrete amendments for this to happen, and we would very much urge the UK, in the Council of Europe, to lobby and ensure that that happens. We know also that quite a lot of other Member States are not happy about the situation because it weakens their domestic Regulations as well, so I think it is still not too late to achieve some consistency.

Q53 Chair: I think when you said "Council of Europe" you meant the European Council, didn’t you-the Council of Ministers?

Anna Fielder: Yes, correct.

Chair: I just wanted to clarify that.

Q54 Mr Llwyd: May I ask you about the perceived benefits of the proposed Regulation? Do you believe that securing the fundamental rights and protection of personal data and privacy in fact requires the level of prescription in the current Regulation as drafted?

Georgina Nelson: Shall I take that one? We understand the benefits of principled Regulations: principle allows flexibility, future-proofing and can be technology-neutral. But, in our experience and especially in regard to the Regulation, we believe a certain level of prescription is required.

You can look at examples that we have in the Air Passenger Rights Directive and the Treating Customers Fairly initiative by the FSA, which were both outcomes-driven, principle- based pieces of legislation, which basically fell flat because the regulators did not know how to enforce them, companies did not know where the guidelines were, what was in and out of scope, and the consumers did not know what their rights were. In each case it ended up in the courts because interpretation fluctuated so widely that it was only left to a judge to decide. That is not the way we want to go down the path with the current Regulation.

If we look back on Microsoft’s evidence of last week, it was clear that, while they were saying they wanted harmonisation, they also wanted clear rules, because when it comes to the heavy levy fines that are proposed they need to have assurance that what they are doing is within or out of scope and whether they are going to be fined or not. We do believe that a level of prescription will be required.

You can look at our current Data Protection Act as an example of where the lack of prescription has caused problems in interpretation. You have the interpretation of personal data when, internally, we have conflicts between what the ad agencies and networks believe, whereas IP addresses are not considered within the remit of personal data. Then you have the ICO’s guidance, which is saying that maybe it should take a broad-brush approach, but there are clearly conflicts there and there is no harmonisation.

Then you can take a wider look at the whole of Europe and think about how different Member States deviate between enforcement of data protection authorities. It is huge when you look at the different fines between what our own ICO does and what Spain does, and that in turn breeds forum shopping and uncertainty and that doesn’t breed consumer trust, which we want to see.

Anna Fielder: The point I would like to add, which is very vital, is that data nowadays doesn’t stay within national borders. It is not just European; it is global. So you can’t have consistency without some degree of prescription. I would fully support what Georgina said.

Q55 Mr Llwyd: By reference to the air passenger details, you may both answer but I think specifically this relates to what Ms Nelson was saying. Do I take it you believe that a focus on outcomes would not achieve the same result?

Georgina Nelson: There need to be clear steps about how those outcomes would be achieved. Just to focus purely on outcomes without that guidance would mean that it would be left up to the different Member States to provide that guidance, and that is when you would get differences in interpretation and fluctuation.

Anna Fielder: The current Directive is focused on outcomes. It has principles and results that Member States are expected to achieve, and you have a 27-track legislation. It doesn’t work. In order to harmonise, you need to prescribe to some degree-not necessarily to a vast degree but at least to some degree.

Q56 Mr Llwyd: Which?, in particular, in evidence, has said that the lack of trust and concerns raised over data protection present a significant barrier to growth, referring to a lack of confidence in many consumers in the confidentiality of the whole thing. Do you think that updated legislation could change this perception that, indeed, data online is not secure?

Georgina Nelson: Yes, I do. Our recent research showed that 80% of consumers were concerned or very concerned about the use of their personal information online. The research that we have done, both qualitative and quantitative, has shown that there are usually four reasons why there is this lack of trust.

First, it is the lack of transparency. It is the failure of the privacy policy to communicate to users how their information will be used. It has become a contract that companies use to protect their liability and it is written by lawyers in legalese. The result is that the vast majority of consumers don’t even look at it. That means they feel that they are losing control and they don’t understand how their information will be used. So the Regulation is brought to address that by pushing on transparency, by saying what information companies have to provide and by encouraging standardised formats.

Then you have breaches. Last year there were a vast number of high street breaches that hit the press. Consumers often didn’t hear about it from the high street themselves; they heard about it through social networking sites or through the media, and that again really shook trust. What the Regulation is proposing to do is put an obligation on data controllers so that, if they do suffer a breach that adversely affects consumers, then they have to notify them. Again, that would really build trust.

Then you have the fact that there is patchy enforcement when it comes to companies who breach data protection and so consumers are not seeing wrists slapped; they are not seeing any action being taken. Again, that is something that the Regulation is trying to harmonise between Member States and trying to give DPAs further powers to take against those companies and higher fines to impose.

Then the final reason we believe is the lack of feasible redress mechanisms. At the moment you are quite powerless as a consumer. If Google, for example, breaches your personal data, if they suffer a breach, your route is to take Google to court. It is not feasible for an individual to take on Google’s lawyers. Although we think there is still work to be done in this area, the Regulation is looking at easier routes for redress. Whether you do it via a consumer organisation representing you on your behalf or there are rights for compensation payments, we believe that these are all steps, hopefully, to build that consumer trust back up.

Q57 Mr Llwyd: Ms Fielder, do you want to add anything?

Anna Fielder: I totally support what Georgina said. I would say that we are not talking about some consumers. We are talking about the vast majority of consumers that are concerned, and all the surveys point to that.

The other economic issue worth bringing out here is having more confident consumers. I authored a study on ecommerce for the European Commission a while ago and we had an economic analysis of ecommerce in Europe, which shows that the opportunity lost for people not confident enough to go and shop online is about 1.7% of the EU GDP. Lack of confidence to engage has very serious implications for UK plc, basically.

Q58 Mr Llwyd: I can follow what both of you are saying, but how do you square that with the fact that the main four clearing banks would always say that online banking is increasing hugely year on year? How do you square that circle?

Georgina Nelson: Consumers are reassured by the levels of security that banks operate at. I don’t think banks generally have been the ones highlighted in the data breaches. What we are looking at is when consumers are contacted by companies with whom they have never had a nexus of relationship because they may have ticked a box ages ago and they feel they don’t know who their data is going to and what is happening to it.

