EU outlines shortcomings in UK data law

The European Commission has spelled out why it believes that the UK Data Protection Act does not correctly implement a third of the EU's data protection measures
Written by Tom Espiner, Contributor

The European Commission has revealed details of where it sees shortfalls in UK data law, as it considers whether to take action against the British government over the matter.

Data-protection expert Chris Pounder received the information from the Commission as part of a long-running Freedom of Information exchange. In a blog post on Monday, he shared the details of a letter sent to him by the European body, outlining where the UK Data Protection Act does not meet the requirements of the EU's Data Protection Directive.

"This case concerns an alleged failure of the UK legislation to implement various provisions of the Directive 95/46/EC on data protection," the Commission said in the letter, dated 16 February (PDF). "As we have already informed you, the provisions concerned are Articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of that Directive."

Under Article 12, for example, people are allowed to check their data being held by organisations to see whether it is correct, and to alter it, if not. However, the UK law seems to leave it to a court's discretion to grant or refuse such an access request, the Commission said in the letter.

"The Commission considers that the UK law does not set the proper standards in relation to the processing of sensitive personal data concerning to criminal offences," Pounder said, commenting on the purported discrepancy found regarding Article 8.

Narrowed scope

In addition, the European body also was concerned that in the UK, people can only claim compensation if they have suffered damage after a data breach, except where there is journalism involved. Articles 22 and 23 stipulate that affected individuals should be able to ask for recompense for distress alone.

"The European Commission has released details as to why it sees the UK Data Protection Act as an improper implementation of Directive 95/46/EC, so much so, that it is considering infraction proceedings," Pounder said in the blog post.

The other concerns regarded a narrowing of the scope of the directive in the UK legislation. For example, the investigatory powers of the data-protection supervisor — which in the UK is the Information Commissioner's Office — were not strong enough, said the Commission.

Pounder noted that the discussions between Europe and the UK on the matter has been kept under wraps. "Correspondence between the Commission and the UK government has been exchanged, and despite the possibility of litigation, very little has been published or explained to MPs or MEPs," he said in his blog post.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.
Editorial standards