Thursday, 24 June 2010

Commission to UK - fix your inadequate data protection laws

The European Commission thinks that neither the UK Data Protection Act 1998 nor its application by the UK courts properly implements the requirements of the EU Data Protection Directive, and in a "reasoned opinion" to the UK (the second stage of EU infringement procedures) they've asked the UK to remedy the shortcomings.

If the UK doesn't comply within 2 months, the Commission could refer the UK to the European Court of Justice. The Commission had previously tried, in October 2009, to take the UK to task over privacy and data protection, specifically on the interception of electronic communications like email, but nothing much seems to have happened on that front. So who knows if something will happen on this. (The UK aren't alone: the Commission are also unhappy about Finland allowing taxpayers' personal data to be effectively public, and to be bought and sold on and on and on - you thought the UK DVLA were bad…?)

The Commission press release 24 June 2010 said (emphasis added):

"…In the UK, national data rules are curtailed in several ways, leaving the standard of protection lower than required under EU rules. The UK now has two months to inform the Commission of measures taken to ensure full compliance with the EU Data Protection Directive…

The Commission has worked with UK authorities to resolve a number of issues, but several remain, notably limitations of the Information Commissioner's Office's powers:

  • it cannot monitor whether third countries' data protection is adequate. These assessments should come before international transfers of personal information;
  • It can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.

Furthermore, courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted.

These powers and rights are protected under the EU Data Protection Directive and must also apply in the UK. As expressed in today’s reasoned opinion, the Commission wants the UK to remedy these and other shortcomings."

"Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously," said Vice-President Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship. "I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement."

I've mentioned before that I think the main reason why PETs are not used is because regulators can't monitor systems properly for security or other issues, and can't make data controllers use "privacy by design" technologies, so this is an interesting development. We'll see whether the UK does let the dogs out!

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.