Also, when you talk about privacy concerns for consumers, obviously the usual rebuttal is, do consumers really care because they are uploading their pictures on to Facebook? Are they just wanting their cake and eating it? What we need to remember is that there are these great shortterm benefits online, but what you are seeing is this concern that consumers feel there is something in the wings, and, while they want the benefits, they are not sure about the longterm costs and they have a level of unease about it.

If you look at BIS’s mydata strategy, on which I have been working with BIS, and think about what they are trying to implement there and how they are trying to take their personal data ecosystem forward, the huge barriers that they are facing are in consumer trust with the research that they have done. This is continually what we are going to find with the internet. Once we move to Digital by Default with the Cabinet Office and ID Assurance, unless we can build that consumer trust, these initiatives are going to have real problems getting off the ground.

Q59 Nick de Bois: I have a quick supplementary on that. I don’t want to take away from what seems to be your enthusiasm for the proposals, but is it, in summary, realistic to think that this legislation will suddenly make consumer confidence no longer an issue in online transactions? If you ask 100 people in this room, if there were 100 people in this room, most of us who would use it would be worried about the possibility of fraud. Are you not raising expectations too much by putting emphasis on satisfying those objectives to this legislation?

Georgina Nelson: It is a really positive step in the right direction and I do believe the Commission have addressed the key concerns that we recognise with consumers. I am not saying it is a panacea, but I believe it is certainly a way forward.

Anna Fielder: Can I just add to this? Philosophically, legislation is always a first step. It doesn’t solve anything in itself. There is plenty of legislation that is ineffective because it is not effectively enforced. So you need this first step; you need to create the basis, and then it is the work of the regulators, the consumer groups or the stakeholders to make sure that it works and it promotes the objectives that it needs to promote.

Q60 Nick de Bois: That leads us nicely on to the burden of business, if I may, Chairman. Bearing in mind what you have just said, I am trying to understand if either of you feels that the administrative burdens contained in the proposed Regulation are necessary to deliver this EUwide harmonisation. I will put that in context, because clearly there is a difference of view between your two organisations and those of the Federation of Small Businesses and Microsoft, who do not take your position. Can you explain why you think it is necessary, and perhaps I will start with you, Ms Fielder?

Anna Fielder: Yes, with pleasure. I want to make two points and then Georgina can supplement me. If you read the Regulation, the bulk of these administrative burdens is particularly in the sections that concern data subject rights-in other words, consumer and citizen rights.

For example and concretely, you have an Article 12 that sets requirements for various procedures and mechanisms. You have an Article 14 that has a detailed list of all the information that has to be provided; Article 23 is on privacy by design and default. The bulk of those burdens are in the data subject rights, and the reason they have been put in there is because, precisely, the current legislation does not respect those rights and it was felt that you need a bigger degree of prescription and administration in order to ensure that that happens.

The second point I wanted to make is about technology. If you look at the amazing technological advances, you can do almost anything with algorithms and automated processing. Every time you go online, a cookie is placed in your computer so that there is knowledge on exactly which sites you visit and it can profile you exactly on your tastes, how much money you have got and where you live, without necessarily knowing your name and address. If you can do all this technologically, why is it so difficult technologically to have a number of processes in place, which are good practice in any case, that when you put them in place they can stay there and be automatic? It is not such a burden and it is not expensive.

Q61 Nick de Bois: Is that realistic? I spent 25 years in business, and someone would come along and assure me that there was a program available and once it’s in it wouldn’t be a problem. I am constantly updating, I am constantly changing, and I saw an IT bill for a small business of about £20 million turnover go from £30,000 a year to about £200,000 a year. How confident are you that this will not become that sort of burden for the smaller businesses-I am more interested in the smaller businesses, as you can imagine-who will have to deal with this?

Anna Fielder: Absolutely, yes; smaller businesses are the bulk of UK business and it is very important. Even smaller businesses can buy off-the-shelf ecommerce packages at the moment. You probably know that if you have been in business. I have a friend who runs a photo gallery; she is a photographer but she is also a small business. She found that a combination of cloud computing and off-the-shelf packages, with the right IT provision and so on, provided her with about 80% of what she needed.

I just want to be clear. You have to have the right balance in order to enforce people’s rights in having their data protected. You also have to have certain good practices that are in place there. If I go online, I want to know who I am dealing with and I want to have clear and very simple information. I don’t know how many people read privacy notices now; very few do. Having said that, there are some provisions in the Regulation that could be streamlined and reduced. We are not saying everything is perfect, but what we are saying is don’t throw the baby out with the bath water.

Georgina Nelson: Just to add to that, I believe Microsoft said that they fully support the data subject rights that are being provided for in the provision. I do not think there should be any fettering or mitigation of those rights due to administrative burdens. It is getting that balance right, and obviously any administrative burden which is superfluous to those rights should be lightened.

For me, from the MoJ consultation, there has been this focus on the shortterm administrative burdens. I would just like to say a couple of things on that. First, what we are looking at is a piece of legislation that, like its predecessor, is probably going to be around for 20 to 30 years. I understand the economic climate of today, but how many economic cycles is this piece of legislation going to outlast? Indeed, by the time it is probably implemented, we will probably be out of the current one. I think perhaps we need to take a bit more of a long view.

Also, if we start thinking about technological changes as well, when this piece of legislation about the Data Protection Act that we have was drafted, Mark Zuckerberg was in primary school and Facebook hadn’t even been thought of. If you think about how quickly processes have changed within five years, what we are putting in place is going to last decades, and who knows what technological and societal shifts will be in place by then? While there may be costs in terms of compliance because, yes, there are new rights and, yes, there are greater protections and the current businesses of today may have to pay to enforce those or to allow them, those shortterm costs have to be looked at in a far bigger societal picture.

I would also like to say that, in regard to these burdens, if we can twist that around and think of the benefits to UK plc, if you look at BIS’s mydata business proposal, you will see that they talk about a huge explosion of innovators and entrepreneurs-these companies who are going to learn how to guide consumer choice and behaviour on their data.

The Regulation is trying to open up this very competitive market of personal data so that it is not sat on by the few big players but it can be utilised by everyone for the greater good, whether that is business or consumers. That is really important to bring into the economic analysis; it is that future scope.

