A UK parliamentary committee has recommended that the European Commission go 'back to the drawing board' with its proposals for a revamped EU data protection regime.
The Commission presented its proposals in January. It called for the introduction of tough new rules for firms that suffer data breaches, and new powers for national data authorities such as the UK's Information Commissioner's Office (ICO). The proposals also urged the introduction of a 'right to be forgotten'.
However, the UK House of Commons Justice Committee issued a report on Thursday that said the proposals were "too prescriptive" and simply would not work. This backed up what the ICO had previously said.
"The current data protection laws for general and commercial purposes need to be updated, as they do not account for the digital world," committee chairman Alan Beith said. "However, we agree with the Information Commissioner's assessment that the system set out in the draft Regulation 'cannot work' and is 'a regime which no one will pay for'.
"Therefore, we believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive."
Directive vs regulation
The Commission had proposed both a new directive and a new regulation. These are two separate kinds of legislative tools — a directive has to be turned by member states into national laws, whereas a regulation immediately becomes law in every member state.
"We believe that the Commission needs to go back to the drawing board and devise a regime which is much less prescriptive" — Justice Committee
The committee said the Commission should pick one or the other: either a regulation that guarantees harmonised laws across the EU (which is largely the point of the new data protection rules) while leaving compliance enforcement up to the ICO and other national watchdogs, or a directive that loses some of the harmonisation benefits but allows member states to make the new rules consistent with their own laws.
"We are concerned that the approach taken by the European Commission, introducing two instruments, will lead to a division of the UK law, set out in the Data Protection Act," the report read. "We believe that this could cause confusion, both for data subjects, and for organisations within the criminal justice system in particular, as they will have to consider which law applies in their given circumstance."
The committee also said that it agreed with the idea behind the 'right to be forgotten' but not that term itself, which it said "could create unrealistic expectations, for example in relation to search engines and social media". This appears to suggest the committee has a different interpretation of the concept to the Commission, which has been very clear that the new right would apply to search engines and social media.
ZDNet has attempted to get a response to the report from the Commission, and is awaiting its reply.