So, after an inordinate and unexplained delay from Royal Assent of the Criminal Justice and Immigration Act 2008 (8 May 2008) until earlier this month, the Ministry of Justice has finally published a consultation document on the maximum monetary penalty it considers should apply to the new powers at ss. 55A to 55E of the Data Protection Act 1998, once these sections are brought into effect: £500,000.
What perhaps will be more interesting is how the Information Commissioner will use his new powers to levy monetary penalties. Draft guidelines have been published.
Could the judicious use of these powers engineer effective data subject access to personal data? We will write this up as an article, hopefully for the journal Privacy and Data Protection, but we think there may be enough in the draft guidelines concerning deliberate contraventions (of the sixth data protection principle) and the question of whether compensation has been paid to the data subject (including reimbursement of reasonable legal fees where the individual has sought to enforce their rights under s.7(9)?), to suggest a method.
Perhaps we can then, at last, get rid of the effect of the pernicious dicta in Durant -v- Financial Services Authority  EWCA Civ 1746 that renders it extremely difficult for data subjects to assert their subject access rights when they are also in legal proceedings with the data controller, against the view of the Information Commissioner. Perhaps then we can also ensure that there is equality of arms between well-financed data controllers and data subjects, who currently cannot readily enforce their s.7 rights without incurring massive and disproportionate costs.