Also, with regard to SMEs, the evidence previously was that at the moment cross- border trade is not something that they engage in, but obviously this is because it is hugely complicated. They probably can’t afford the legal advice and the benefits don’t justify the pain in getting there. But, if we do move towards this harmonisation, they will then hopefully have the confidence and it will be a far easier procedure to open up a whole new market for them, and then again you would seek to reap the benefits.

Finally, just building on Anna’s point about enhanced consumer trust, the OFT recently did a study where they asked consumers whether they engaged online. 6.27% said they didn’t; they had never provided their personal financial details because of their privacy and security concerns. If you twist that on its head, that means 2.64 million of UK consumers don’t engage online, and that is a loss for ecommerce business of £2.48 billion. Again, that is something we should look at in the longterm for this proposal.

Q62 Mr Buckland: Looking at the Regulation, in particular at Article 17, which is described in the headline as "the right to be forgotten and to erasure", it is interesting to note that in the body of the Regulation that phrase "right to be forgotten" is not used at all and we are back to the right to erasure, which is a preexisting right under the old provisions. Do you think the "right to be forgotten" is a helpful term or do you think it is just a slogan?

Anna Fielder: I will start and Georgina will continue. If you look at Article 17 in detail, it is a bit more than just the right to erasure. It mentions the grounds on which permanent erasure is possible, including the right to object. It also has a provision of endeavour on the part of the data controller to inform third parties about erasing data. So it is a bit more than just the right to erase. Therefore, it needs to have an adequate title to denote that. It is aimed mainly at social networking and social sharing sites like photo sharing, video sharing and so on, and it is quite specifically aimed at that. The third party provision is one of endeavour. It tells them to try. What they have to prove is that they make a good stab at it-not that they actually did it.

Q63 Mr Buckland: Yes. They have to "take all reasonable steps"; that is the phrase.

Anna Fielder: Yes, exactly. Also, I have just two more points to add. One is that, if you look for example at social networking sites like Facebook, they have contractual agreements with IAP providers, and these contractual agreements include privacy provisions. If they have contractual provisions with all these companies, they can easily notify them or try to notify them of the need to erase.

One caution I wanted to add in this is that we would be concerned about how this affects intermediaries like search engines, because there is other legislation-the ECommerce Directive-which excludes them from liability when they are mere conduits of data. We would like that preserved; we would not want net neutrality affected at all.

Georgina Nelson: We support the move in regard to the "right to be forgotten" and its obligation on third parties. One problem that we see for consumers online is that, if they do tick that box, for example, to third party marketing, they find that their details have been passed, in some of our investigations, to up to 2,000 different companies. At the moment, if a consumer wanted to contact them, they would have to contact that original company and say, "I am making a subject 7 access request. Please tell me all the other companies you pass my data to." Then they would get the list back and they would have to go through each of those parties. This is proposing that the obligation is on that data controller to notify them, and we think reasonable effort is perfectly justifiable in that scenario.

Looking at public dissemination, I know there has been a lot of talk about how it is impossible on the internet because things are viral and things happen so quickly. We obviously understand the limitations of that and we are not saying that we should expect 100% erasure in those scenarios. But, likewise, on a website you are going to have terms of service with your users. If you are a social networking site, you also have terms of service with your account holders. It should not be too much of a jump to say in those terms of service you have, if there is a notification on this website that someone has-whatever it will be called in the future-exercised their right to be forgotten, then you need to do the following steps and we expect that of you. I would hope that the big noise about the impossibility and the costs could be possibly broken down into easy, possibly legal solutions through those contracts.

Q64 Mr Buckland: There is a danger, isn’t there, that "all reasonable steps" could be interpreted in a restrictive way? Providers could say, "It is just not possible for technical reasons to do more than we are doing."

Georgina Nelson: Yes. The focus needs to be on efforts rather than the results. There needs to be some elaboration on the right as it currently stands so that people clearly understand their obligations and guidance is provided on what they would expect in those scenarios.

Q65 Mr Buckland: It is not an absolute right; it is a qualified right to be forgotten.

Georgina Nelson: Yes.

Q66 Mr Buckland: There are exemptions, as you say, set out in Article 17(A). Do you think the term is helpful or misleading?

Georgina Nelson: Our general position is that, if we can find something that wouldn’t lead to that sort of consumer expectation of a wholesale full right, then that would be great. Maybe we can get our marketing team on it.

Q67 Mr Buckland: Putting aside the legal difficulty, there are technical difficulties, aren’t there, in being completely forgotten by a data holder?

Anna Fielder: Just to sum up, we are not married to the name but we are married to the extra provisions. Yes, if the Which? marketing team devised a good name, that would be great.

Q68 Chair: But if you have a long record of defaulting on your credit that is not something that you are entitled to have forgotten, is it?

Georgina Nelson: I don’t think that would be included in the exemptions.

Anna Fielder: Yes.

Q69 Mr Buckland: We have a number of exemptions: for example, public health, scientific and statistical and historical research purposes, and freedom of expression. They are quite wide derogations, aren’t they, which can be interpreted widely, it seems to me, unless I am getting that wrong?

Anna Fielder: Yes. The focus of that Article is exactly as Georgina said-on certain circumstances-and all the derogations ensure that situations that need not be are not.

Q70 Mr Buckland: Can I just move on to another subject, which is the right of access to the data subject and how that is to be policed? There are issues, aren’t there, about what would be regarded as vexatious or repetitive applications and the potential of, for example, a £10 charge being made? The Government seem to resist the idea that, no matter who the subject, there should be unrestricted access. What is your view as to the position of any charge in certain circumstances?

Georgina Nelson: A charge exists at the moment; a company can make the £10 charge for consumers. From Which?’s own experience, when I first arrived, that was the system in place as standard and we removed it. We didn’t suddenly see a flood of subject access requests hit us. I would question this call from business that, "We are going to be inundated. These are the costs that we’re going to experience." I would actually question that. When we have done a recent poll on this area, only half of people knew that they had the right; only 7% had ever exercised it, but 76% thought it was completely unacceptable for a company to charge them for their information. It is showing, again, that times are changing and the days have gone of writing out a cheque and sending it in the post to a company to get a lever arch file of their photocopies of screenshots.

If you look at what mydata is trying to do, one of its big aims is moving subject access requests into the 21st century. The raison d’être of that is that they will be free, and so we have to move away from this. It is a barrier, effectively, which companies want, and that barrier will be provided by the exemptions within the Regulation around "manifestly excessive", so they will still have that caveat and getout. For the majority, it should be free. Around "manifestly excessive", that is going to be decided in a delegated Act, and I guess from our perspective we would just be concerned that it wouldn’t be a loophole for companies to refuse subject access requests. We just want a tightening up of what that actually means.

