Laws protecting consumers online need revision

Observers have called for a review of UK laws that protect consumers from the sort of security blunders that saw thousands of Powergen customers' credit card details published on the Internet this week.

Experts say current legislation does little to protect consumers and argue that unless positive steps are taken, a lack of consumer confidence could scupper Tony Blair's vision of a successful "e-Britain".

According to the 1998 Data Protection Act, Powergen's customers are not entitled to any financial compensation except anybody who suffers credit card fraud or other damages. Powergen has offered customers affected by the security breach £50 compensation each for the inconvenience.

"Customers who suffer distress following a breach in the act will only qualify for compensation if they can also prove to have suffered damage," said Lorraine Godkin, compliance manager at the Data Protection Registrar.

Robin Bynoe, a partner at Charles Russell Solicitors, believes the data protection law is sound, but that two potential problems exist. "Firstly, there must be adequate enforcement... and secondly it must keep up with the extremely rapid changes on the Internet. The fact that a security breach is accidental is no excuse in law," he added, agreeing that test cases would help to establish the legal position.

Users who have had their personal data published online without their consent but not suffered any damages are essentially on their own, says Bynoe. "Something has to happen before any talk of compensation can begin."

Neither the Office for Fair Trading (OFT) nor the Department of Trade and Industry (DTI) would admit to any responsibility for the online activities of companies such as Powergen, stating that such security breaches should be dealt with by the police and the Data Protection Registrar. But given the registrar's response, there seems little reason for consumers to take risks with information they want kept secret.

A spokesman for the OFT did reveal however that there had been discussions about creating a new department responsible for guarding consumer rights online. No details were given.

Malcolm Hutty of the Campaign Against Censorship of the Internet in Britain called for widespread consultation and review of the existing law. "There has to be action, so that these kind of security failures can't happen again. Companies can be fined for failing to keep personal data secret, but the poor member of the public has no real comeback."

Hutty suggests one solution could be to set a minimum fixed fine which would be levied against companies who breach the data protection act. He did however concede the complexity of the issue and called for debate.

Take me to the e-commerce special.

What do you think? Tell the Mailroom. And read what others have said.