UK privacy watchdog is hobbled, says Europe

The Information Commissioner's Office needs more powers for the UK to comply with European data protection law, according to the European Commission

The UK privacy watchdog should have stronger data protection powers, according to the European Commission.

The Information Commissioner's Office (ICO) does not have enough international reach or enforcement power, the Commission said in a statement on Thursday.

"I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules," said justice commissioner Viviane Reding in the statement. "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement."

The ICO must have its powers strengthened to comply with European law. At present, the UK is not implementing the EU Data Protection Directive correctly, partly due to legal ambiguities surrounding the powers of the ICO, said the Commission.

To comply with the directive, the ICO must be able to assess whether a third-party country has adequate data protection before allowing international transfers of data. In addition, the Commission said that the ICO must be able to perform random checks on organisations, and have the power to enforce penalties following those checks.

The UK has two months to inform the Commission of measures taken to beef up the powers of the ICO, or it will be liable to enforcement action from the Commission. The next step would be for the Commission to take the government to court.

The ICO said in a statement on Friday that data protection is important, and that it would discuss the Commission's concerns with the Ministry of Justice, which sponsors the ICO.

"It is important that we have effective data protection regulation to help protect individuals' personal information," said ICO. "We look forward to discussing the Commission's detailed concerns with the Ministry of Justice and providing input into the UK government's response."

The Commission has been concerned about the powers of the ICO for at least six years. The first step of the infringement procedure against the UK government was a letter of formal notice sent on 9 July 2004. A complementary letter of formal notice was sent on 10 April 2006. The latest letter of notice was sent to the UK government on Wednesday.

The Ministry of Justice responded in a statement on Friday. "We are firmly committed to protecting UK citizens' privacy and data," said the statement. "We are considering the Commission's letter and will respond in due course."

The ICO is an independent public body funded by the Ministry of Justice. It can only perform random checks on government departments, not private sector organisations, and cannot enforce any monetary penalty following a random check.

The ICO was given greater enforcement powers in April, and now has the power to fine an organisation up to £500,000 for a serious data breach, but only when it has been asked to investigate.