Anna Fielder: I had an example. My husband had his ID stolen. Somebody opened a bank account in his name and started ordering goods from various catalogues and so on. I know the law really well. It took me six months, and in subject access fees about £200, to access all the companies that had wrong records. Imagine an elderly vulnerable person who doesn’t know the law, having to do that individually with every company. It just wouldn’t be possible and it would be excessive as well in terms of charges. There are concrete examples-ID theft is a huge problem in this country as well-where we need specific, good measures to make sure that people can access their records and correct them.

Chair: Thank you very much indeed. You have both given us very interesting evidence this morning and we are very grateful. Thank you.

Examination of Witnesses

Witnesses: Françoise Le Bail, Director General, and Marie-Hélène Boulanger, Head of the Data Protection Union, Directorate-General JUSTICE, European Commission, gave evidence.

Q71 Chair: Madame Le Bail, Madame Boulanger, welcome to the Committee. We are very grateful to have your evidence today. As you will have seen from reading the previous evidence session, we are gathering evidence, ideas and thoughts about the proposed Regulation and Directive. That very sentence brings up the issue of there being both a Regulation and a Directive. Is there a risk of inconsistency between the Regulation and the Directive? One previous evidence session pointed to the fact that data is not necessarily confined to one or other sphere; it moves between both spheres.

Françoise Le Bail: Thank you very much, Chair. I would like, first of all, to thank you for leading this inquiry at this particular time, where we are trying to find the right balance for these proposals, which are very important-important for citizens but important also for business and for public powers. We very much welcome this inquiry.

To answer your question, on possible inconsistencies between the Regulation and the Directive, as you may imagine, we have discussed this internally a great deal and also with stakeholders before taking the decision to bring forward two different proposals. In fact these proposals have quite a lot in common. They have, first of all, the same principles in common. The same principles of data protection apply at the core of the Regulation, but I think the new element is that they are at the core also of the Directive, which was not necessarily the case to start with.

The second element, which is very important, is that the Directive covers domestic processing as well, which was not the case in the Framework Decision. The additional element is that the Directive, in the same way as the Regulation, is covered by the mechanism that allows data protection authorities and also the Commission to have a say if this is not respected.

In doing so, we have applied, first of all, the obligation we have under Article 16 of the Lisbon Treaty, but we have also applied declaration 21, which is annexed to the Lisbon Treaty, which says that for this particular field, which is police and judicial cooperation in criminal matters, of course specific provision should be taken. So, as I have said, there is a great deal of commonality between the two.

Secondly, in the Directive, we give to the Member States and law enforcement authorities the flexibilities that are required for exerting these powers in this very particular field. This is why you will find in the Directive a number of derogations that go with this particular field. This is also why the legislative instrument itself is different-a Regulation that does not need new transposition-and the Directive leaves a bit of leeway to the Member States to take into consideration their particular culture and also the type of legislation; I am thinking about common law in the UK.

This is the reason why, although there is a huge amount of commonality, there are also a number of elements that are different because the field itself is different. But they are part of the same exercise, which is to reinforce the rights of individuals in terms of data protection. This is also part of the exercise of stopping the fragmentation in the legislation, both in Regulation matters where we have 27 different types of legislation but also in what is the framework decision area now, where, first of all, there is a very different way of implementing these framework decisions and a very different degree of application of the framework decisions. We believe that, by presenting two types of legislation at the same time, we will fight against this fragmentation but we can also give the necessary flexibility.

Q72 Chair: When the Directive was published, you had comments of both the European Data Protection Supervisor and our own Information Commissioner, suggesting that it was a weaker position than was originally envisaged within the actual content of the Directive. How do you respond to that concern?

Françoise Le Bail: I do not think the protection is less. It is made differently and, again, it is proportionate, I would say, to this very particular field. I guess that, in the reflection of the comments you had from the data protection authority, they had the reach themselves to see one single instrument for data protection, whether for commercial data or police data, which of course would give a great degree of simplification. But, presumably, and this is a judgment we have passed ourselves, it would not have been the ideal solution for police cooperation.

Again, if you come back to the characteristic of the Directive, as I said earlier, the very principle of data protection applies through the Directive. It is the modalities that are going to be different and the derogations that are there are derogations which are of course limited but they are necessary for security and police matters, and for moving very quickly in the framework of a criminal inquiry. We felt that it was necessary for this particular field.

Q73 Mr Llwyd: What impact do you consider the proposed Directive will have on the operations of the law enforcement agencies?

Françoise Le Bail: We believe, first of all, that it will reinforce and simplify greatly the operation of the law enforcement agencies. Again, the principles will be the same, the parameters within which the Directive is implemented will be the same, and there will of course be distinctions in how it is transposed. But, again, by your position with what exists now, the principle will be the same and, again, the domestic processes will be covered, which is not the case in this current Regulation. These are, in my view, the two elements.

I will add another one, which is that, for the derogation, the Directive is planning criteria for defining this derogation. The situation you have now in the framework decision precisely is that there are no criteria for this derogation and therefore you have a very wide variety of derogations that are not based on the same principles.

Q74 Mr Llwyd: Do you wish to add anything?

Marie-Hélène Boulanger: Maybe I can just support what has been said. We believe that having more common grounds among Member States and more common understanding about which data protection requirement conditions will apply to the law enforcement authorities, especially in the framework of the law enforcement cooperation, will simplify cooperation between law enforcement authorities, will foster this cooperation and will also have an important impact on the efficiency of law enforcement cooperation.

Q75 Mr Llwyd: From evidence we have received there isn’t quite as rosy a view of things as you actually state. Privacy International, for example, considers that, in the proposed Directive, data processing principles are less ambitious and more ambiguous than in the Regulation. The rights of the data subjects are weaker; for example, transfers rules are unclear and less restrictive, and supervisory authorities have fewer and weaker powers. The question I would ask you has been touched upon but I would ask you to restate your answer if you would. What is the rationale for the proposed Directive having a weaker level of data protection compared to the proposed Regulation?

