EU Escalates Call For Greater ICO Powers

The European Commission (EC) has asked the UK to strengthen the powers of its data protection authority so that it complies with the European Union (EU) Data Protection Directive.

The Commission said its request takes the form of a reasoned opinion, which politely describes the second stage of action under EU infringement procedures.

It said national data rules are curtailed in several ways in the UK, leaving the standard of protection lower than required under the EU rules.

UK body lacks authority, says Reding

In a statement issued yesterday, the Commission’s vice president, Viviane Reding likened the Information Commissioner’s Office (ICO), as a watchdog with insufficient powers, to “keeping your guard dog tied up in the basement”.

“EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity,” added Reding. “I will enforce this vigorously. I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules.”

Compliance would require the ICO to be granted power to monitor whether third countries’ data protection is adequate, and that these assessments should come before international transfers of personal information.

The ICO should also be able to perform random checks on people using or processing personal data and enforce penalties following these checks – a power the UK Information Commissioner has long called for, despite being granted some new powers earlier this year.

The European Commission also highlighted the fact that courts in the UK can refuse the right to have personal data rectified or erased; while it said the right to compensation for moral damage when personal information is used inappropriately is also restricted.

EC action welcomed by Open Rights Group

Jim Killock, executive director of the Open Rights Group, welcomed the EC escalation. “Data protection in the UK is weaker than it should be,” he stated. “Powers to fine and inspect private companies are vital. Nor does UK law recognise the idea of ‘moral damage’ from data intrusions, but will only punish provable financial harm.

“The new government has a great chance to strengthen UK law and make good on the coalition’s desire to protect our citizen’s privacy.”

The EC action means the Ministry of Justice, on behalf of the UK coalition government, now has two months to inform the Commission of any measures it plans to take to ensure full compliance with the EU directive.

A Ministry of Justice spokesperson told eWEEK Europe: “We are firmly committed to protecting UK citizens’ privacy and data. We are considering the Commission’s letter and will respond in due course.”

A spokesperson for the Information Commissioner’s Office said in a statement: “It is important that we have effective data protection regulation to help protect individuals’ personal information. We look forward to discussing the Commission’s detailed concerns with the Ministry of Justice and providing input into the UK government’s response.”