The powers of Britain’s data protection authority need to be strengthened if they are to comply with the EU’s Data Protection Directive, the European Commission said today.
The Commission request takes the form of a reasoned opinion the second stage under EU infringement procedures. In the UK, national data rules are curtailed in several ways, leaving the standard of protection lower than required under EU rules. The UK now has two months to inform the Commission of measures taken to ensure full compliance with the EU Data Protection Directive.
“Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously,” said Vice-President Viviane Reding, Commissioner for Justice, Fundamental Rights and Citizenship. “I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.”
The case concerns the implementation of the EUs 1995 Data Protection Directive (95/46/EC) both in UK law (the Data Protection Act of 1998) and its application by UK courts. The Commission has worked with UK authorities to resolve a number of issues, but several remain, notably limitations of the Information Commissioner’s Office’s powers:
- it cannot monitor whether third countries’ data protection is adequate. These assessments should come before international transfers of personal information;
- It can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks.
Furthermore, courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted.
These powers and rights are protected under the EU Data Protection Directive and must also apply in the UK. As expressed in todays reasoned opinion, the Commission wants the UK to remedy these and other shortcomings.