As a result of an investigation by the European Commission into the United Kingdom's implementation of the Data Protection Directive 95/46/EC and the Privacy and Electronic Communications Directive 2002/58/EC, the Commission issued the United Kingdom with a Reasoned Opinion on 24 June 2010, which outlines the Commission's intention to take further action if the UK fails to increase the powers of the Information Commissioner's Office (ICO) in relation to the Data Protection Act 1998.
Most specifically, the Commission requires that the ICO:
- has the power to monitor whether third countries' data protection regimes are adequate, prior to international transfers of personal information; and
- has the power to perform random checks on people using or processing personal data, and enforce penalties following such checks.
Since 2008, the ICO has had the power to audit public bodies without their consent, but this power does not extend to auditing private entities without their consent. Secondary legislation could have been implemented to give the ICO the power to audit private entities without consent, but this has not been introduced to date. In the absence of a power to audit without consent, the ICO may not become aware of processing activities being carried out contrary to the Data Protection Act unless or until a complaint is made about processing that has already taken place. If allowed to audit private entities without their consent, the ICO will be better equipped to tackle the root causes of data protection breaches within private organisations. Following an audit, the activities, procedures and processes of an entity (whether public or private) should be data protection compliant. Any subsequent breach could result in significant sanction by the ICO.
Together with the recently introduced potential fines that may be levied by the ICO, an enhanced power to audit without consent is likely to encourage better compliance with data protection obligations because the threat of financial sanctions will be bolstered by an increased likelihood of being found out.
The UK had two months from the date of the Reasoned Opinion to comply with EU law in this regard. As the UK has not made the requested changes to the Data Protection Act in time, the European Commission has the right to bring an action against the UK in the European Court of Justice as a result of the powers given to it under Article 258 of the Treaty on the Functioning of the European Union.
On 6 July 2010, the Ministry of Justice launched a "Call for Evidence on the Current Data Protection Legislative Framework", part D of which deals with the ICO's existing powers and asks "what, if any, further powers do you think the Information Commissioner should have to improve compliance?". The closing date for responses to this Call for Evidence is 6 October 2010. For further information, the Call for Evidence document can be found here: www.justice.gov.uk/consultations/docs/dpa-call-evidence-02-07-2010.pdf