The Ministry of Justice have published a summary of the responses to their consultation on European Data Protection proposals. On the issues we raised around Internet Identifiers, Breach Notification and Cloud Computing there seems to be general agreement with our concerns.
No one else seems to have mentioned Incident Response specifically, but there was a suggestion that expanding Subject Access Requests to cover IP addresses (a consequence of the expanding definition of “personal data”) might let cyber-criminals find out when their attacks have been discovered by making SARs in respect of significant IP addresses. It’s an interesting idea – I suspect I’d be particularly keen to ask for proof of identity if I were ever to receive one of those 😉
On Internet Identifiers:
Most respondents commented on the ambiguity of the definition of personal data, when coupled with Recital 24 which states that: ‘identification numbers, location data, online identifiers or other specific factors…need not necessarily be considered as personal data in all circumstances’. Most Respondents from the legal sector have asked for clarity as Recital 24 seems to contradict Article 4 and could lead to legal uncertainty as to when and for whom information is, or is not, personal data.
On Breach Notification:
Many also expressed the view that 24 hours is an over-ambitious window for data controllers to investigate a possible data breach, which could involve data forensic officers and other third party organisations providing intelligence into the nature of the breach. These respondents felt that 24 hours is simply not enough time to determine if a data breach has occurred, and if so who was involved and the scale of the breach. Overwhelmingly, respondents have asked that the Regulation adopts the use of ‘without undue delay’ rather than ‘not later than 24 hours’ as an approach to responding to data breaches.
Finally, one of the reoccurring themes in responses to the Call for Evidence has been the emergence of cloud computing and the potential threat that the proposed Regulation brings to innovation in this area of technology. Various respondents argued that, as it stands, cloud computing represents a new and economically viable way of processing data in any part of the world. This means it has become easier for countries outside the UK’s jurisdiction to process data belonging to EU citizens. Respondents have suggested that by introducing a prescriptive Regulation, the EU runs the risk of hindering a generation of technological innovators.
The majority of respondents welcomed the new derogation for transfers which are necessary for the purposes of the legitimate interests pursued by the controller or processor where the transfers are not classed as ‘frequent or massive’ (Article 44(1)(h)); however respondents asked for a clearer definition of ‘frequent or massive.’ Respondents, especially those who represented Cloud computing services, asked that the proposal take into consideration the sensitivity of the personal data being transferred, rather than purely the quantity and frequency of the transfer.