Françoise Le Bail: As you have gathered from what I said earlier, I would question the fact that it has a weaker level. Again, by putting the same principles, we believe that it reinforces certainly the protection of individuals compared with the current situation. I would agree with you that there is a clear difference between the Regulation and the Directive in so far as the Regulation goes much further, it has of course less derogation, and it has an intervention by the DPAs and the consistency mechanism, which is much stronger than in the Directive.

Again, the reason for this is the very nature of the activities we are dealing with. We believe this is necessary for police cooperation and, as I said earlier, in order to move faster in an inquiry. By the very nature of this inquiry, for example, the rights of access of an individual are of course less wide than they are for the Regulation, and this is to protect the legitimate activities of the police. It is true that, in doing that, we had to balance the willingness we had to reinforce the right of the individual, but also we had to take a realistic view of what the activities of police and security were and, while preserving the right of individuals, we put a limitation by comparison with the Regulation.

Q76 Mr Llwyd: Apart from the issue of derogation, why does the Framework Decision 2008 need to be replaced so soon after being implemented?

Françoise Le Bail: There are a number of reasons for this. First of all, we thought it was the right thing to do to have an overall framework for data protection. You mentioned it yourself and you pointed to the difference. Yes, there are a number of differences, but there is also an overall framework. We wanted to make sure that citizens will be protected both for a transfer exchange of the commercial data but also in the framework of police activities.

It is up to the Member States to decide if they want to implement the framework decision or not. There is no intervention from, for example, the Commission to intervene if they don’t want to do that. The report that we have issued at the time of issuing the proposal shows the discrepancies, the limits in the implementation and the variety of ways in which it is applied. We thought that it was necessary to have this overall framework.

The second element was that the framework decision doesn’t cover domestic processes. From all the contacts we had, having consulted very widely for two years before putting forward these proposals, we realised from all the stakeholders we were in touch with that it is increasingly difficult to make a distinction between the data that is domestically processed and the data that is not. For the enforcement authorities themselves, this has become a great difficulty and, paradoxically, it has become an admin burden to make this distinction. We thought, having consulted widely, that this was the time to include domestic processing in it, again to create consistency in the overall regime in the same way it is done for the Regulation and, for that matter, for the current Directive. This is the reason why we wanted to do that.

The third reason was to be able to make this protection of citizens-in the framework of their data-a reality, which means that, if it doesn’t happen, there is a right of intervention by the Commission in the framework of its infringement powers to intervene if the Member States do not apply the Directive or do not apply it in the right way.

Q77 Mr Llwyd: Why was the domestic processes element not central to the 2008 decision? Why was it not considered? Why was it not realised then? It is a fast-moving area-I understand that-with new technology, but surely regard should have been had to these issues before 2008.

Françoise Le Bail: 2008-maybe you can answer.

Marie-Hélène Boulanger: I was not there either, but, regarding the domestic processing, the framework decision is also a preLisbon instrument, which means that the way it was adopted to reflect the consensus of all Member States and the European Parliament was not involved as it would be for the Directive in the same way as the Council. I was not part of this negotiation, but, in order to get the consensus of all Member States at that time, it was necessary to exclude domestic processing. What I have been told by my colleagues who were there is that it was not a majority that was against it; it was the way to get a consensus on this text. But I cannot say more because I was not part of this negotiation.

Q78 Nick de Bois: Madame Le Bail, I was interested that you spent four years as the SME envoy, which I am sure is challenging. Bearing that role in mind, I am sure you perhaps understand some of the reservations of UK small business, the Federation of Small Businesses and indeed some of the larger businesses, about the perceived burden and cost as a result of the proposed Regulation. Is the prescriptive nature of the proposed Regulation entirely necessary to ensure the EUwide harmonisation or could you not have done it as an updated general Directive as being a better approach, perhaps avoiding what many people feel would be an onerous burden?

Françoise Le Bail: As you said, for four years I was the SME envoy for the Union, which was a very interesting job and which gave me an insight and understanding of how a company works. It is true that, when preparing for this Regulation, we had extensive contact with the business community and, in particular, with the SME community.

The first thing that the SMEs told us was, "What is a problem for us is fragmentation. If I am an SME and I have to deal with 27 different legislations in terms of data protection, it is awful. It is simply awful. I cannot cope with it because I don’t have a legal service, I don’t have people who are able to follow this." The first thing we are doing for SMEs is to stop this fragmentation. We will stop this fragmentation by one single law. This is a huge benefit for an SME because, for a big company, in a way they can cope; they have legal services. But this is absolutely huge.

The second element for SMEs, which is very beneficial, is that they have to deal with one single data protection authority. They don’t have to look at which data protection authority they should knock at the door of; they will have only one data protection authority to deal with. This is a huge benefit. We believe that, taken together, there will be a benefit of 2.3 billion in savings from having this harmonisation.

Of course the question is what are the obligations you put in this Regulation which are going to be detrimental to the SMEs? Believe me, we really worked on this question. I would like to point to a number of elements that are seen widely as administrative burdens for companies. The first one is the data protection officer. We say, if you are a big company with more than 250 employees, then you need a data protection officer. But, if you are a small company, unless you specialise in dealing with very sensitive data, you do not need one. I can tell you that I dealt with that one personally. If you take Germany, for example, if you are a company with 10 employees, you need a data protection officer. Of course we discussed this question very openly. Should we say above 10 employees that you need a data protection officer? We took the right decision, which is to avoid the obligation of having a data protection officer if you have less than 250 employees.

Q79 Nick de Bois: May I ask you a question on that point specifically? I initially think that it is a very welcome idea to limit it by the number of employees, but, if you dig deeper, wouldn’t it perhaps be more effective to look at the sensitivity of the data that the organisation is handling, whether it is 10 employees or 1,000 employees?

Françoise Le Bail: It is a possibility. I will be very clear with you: it is a possibility. We chose the European definition of an SME, which is 250, for simplicity. Everybody knows the definition; either you are above or below. It was for reasons of simplicity. But, again, if there are better ideas to reduce the burden for SMEs, we will look at them, because one of the essential elements of this Regulation was to take into consideration the admin burden. So we are prepared to look at it; if there is a better idea, if it is as simple, why not?

Q80 Chair: Why should you specify that there needs to be a data protection officer if, for example, a company feels it is a much better system to have 10 heads of department, all with data protection responsibilities on a scale, depending on how much their section handles? Surely your interest ought to be in the outcome and not in the procedure or the structure.

