aiming at increased accountability run a risk of leading to more paper rather

Aiming at increased accountability run a risk of

This preview shows page 8 - 10 out of 15 pages.

aiming at increased accountability run a risk of leading to more paper rather than more data protection. Current criticisms of European data protection law ‘have often focused on the formalities imposed by the Directive (or by the tr anspositions thereof)’. 26 While an important objective of the data protection reform is ‘ simplifying the regulatory environment, thus eliminating unnecessary costs and reducing the administrative burden’, 27 the reduction of some administrative burdens (such as notification) is amply compensated by the creation of new ones. Article 22 requires the controller to adopt policies and to ‘be able to demonstrate that the processing of personal data is performed in compliance with this Regulation’. Controllers are 24 See also Lee A. Bygrave, 'Data Privacy Law and the Internet: Policy Challenges', in Normann Witzlieb et al. (eds.), Emerging Challenges in Privacy Law. Comparative Perspectives (Cambridge: Cambridge UP, 2014), 259- 89, 274, 77, Christopher Kuner, 'The ‘Internal Morality’ of European Data Protection Law' (SSRN, 2008), 18 . 25 Bygrave, 'Data Privacy Law and the Internet', 288-89. 26 Robinson et al., Review of the European Data Protection Directive , viii. 27 GDPR, p. 102. Electronic copy available at:
Image of page 8
8 required to keep documentation of all their data processing operations (article 28). The Parliament and Council versions of these provisions diverge somewhat in the type of required red tape, but whatever compromise is reached, controllers will have to document what they do with personal data. Although the documentation obligation of article 28 may apply only to organisations employing 250 persons or more (but the LIBE versions stipulates it for all controllers), it may also apply to small organisations, depending on how one interprets the rather vague exception; 28 and in any case, controllers need to be able to demonstrate compliance as per article 22, which necessitates some form of documenting what they do. Will such documentation assist in increased compliance and better data protection? That will depend not only on whether enforcement by supervisory authorities will be effective a considerable challenge given a widespread scarcity of resources for DPAs to provide effective oversight over a myriad of data controllers but also on whether the act of documentation will make controllers think about what they do, and adapt their practice accordingly if they realise, when documenting, that their activities are actually not compliant with the regulation. As with the ex ante instruments, this will only take place if controllers have a data protection rationale mindset, instead of a data protection rule compliance mindset, and such a mindset, as I perceive it, is all too frequently absent even on the part of well-meaning controllers. The result will be more paper (or disk space) and more work for data protection practitioners, but not, I fear, more protection of personal data. On the contrary, filling in forms about compliance with rules runs the
Image of page 9
Image of page 10

You've reached the end of your free preview.

Want to read all 15 pages?

  • Summer '17
  • R Hernandez
  • Law, Data Protection Act 1998, The Grave, European data protection law

  • Left Quote Icon

    Student Picture

  • Left Quote Icon

    Student Picture

  • Left Quote Icon

    Student Picture