Following the publication of its “further thoughts” on the European Commission’s proposed new data protection framework, the ICO has now published an in-depth, article-by-article analysis of the proposed General Data Protection Regulation (the Regulation). The ICO pointed out that this is an important opportunity to get the framework correct, as it is likely to remain in force for many years. The paper reflected the ICO’s general concerns and expressed its opinion about some of the more contested elements of the Regulation.

The ICO reiterated the need for further clarity and expressed concerns about the number of delegated acts of the European Commission in the Regulation on the basis that use of the delegated acts is likely to result in continued uncertainly for businesses and data subjects.

The ICO emphasises that the new data protection framework should promote a truly risk-based approach, instead of focusing on the administrative detail and compliance process rather than outcomes, as it could encourage paper-only compliance. The ICO also voiced strong support for the concept of protection by design, so long as the model was principle-based to accommodate scalability and flexibility.

The ICO welcomed “the high standard of consent”, but raised concerns that some data controllers may be left without a lawful basis for processing, and criticised the unequivocal barring of consent obtained in cases of alleged “significant imbalance”, pointing out that consent can be obtained for employer-employee data processing. The ICO continues to advocate for the inclusion of “pseudonymised’ data within the definition of the personal data, but floated the idea that individuals’ access rights should not apply.

While the ICO generally supports the new right to be forgotten, the paper acknowledges that it may be impossible in practice, because data in the public domain will often be disseminated without the original data controller’s consent or knowledge, which could result in individuals developing a false belief that data is capable of being erased. Despite acknowledging the concerns regarding the right to portability’s potential impact on property rights and trade secrets, and admitting it is not a “classical” element of data protection law, the ICO welcomed its inclusion highlighting that it empowers consumers.