Françoise Le Bail: We specify data protection officers again for big companies because, from the consultation we had, we gathered that most big companies already have a data protection officer. The only difference is that, sometimes, somebody is only doing that and sometimes it is a member of the legal service doing something else. This is the information we collected. It seems to us that, to have one point of reference dealing with data protection for the company, wherever they are organised, means they can liaise and coordinate all the services, and all this is up to them, not to us. But to have one point of reference-one person who can be the contact point, for example, of the data protection authority and the Information Officer in the UK-would be a simple solution. This is why.

Q81 Nick de Bois: I have just one point on fragmentation, if I may. Because member Governments can deliver much of the detail through the Directive, do you not feel that your goal of the level playing field-which is the European dream, and I fear I am sceptical of its ability to deliver that-is a threat to achieving the fragmentation you are trying to avoid?

Françoise Le Bail: Certainly for trade data, the problem is all through Regulation. Again, it would have been much simpler to have a Regulation for the police data, but, because of the sensitivity and the particularities of this field, we took the view that it wouldn’t have been efficient. We need to leave the flexibility to the Member States, which is within a framework, again, which has principles, which is a commonality of rules, which are criteria, which are much more precise than the framework decision. So we moved a step further and we reduced the fragmentation to a degree, less than in the trade field, but we did that because of the particularities of police data.

Q82 Mr Buckland: Can I turn to Article 17 of the proposed Regulation and the "right to be forgotten" issue, and in particular to Article 17(2) where it is enjoined that the data controller should take all reasonable steps, including technical measures in relation to data for which they are responsible, to inform third parties and so on? How would you regard that test of "all reasonable steps" to be met? In what ways do you think it can be met? In other words, what does "all reasonable steps" mean, in your view?

Françoise Le Bail: First of all, I want to point out that we chose to put that in Article 17, and we chose to do that because we did not want to make it an impossible task. This is very important to keep in mind. First of all, the right to be forgotten that we are proposing now is making something more precise that exists already in the current Directive, and it is also answering the claim of these citizens who have been vastly put at a disadvantage because of wrong information about them. It was very prejudicial. So we wanted to go a step further.

The second point I want to make is that this obligation is very different whether you are an individual or a controller. It is true that for the controller they have to go further. They have to inform, for example, the search engines and all this to a possible, reasonable extent so that this is deleted. They must prove that they are making a real effort, but we are not asking them something that is impossible to realise. That was also taking into account the current technology.

Q83 Mr Buckland: The burden will be on them to prove that they have taken all reasonable steps.

Françoise Le Bail: The reasonable steps.

Q84 Mr Buckland: Of course, putting aside the legalities, there are some technical issues, aren’t there, about the right to be forgotten? How feasible do you think it is for this particular right to be applied to the extent that data can be permanently deleted from the internet?

Françoise Le Bail: There is no guarantee of this and this is why we said "all reasonable steps". The message we want to pass to these big companies that are running these social networks and search engines is that they need to demonstrate that they are making a real effort. We cannot exclude it resurfacing at some stage, but we would not like them to say, "Not for us. This is nothing to do with us".

The final solution is that they have to participate-this is an element I would also like to underline-in creating trust in the internet. Creating trust means that you can have an influence on it-an influence which is not rewriting your life but an influence on these things that are on the net that you have not posted yourselves or you have posted at an age when you were not conscious of the damage it can do and you want to see it disappear. It is a very important element for trusting the internet.

Q85 Mr Buckland: Can I move on to another subject that is somewhat related? It is the right of the data subject to access information. The proposed Regulation would make subject access requests free of charge. There are some issues, are there not, at the moment about whether or not the continuation of a fee should be applied by certain businesses or organisations? Taking as the principle that there should be free access, do you think there are circumstances in which requests could be refused and, if so, what do you think those circumstances should be?

Françoise Le Bail: First of all, the right of access is a fundamental right; it is part of the fundamental rights that should exist. We have looked at what exists in the Member States and again it is a very varied picture. In some Member States it is free; in other Member States it is not. We believe that for simple access it should be free. At the same time we say in this Regulation that, if the demands are excessive or repetitive, you can put a fee on this. You will have seen also that we say that, if necessary, there will be a delegated Act from the Commission in order to make sure that the conditions are not too different from one member state to the other.

I would like to draw your attention also to Article 21. You see in Article 21 that the Member States, by law, can find conditions or limitations to all this. Article 17 is covered by this. I am saying that, but I am also saying that Article 21 doesn’t allow you to do anything you want as a member state. Of course there are limitations, and the limitations we put, if I remember well, are the reasonable conditions of a democratic country. They have to be a necessary and proportionate measure in a democratic society, but there is a degree of flexibility there that can be explored, and the question of a fee is also something that is discussed very much with Member States currently in the negotiations that will lead to the adoption of the Regulation.

Q86 Mr Buckland: Would I be right to draw the analogy between, let us say, the European Convention of Human Rights, where a general right should be interpreted widely, and derogations to those rights or qualifications, which should be interpreted more narrowly?

Françoise Le Bail: Exactly.

Q87 Mr Buckland: Would that be fair?

Françoise Le Bail: It’s a fair description.

Q88 Mr Buckland: Finally, dealing with enforcement and fines, the proposal under Article 79 is, of course, to impose fines of up to €1 million or 2% of the annual worldwide turnover of an enterprise. Do you think there is enough room within the proposals to allow discretion and a differentiation to be made between, let’s say, an accidental infringement and a deliberate infringement, because there is a difference, isn’t there, between the two? Do you think there is enough discretion to allow an enforcer to make that differentiation?

Françoise Le Bail: First of all, for the first time we are proposing fines that matter, which make you think twice, because we deliberately decide not to respect the Regulation. That was very important because the fines that exist now currently in Member States are minimal and you can ignore the Directive-it doesn’t matter-or the national law that implemented it; it doesn’t matter.

You will also see that in the fines we are proposing there are steps to be taken. If you forgot about it, you didn’t remember the provision and didn’t do it intentionally, you get a warning, if I remember correctly. Then, if it is a repetitive pattern where it starts to become obvious that you intentionally don’t respect the Regulation, these fines are implemented to the full. We realise that it may happen; by mistake or ignorance you don’t respect the Regulation, but after a while it is a pattern and then we apply it.

