Privacy law will bury us under paper mountain, warns data watchdog

The UK's privacy tsar Christopher Graham has said that proposed EU legislation will bury his office in paperwork and restrict its ability to guard against serious misuse of personal data.

The UK's privacy tsar has warned that proposed EU laws, which would force companies to report every compromise of personal data to the regulator, will paralyse his office by burying it in paperwork.

The forthcoming General Data Protection Regulation will require organisations to notify data protection authorities of a "personal data breach" without undue delay and, where feasible, within 24 hours.

Speaking yesterday at the Infosecurity Europe 2012 conference, the UK Information Commissioner Christopher Graham said the proposed EU legislation would result in his office being swamped by data breach notifications, reducing its ability to focus on serious breaches of privacy.

"What I don't want is what is proposed in the new draft EU regulation, which has mandatory breach notification for every single breach, whatever its size, whatever its significance," he said.

"That's going to turn the Information Commissioner's Office (ICO) into a paper-pushing factory where we have no margin to tackle those subjects where there's greatest consumer detriment. We'll simply be processing stuff.

"You will have a slightly under-resourced data protection authority struggling through a mountain of paper. The ICO will have precious little ability to raise our eyes from the desk in order to decide what we do."

The draft EU regulation offers a broad definition of the type of data breaches that will require notification. It defines a personal data breach as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". Personal data is defined as "any information relating to a data subject".

There is currently no legal requirement for UK organisations, other than communication service providers, to notify the ICO about a data breach. The ICO advises organisations to notify it when there has been a serious breach, which it defines as a breach involving sensitive data, such as healthcare information, or one affecting a large number of people.

It will likely be at least a couple of years before the draft EU regulation becomes legally binding: it must first be debated by the European Parliament and the Council before it can be adopted, and it may then be several more years before it takes effect across the member states.

Graham added that he hopes his concerns about the draft regulation will be addressed by amendments before it becomes law.

A spokeswoman for the European Commission said that the draft regulation is designed to require notification of "serious breaches" and "doesn't mean every little breach" will need to be reported.

The draft regulation also requires organisations, in many instances, to notify the individuals whose personal details have been compromised. It states that such notification should occur "when the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject".