UK Information Commissioner Elizabeth Denham has called for an international treaty on data protection to be set up within the next ten years.
"That is on the horizon, that's where we need to go if we recognise the global nature of data," Denham said during a House of Lords EU Home Affairs Sub-Committee.
She also recommended the UK applies for an adequacy rating with Europe after triggering Article 50.
An adequacy rating – described by the EU as when a third country ensures an adequate level of protection through domestic law or international commitments – would ensure the free flow of data between the UK and countries in the EU.
The requirements for meeting a full adequacy rating are stringent and in practice would probably mean the UK fully adopting the policies of the upcoming General Data Protection Regulation. It would require a negotiation between the UK government and the European Commission, because the latter is the body that grants adequacy ratings to third countries.
"There are other ways for data to flow, or agreements that could be put in place, but it's not as straightforward for businesses to negotiate binding corporate rules and standard contractual clauses," Denham, said.
Denham warned that she is a "long way from the negotiating table" but is advising the government on her field of expertise. "I do think the ministers' doors are open and we are actively providing advice," she said.
But she warned that the government must do its best to help ensure the ICO has a seat at the table so that it can influence debate over the future of data regulation in the EU.
"It's very important the government consider the ICO's place and the ICO's influence in what is going to be the European Data Protection Board," Denham explained. "Anything the government can do to ensure we have some status... if we're a third country, the European Data Protection Board is going to be an adjudicative board – it's not just an advisory board the way it is right now."
"It will make decisions about the data processing of companies and organisations that impacts on UK citizens," she said. If the ICO isn't close to those decisions, it could prove frustrating for both citizens and government, Denham warned.
Denham explained that the ICO meets with many countries outside of Europe, for instance Japan and Singapore, where their data regulation policies are less mature than the UK's – which brought in the Data Protection Act in 1998.
The ICO has created a business case and put this to government for an increase in resources over the next three years – specifically to address the complexities that GDPR might bring – and that even if Britain were to remain in the EU, international work has become increasingly important to the organisation.
"It's a global world when it comes to data," she said.
One member of the sub-committee suggested that the logical answer would be to take the lead in data regulation, and to set a "gold standard" for how these regulators might look.
The Information Commissioner agreed, and added that for public policy reasons and for individual trust, the ICO needs to be the gold standard for both regulation and enforcement. "It goes hand in hand," she said, adding that the best way forward will be to fully adopt the GDPR, put into effect the law enforcement directive, and to look towards a "unified implementation of those instruments".
"We can't have people throwing rocks at us from the outside," she said. "We have to have a very strong regime here, enforced well. Weakening the law, making it less burdensome on business, may seem attractive at the surface but I don't think a sustainable business model is a lowering of data protection regulation and practice. That's going to bite us in the long term."
0 comments:
Post a Comment