Marie-Hélène Boulanger: May I add something to this point? If you look at the provision purely from a legal point of view, you will see that, with regard to your question, "Do we take into account the character of the breach?", there is a clear requirement to take into account the nature, the gravity, the duration of the breach, the intention and the negligent character of the infringement and so on. This is in paragraph 2 of Article 79.

Then you have paragraph 3, which Madame Le Bail just explained, where you have the situation of an actual person without commercial interest and also of a small and medium-sized enterprise. Then, if we go to the other paragraph, it is a maximum. It is "up to". So there is a margin for discretion in the way you apply the fines.

Q89 Mr Buckland: That is very helpful. I take that point; thank you.

Françoise Le Bail: Can I also say, if I may, that I sometimes see in the analyses which are made by the Member States that the amount of the fines is taken into account when analysing the admin burden? We take the view that the fine is not an admin burden because if you respect the law there will be no fine.

Q90 Mr Buckland: It is a penalty; it is a punishment.

Françoise Le Bail: It is a punishment; exactly. So it is not part of the admin burden.

Q91 Chris Evans: We have heard today about future technology and how rapidly technology is going. At the moment the Regulation is in place. However, we are living in a world that is moving ever forward, and we have already heard evidence that Facebook and Twitter were unheard of 10 years ago. Do you think the Regulation, as it stands at the moment, is in tune with the standard of technology we have?

Françoise Le Bail: First of all, one thing we wanted to do when designing this Regulation was to make sure it will be technology-proof, which means that the Regulation, as it is, can apply not only to the technology as it is now but will apply to new developments. We know the cloud; we don’t know what will happen afterwards. It will happen and happen fast. We believe that the provision of this Regulation can apply to all these developments. One of the reasons why it applies to this, and it can apply to future developments, is that this Regulation, although some of you think it is very prescriptive, in fact leaves flexibility in the form of delegated Acts. We have two options: whether we were describing it in great detail, including all the fields of technology we were putting in the Regulation, or we were giving the possibilities for adjusting to future developments. We have done so. The Regulation is technology-neutral and it leaves the possibility in a way that is being discussed with Member States. It is not that all Member States see with great enthusiasm delegated Acts for the Commission, but we leave this possibility to adjust to future developments.

Q92 Chris Evans: I find that very presumptive, to be honest with you. We don’t know how technology is going to develop. At the moment the Regulation has 26 different provisions. Microsoft have come and seen us and told us they think that is just way too many. Having sat on other Bill Committees-for example, the Defamation Bill Committee-I find it difficult to understand how you can frame a Regulation which takes account of something you have no concept of at the moment, like people may have done 20 years ago. It seems to me absolutely impossible and it just seems a complete misnomer having 26 provisions. What are you actually trying to prepare for in the Regulation? I do not see the intention in that at the moment.

Françoise Le Bail: First of all, we had an intensive discussion with Microsoft. Let’s be clear on that. Overall, Microsoft, to name it, are publicly very supportive of what we are doing. We are making their life much simpler by having only one Regulation by imposition with the 26-

Q93 Chris Evans: If I can stop you there, they have said that essential elements should be dealt with in the Regulations themselves and not with secondary law making conferring power on the Commission. What are your views on that?

Françoise Le Bail: If we fix everything in the Regulation, we then give a huge amount of rigidity to the Regulation and then there is a high risk that it will not be appropriate any longer for this future technology development, which can happen any time. So we choose to leave some flexibility there in order to be able to adjust. Leaving it to secondary law, it is not that we are doing this without any control. For secondary law, we do that under the supervision of both the Council and Parliament. So it is not that the Commission itself is going to decide what is going to happen on these matters. Secondary law as well will respect all the provisions of the Regulation. But the choice was either to put everything in great detail in the Regulation or to leave flexibility. We chose to leave flexibility.

Q94 Chris Evans: But my point is that you don’t know how cloud computing is going to develop; you don’t know how international data transfers are going to develop. What you have is a very complicated Regulation with 26 provisions conferring power on the Commission. It seems to me that, if you have a piece of technology that comes across that you have not accounted for, which we have seen developed in the last 10 years historically-and the pace of technology is only going to get faster in the future-you will have a Regulation that is quickly going to become out of date, you have 26 complicated provisions and you can’t deal with them. You are going to be sitting here again in five years dealing with something you should be sorting out.

Françoise Le Bail: The best example to take is the cloud, which is now being developed and is the latest technology that we know of. In fact, this Regulation will apply to the cloud without change. It is cloud-compatible, and we believe that this Regulation is any- new-technology-compatible, because there are provisions, in spite of what you believe, which are not in that great detail because there are elements of flexibility. Doing the opposite will destroy this flexibility, but maybe, MarieHélène, you want to add something on this.

Marie-Hélène Boulanger: I want to go in the same direction exactly, just to say that this Regulation does not regulate technology as such. It establishes principles and safeguards conditions for fair processing. This is something that was already the case in the old Directive, but some elements became outdated. We have based this on new technologies and anticipate as much as we can new development, but it is still based on principle, responsibility, rights and so on. There is no Regulation as such of the cloud, for instance, but there are provisions on the transport of data flow, processing of data, and making use of the processor to process personal data.

Q95 Chris Evans: That is not the point I am getting at. What I am getting at is that there has been technology developed in the last 10 years that has challenged the way the data is held at the moment. I can think of two examples straightaway: Facebook and Twitter. But what if you have technology that comes along which challenges how data is now held and the Regulation could quickly become out of date? That is what my fear is.

Marie-Hélène Boulanger: Exactly what has been explained. The basic principles are there: what you can do and how you can process personal data, based on key principles. Then you have a lot of mechanisms in this text that will support the fact that the text is future- proof. One element that provides legal certainty is that you can go with a delegated Act and it is a way to supplement the text with nonessential elements and provide legal certainty.

But there are other mechanisms. There are a lot of other mechanisms, including the code of conduct and the guidelines to be provided by data protection authorities all together at European level. These guidelines will help to provide guidance on how to apply this principle to new technological development and so forth. There is no Regulation of the technology, so I don’t really see the risk of having this text outdated very quickly because the right of access will remain valid even if there is a new technology. It will still make sense for the data subject to get access to his own personal data.

Chris Evans: I am sorry; I am just not convinced. I have no further questions.

