The European Commission has requested the UK to strengthen the powers of its data protection authority so that it complies with the Data Protection Directive. The Commission request takes the form of a reasoned opinion – the second stage under EU infringement procedures.
The Commission takes the view that UK national data rules are curtailed in several ways, leaving the standard of protection lower than required under the EU rules. The UK now has two months to inform the Commission of measures taken to ensure full compliance with the EU Data Protection Directive.
‘Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously,’ said Vice-President Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship. ‘I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.’
The case concerns the implementation of the EU’s 1995 Data Protection Directive (95/46/EC), both in terms of the Data Protection Act 1998 and in terms of its application by UK courts. The EU Commission states that it has worked with the UK authorities to resolve a number of issues, but several remain, notably limitations of the Information Commissioner’s Office’s powers:
- it cannot monitor whether third countries’ data protection is adequate – the Commission states that these assessments should come before international transfers of personal information;
- it can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.
Furthermore, courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted.
The Commission state that these are powers and rights which are protected under the EU Data Protection Directive and thus must also apply in the UK. The reasoned opinion states that the Commission wants the UK to remedy these and other shortcomings.
A spokesperson for the Information Commissioner’s Office (ICO) said ‘It is important that we have effective data protection regulation to help protect individuals’ personal information. We look forward to discussing the Commission’s detailed concerns with the Ministry of Justice and providing input into the UK Government’s response’.