Summer 2007 has seen four conflicting pronouncements on the state of UK/EU data privacy laws. Lords, Tories, EU Commissioners and now the UK Information Commissioner have all heaved in. Ray Coyle reveals his personal data on these developments.
Who: The House of Lords Science and Technology Committee, The Conservative Economic Competitiveness Policy Group, The Information Commissioner and the EU Data Protection Supervisor.
When: August and September 2007.
Where: Parliament, the Data Protection Forum, Brussels
Law stated as at: 28 September 2007
The Data Protection Act has been the subject of much political attention in the last few weeks. Unfortunately, not only do the various political factions not agree a common course of action, their recommendations appear entirely contradictory. Given the importance of the protection of private data in modern business, where electronic communication has so increased the quantity of data to be protected, data controllers need to understand any likely changes to the regulatory regime.
At one end of the spectrum, the House of Lords Science and Technology Committee released its report on Personal Internet Security on 10 August (www.publications.parliament.uk/pa/ld200607/ldselect/ldsctech/165/165i.pdf). The Lords makes two key recommendations in respect of data protection.
Lords' key recommendations
The first is the strengthening the enforcement of the Act buy increasing resources at the ICO, introducing random audits of security measures and substantially increasing penalties for breach (para. 5.57). The Committee seems particularly concerned about the penalties, comparing the £5,000 maximum fine under the Act with a £980,000 fine imposed on the Nationwide Building Society in February 2007 for the loss of a laptop containing confidential information (para. 5.50). Secondly, the Committee recommends the introduction of a data security breach notification law, similar to that in force in the United States, that would compel Data Controllers to send notification letters to individuals stating the nature of the breach and providing advice on the steps individuals should take to deal with it (para 5.55).
Perhaps more worrying is the overall tone of the report. The Committee clearly believe that urgent action is needed, particularly in respect of privacy on the Internet which was described in the report as both a "playground for criminals" and "a lawless wild west" (Abstract, p.6)
Tories go for the nuclear option
At the other end of the spectrum is the Conservative Party. Their August 2007 report "Freeing Britain to Compete: Equipping the UK for Globalisation" (www.conservatives.com/pdf/ECPGcomplete.pdf), approaches the issue of data protection legislation and enforcement form an entirely different perspective. The Economic Competitiveness Policy Group describes the Act as an "expensive bureaucracy" and recommends its repeal (para 6.10). The report cites figures from the British Chamber of Commerce (BCC) estimating the cost of compliance at £2.3 billion per annum (although this figure is the subject of much dispute) and recommends that significant cost saving could be made through governing data protection through the law of privacy and established codes of conduct rather than specific legislation.
The authors of the report seem unfazed by the fact that the Act implements EU law and repeal would be problematic to say the least.
ICO heaves in
Somewhere between these two opposing views sits the Information Commissioners Office. Richard Thomas, the Information Commissioner, has called for a debate (which seems to have already started) on changing the EU Data protection directive, describing it as "highly confusing and overly prescriptive" (Richard Thomas' speech to the 15th Anniversary Event of the Data Protection Forum on 6 September 2007).
European data supremoes comment…
Contrast this with the EU Data Protection Supervisor, Peter Hustinx, who has made it quite plain that although in three to five years' time it might be an idea to consider reviewing the 1995 Directive, Member States' energies would now be better spent properly enforcing and implementing the existing measure (the European Commission has recently been reported for example as considering the UK's transposition of the Directive defective on no less than 11 counts).
Why this matters:
None of the parties above are currently in a position to bring about changes to data protection legislation in the UK. Unfortunately, the department for Business, Enterprise and Regulatory Reform (formerly the DTI), who should be at the vanguard of any move to regulatory change, has recently been rather silent on the issue. This is not surprising given the current political climate. With a general election on the horizon (although where on the horizon is more difficult to say), the current government are unlikely to follow the recommendations of the (mostly Labour) Lords Committee and open themselves to further criticism for increasing the burden on business.
That picture is likely to change following the next election. If Mr Cameron holds the reigns, he will be under pressure to deregulate in order to fulfil his pre-election promises. On the other hand, Mr. Brown, starting a full term, may be more likely to listen to the advice of his peers and increase the regulatory burden. Either way, the pressure from the BCC, House of Lords and the Information Commissioner for some kind of reform will not go away and it seems unlikely that the data protection regime in the UK will be the same in twelve months from now.