Q96 Jeremy Corbyn: Thank you very much for coming to give evidence to us today. Are you confident that either the EU itself or Member States have sufficient resources to implement and monitor these proposed Regulations?

Françoise Le Bail: In the EU Regulation we ask the Member States to make sure that their data protection authorities are staffed with the right amount of people and also have the necessary financial backing. The picture we have around the EU is of course very different from Member States to Member States. You have a very strong data protection authority in the case in point certainly in the UK, and you have other Member States where it is much weaker. Therefore, we request Member States in the Regulation, and this is an obligation to make sure they have both the necessary finance and staff. The reason for this is that the data protection authorities will have to continue the work they are doing now, but they will also have to participate in the consistency mechanism, which is, in a way, finding a common definition or common position on an event that can take place or a new development that can take place. Google’s review was a case in point, and so we have this consistency mechanism that we have to take part in.

The second aspect of things is that, in a way, they are going to be relieved from a number of things they are doing now. I am thinking, for example, of notifications, which they will not have to issue at this particular stage. But, to be sure of this, we have launched our own inquiry and sent to all the data protection authorities a request for their own assessment of their situation, taking into consideration the implementation of the future Regulation and Directive and their assessment of the amount of people they may need and necessary finance. I must say that the main problem there is of course in new Member States, which have not had data protection authorities in place for very long, by imposition with other Member States.

Q97 Jeremy Corbyn: Isn’t there a danger that, since the internet is obviously universal, a member state with a very weak supervisory regime could become the centre of all kinds of intrusive abuses of data protection? What powers and particularly what resources do you have to ensure that there is some degree of uniformity across the whole of the EU, because without that uniformity the Regulations are pointless?

Françoise Le Bail: Absolutely. First of all, there is this obligation that these Member States have, and then, secondly, the cooperation that is going to take place between the data protection authorities. Let’s imagine, for example, that there is a huge problem in a particular member state. The other data protection authorities can raise it in the framework of the European data protection board in the same way that the Commission can raise it, and there can be a cooperation that can be put in place between the strong data protection authorities and the weaker data protection authorities. But the objective is clearly to have a proportionate level. It has to be proportionate. Of course it is not going to be the same in Estonia as in the UK. It has to be proportionate, but there has to be the necessary level of staff and finance. That is the objective. Maybe you can add something.

Marie-Hélène Boulanger: If you look at the text in detail, you will see that there are a lot of what I would call safety measures in the provisions around Articles 15 and 16 to avoid that risk. In addition to what Madame Le Bail just explained, we also have the fact that there are French and German investigation teams. As the data protection authority of one member state, if you feel that the authority in charge does not have enough staff to deal with the specific case, you have the possibility to send your own staff in support and the competent data protection authority for the specific case cannot refuse the support if there is cross-border. That is one of the mechanisms. There are many other mechanisms like that. A data protection authority can take urgent measures, with specific requirements and so forth. There are many possibilities to ensure that there are no discrepancies between data protection authorities. In addition, the European Commission always has the possibility to intervene in such cases.

Q98 Jeremy Corbyn: Two quick points from me before I finish. Does the Regulation affect the EU’s own considerable storage of data on many issues, including individual information across the EU? Secondly, what consultation have you had with the European Court of Human Rights on the compatibility of the European Convention on Human Rights with these Regulations, particularly in relation to Article 8?

Françoise Le Bail: Let me start by dealing with the second question on the convention. We are of course in very close contact with the Council of Europe on this and we are in the process of requesting a mandate of negotiation from the Member States to take part as a Union, as must be the case now, in this negotiation. But we want to make sure of the compatibility of the new Convention 108 with our own development inside the EU. It doesn’t mean that the convention will go into the same degree of detail, for example, than our own Regulation for obvious reasons, because there is a big variety of members of Convention 108 and it is a very different obligation from the Member States. But we want to make sure that there is no incompatibility. There are a number of questions we are currently discussing with them-for example, the notion of adequacy, which is a bit different, or at least the modality would be different. We are discussing that with them; I am sure we will sort out the problem, but very closely. What about the first question, MarieHélène?

Marie-Hélène Boulanger: On the first question, this package as such does not cover EU institutions and bodies, agencies, the European Commission, European Parliament, and Council. You have to see that in a broader perspective. Also, before this package was presented the year before, at the end of 2010, we had a communication where we made it clear that we would present the necessary instrument to have the complete set of rules. The idea was to start to discuss with the colegislator to have this principle agreed, and, when there is a clear orientation about where we should go and what the adaptation is of this principle, the Commission should come with a new legislative proposal to complete the package and to cover EU institutions and bodies. That is the logic.

Q99 Chair: Going back to the issue Mr Corbyn raised earlier, when we had our own Information Commissioner Chris Graham in front of us last week, he said that even minimal compliance or compliance with the minimum required would increase the costs of his office by 56%, and what he thought of as more satisfactory compliance could be as much as an 187% increase in his resources, which he confidently expected that the Government would not be providing him with. This is quite worrying, given that ours is one of the better funded information officer setups in the European Union.

I don’t know whether you have seen that evidence or whether you will now be considering that the whole process is going to be too expensive, because along with that went his view that, if adjustments were not made, he would end up spending a lot of his resources on details of structural compliance rather than pursuing serious failure and giving appropriate advice.

Françoise Le Bail: First of all, we don’t know these figures yet. I am sure he is going to transfer them to us and we will look at them, together with the assessment of the other data protection authorities as well. My first reaction is that it seems a huge amount. Certainly, in the reflection we have had, we never envisaged that it would be as much as that. So we need to have a look at these figures in detail. My guess is that it will be much less.

Secondly, when he says, for example, that he will need to look at details, dealing with every single complaint that the Regulations, they believe, oblige them to do, this is a subject of discussion among Member States. This is also the subject of discussion with the data protection authorities because this is a remark they have made. They say there are too many cases to deal with; we will be submerged and we cannot, as we do now, concentrate on the main cases. This we are discussing and we are confident we will find a solution for this. So be aware that we are engaged in this process with Member States, DPAs and national Parliaments, and we are gathering all information that we have. But, coming back to the figures, they seem a lot.

Chair: Thank you very much indeed for your evidence; we appreciate it very much. We will in due course be reporting as part of the process by which the UK Parliament considers this matter. Many thanks.

Prepared 17th September 2012