The main directive that governs the processing of personal information in the European Union, the Data Protection Directive 95/46/EC, was signed by the European Parliament and Council on 24 October 1995. It had to be implemented by member states within 3 years from the this date of adoption (not to be confused with its publication date in the Official Journal – Official Journal L 281 , 23/11/1995 P. 0031 – 0050).
The UK started out well, with the Data Protection Act 1998 getting royal assent on 19 July 1998. However, most of the Act’s operative provisions did not come into effect on the passing of the Act but came into effect late, on 1 March 2000.
However, the European Commission has for many years considered the implementation of the Directive by the UK to be inadequate. In particular, the Commission considers that the powers given to the Information Commissioner, the UK’s national data protection authority, are insufficient. There have been many rumours over the years about preliminary steps being taken by the Commission to enforce proper implementation of the Directive, but with no official confirmation.
This week we at last have confirmation that the Commission is after the UK, with a press release giving some details about its request that the UK strengthen the powers of the Information Commissioner. The request is in the form of a reasoned opinion – the second stage under EU infringement procedures. The Commission has four concerns about the implementation of the Directive in the UK:
- the Information Commissioner cannot monitor whether third countries’ data protection is adequate. These assessments should come before international transfers of personal information;
- the Information Commissioner can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks;
- the courts in the UK can refuse the right to have personal data rectified or erased; and
- the right to compensation for moral damage when personal information is used inappropriately is also restricted.
The UK now has two months to inform the Commission of measures it has taken to ensure full compliance with the Directive, else it risks being taken to the Court of Justice of the European Union (CJEU). The Commission’s press release quotes Viviane Reding, the relevant Commissioner (Commissioner for Justice, Fundamental Rights and Citizenships):
“Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy. EU rules require that the work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity. I will enforce this vigorously. I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.”
Sadly, the UK had an excellent opportunity to make most of the necessary amendments when the Criminal Justice and Immigration Act 2008 and Coroners and Justice Act 2009 went through Parliament. The 2008 Act introduced monetary penalties powers for the Information Commissioner. With these powers in place, specific mention could have been made about their use in the provisions on assessments introduced by the 2009 Act. There was debate in the House of Lords on extending the assessment notice provisions at ss.41A-41C of the Data Protection Act 1998, which are currently restricted to Government bodies, to the private sector. An amendment was proposed by Lord Dubs, a member of the Joint Committee on Human Rights, to extend the scope of these provision, but the amendment was not moved. It would have been possible, had the Government wished, to broaden the scope of assessment notices to include the assessment of transfers/exports of personal information.
(The link to the Data Protection Act 1998 above is to the consolidated act, which therefore includes ss.55A-55E inserted by s144 of the 2008 Act, and ss.41A-41C inserted by s173 of the 2009 Act.)
One of the most difficult rights of the Data Protection Act 1998 for an individual to exercise is the right of access to that individual’s personal information, particularly if that individual is in a dispute with the data controller (the holder of the personal information). The problem is that if any individual is willing to accept the risk and cost of going to court to seek a court order to require compliance, then the court has a discretion on whether it makes an order and the terms of that order. This has always been a frustration for advisers to individuals.
Still, there is finally a chance that the threat of being brought to the CJEU will prompt the UK to address the shortcomings of the Data Protection Act 1998 in time for the 15th anniversary of the passing of the Data Protection Directive 95/46/EC.