Europe calls for more powers for data protection watchdog | 12 August 10

COMPANIES and organisations face the prospect of random spot checks and more compensation claims after Europe called for the UK’s data protection watchdog to be given greater powers.

As of April this year, the Information Commissioner’s Office (ICO) has been able to impose fines of up to £500,000 for serious breaches of data protection.

However, experts at leading North law firm Ward Hadaway have warned that those powers could be extended still further.

Judy Baker, partner and head of data protection at Ward Hadaway, says that the European Commission has asked the Government to strengthen the ICO’s powers, allowing it to carry out random spot checks and giving individuals greater rights to pursue compensation for ‘moral’ damage when their personal data is used inappropriately.

Judy explained: “This request has come in the form of what is known as a Reasoned Opinion from the European Commission, and is the latest stage in the EC’s ongoing infringement procedures against the UK.

“It is a formal request to the UK to comply with EU law. The EC believes that the Data Protection Act, which brought in the ICO’s powers, does not implement the EU Data Protection Directive adequately: the UK rules are curtailed in several ways, leaving the standard of protection lower than required under EU rules.

“As a result, the UK now has until the end of August to inform the EC of measures taken to ensure full compliance with the EU Directive, which could significantly alter the landscape of data protection in the UK.”

The EC has cited the following limitations as needing to be remedied:

  • The ICO can neither perform random checks on people/organisations using or processing personal data, nor enforce penalties following the checks.
  • The right to compensation for moral damage when personal information is used inappropriately is restricted. Currently compensation can only be claimed where there has been some form of financial loss; compensation for distress alone is available only in very narrow circumstances.
  • The UK courts can refuse the right to have personal data rectified or erased.
  • The ICO cannot monitor whether third countries’ data protection is adequate. The EC says these assessments should come before international transfers of personal information. Currently, the ICO does not pre-approve exports of personal data to countries outside the European Economic Area; compliance is left to organisations to determine themselves.

Judy Baker said: “The EC has urged the UK to change its rules swiftly so that the ICO is able to perform its duties with absolute clarity about the rules. In its view ‘having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement’.

“If, by the end of August, steps have not been taken to strengthen the ICO’s powers, the EC may refer the UK government to the European Court of Justice.”

The prospect of random ICO spot-checks and the widening of the scope for individuals to take action over breaches of their personal data are likely to make the biggest difference to the way in which companies and organisations approach the issue of data protection.

Judy said: “The wider implications of the EU’s proposed changes are likely to be felt by organisations processing personal data across the UK.

“Coupled with the new powers of the ICO to levy fines of up to £500,000 for serious data breaches, organisations will have to take greater care than ever before to ensure compliance with data protection law.”

Ward Hadaway advises a range of organisations in the private and public sectors on data protection issues and on ways they can minimise the danger of breaches.

Judy said: “If these changes are implemented as the EC intends, organisations will be more vulnerable to actions by either the ICO, individuals or both. Organisations really need to address the issue as a matter of urgency.”
