In July 2010 the Ministry of Justice (the "MoJ") issued a call for evidence seeking views on the data protection law in the UK to prepare it for negotiations on reforming the European Data Protection Directive. The call for evidence presents an ideal opportunity for interested parties to express their views on the reform of data protection laws.
UK Data Protection Regime
In the UK, the collection and use of personal data is regulated by the Data Protection Act 1998 (the "DPA"), which implements the European Data Protection Directive (95/46/EC).
The Directive, which was intended to harmonise data protection law across the European Union, gives extensive rights to individuals whose personal data is collected as well as imposing fairly stringent obligations on those who process such personal data.
Government call For evidence
The MoJ has launched this call for evidence to help the government form its position on the European Commission's (the "Commission") original plans to produce a legislative proposal for reform of the Directive, as well as to help it in its future negotiations. The call for evidence invites opinions on issues such as:
- whether current data protection legislation provides adequate protection to individuals whose personal information is processed;
- whether data controllers should be required to notify all data breaches to affected individuals;
- whether the Information Commissioner's powers are sufficient and appropriate;
- the effectiveness of current provisions for international transfers of personal data; and
- whether biometric personal data, such as fingerprints or DNA samples, should be specially protected as "sensitive" personal data.
Interested parties may also provide relevant evidence about any other aspect of the data protection framework which is working well or which is not working and could be improved. Responses to the MoJ call for evidence are sought by 6 October 2010. Further details are available on the MoJ Call for Evidence web page.
The Commission originally intended to publish a legislative proposal for reform of the Directive before the end of 2010, with the aim for EU negotiations to start in 2011. However the Commission has now confirmed that the proposal will be published in late 2011. The Commission was keen to stress that the delay was due to its need to take account of the results of the public consultation, as the changes it wants are significant, rather than simply being delayed as a result of lobbying from countries who thought the original timetable unrealistic.
ICO's powers criticised
On a separate issue, earlier in the summer the Commission formally requested that the UK government strengthen the powers of the Information Commissioner's Office (the "ICO"). The Commission believes that the DPA does not properly implement certain provision of the Directive, leaving the standard of protection in the UK lower than required under EU legislation. In particular the Commission stated that the ICO cannot monitor whether third countries' data protection is adequate before there are transfers of data outside the EEA, and that the ICO does not have power to perform random spot checks on those using or processing personal data, nor enforce penalties following the checks. In reference to the ICO, the Commission said: "Having a watchdog with insufficient powers is like keeping your dog tied up in the basement."
The UK government was meant to have informed the Commission of the measures it intends to take to ensure full compliance with the Directive by 24 August 2010, but at present nothing has been released.