The single most important change required in UK data protection regulation is to bring the law into line with European legislation, says Stewart Room, partner at law firm Field Fisher Waterhouse.
Section 13 of the UK Data Protection Act (DPA) is totally out of kilter with the EU directive on personal data, he told the annual privacy conference hosted in London by the UK Digital Systems Knowledge Transfer Network.
Article 23 of the EU directive calls for compensation for damage suffered by anyone as a consequence of a data breach - which includes any kind of damage, such as emotional distress or loss of reputation - but compensation under these circumstances is currently blocked by UK law, he said.
Section 13 of the DPA states that compensation for distress is payable only if there is damage, but damage is strictly defined as financial loss, as per the ruling in Johnson vs Medical Defence Union in 2007, said Room.
This effectively means the UK citizen is prevented from receiving the benefit outlined in the directive because, in most data breach cases, financial loss is impossible to prove, he said.
Changing Section 13 of the DPA to get rid of the requirement for financial loss before anyone can get compensation for data breaches should be a top priority to bring the law into line with the EU directive and more recently added sections of the DPA, said Room.
Section 13 is an illogical anomaly when set against Section 55 of the act, which granted the Information Commissioner's Office (ICO) the power to impose fines of up to £500,000 where data breaches cause distress or damage, he said.
Room asked attendees of the conference to vote on whether Section 13 should be amended to give UK citizens the standalone right to compensation for distress caused as a result of a data breach.
Some 69 per cent of the data privacy professionals attending the event said "yes", compared with 15 per cent who said "no" and 13 per cent who said "do not know".
The second most important change in UK data privacy law, said Room, was to make disclosures of data breaches mandatory.
"There is currently no legal framework that requires private organisations to report data breaches," he said.
Because of concerns about damage to reputation, organisations are unlikely to report data breaches unless they are required by law to do so, as they are in 47 states in the US.
Beyond revising Section 13 and making breach disclosure mandatory to build a better legal framework for data privacy in the UK, Room said the ICO still lacks real power to enforce data protection.
"The regulator still does not have proper and adequate powers as required by the EU directive," said Room.
Many big companies consider the £500,000 fines laughable, and do not even build them into their risk assessments, he said.
But Room said he remains sceptical of the ability of law reform alone to tackle the problem of data handling.
The problem is too big for the ICO and the Financial Services Authority to deal with, he said.
"What we need is an army of regulators, and more judges and lawyers with the required expertise to work in this highly technical area," he said.