Since that time, the Commission has stood on the sidelines with respect to deficiencies in the UK’s Data Protection Act. It has waited until there has been a change of UK Government and for a situation to develop where over 50% of the Articles in the Directive have been defectively implemented.
Don’t believe me? See the references at the end, where you will find that problems have been identified, mainly by the Commission, with respect to the UK Act’s implementation of Articles 2, 3, 6, 7, 8, 10, 11, 12, 13, 14, 18, 19, 22, 23, 25 and 28.
Some readers will also know that I have been pursuing various FOI requests with the Commission and that, since 2005, I have been trying to liberate the reasons why the Commission thinks there are problems with the UK Data Protection Act. This culminated in January this year, when the Commission pointedly refused to follow the advice of the European Ombudsman to publish limited details of its assessment of these inadequacies. In effect, the Commission has augmented seven years of inaction with seven years of secrecy.
I hope that you can now understand why I am not cheering from the rafters when the Commission expresses sudden concern about “the implementation of the EU’s 1995 Data Protection Directive (95/46/EC) both in UK law (the Data Protection Act of 1998) and its application by UK courts”.
Instead, I have some pointed questions to ask. For example, when the Commission’s uninformative press release says that it “has worked with UK authorities to resolve a number of issues”, I respond by saying “what were these problems? what was the resolution of them?” and “why is there a need for continued secrecy about problems that are no longer problems (as they have been resolved)?”.
So when the Commission’s press release states that “the Information Commissioner's Office's ...cannot monitor whether third countries' data protection is adequate” and that “these assessments should come before international transfers of personal information”, I ask the Commission to explain “why has it taken seven years to come to that conclusion?”.
When the Commission claims that the Information Commissioner “can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks”, I ask the Commission to explain why it has maintained such silence and secrecy as these deficiencies have been present since 1998 when the Directive was first implemented by the previous UK Government.
When the Commission states that “Furthermore, courts in the UK can refuse the right to have personal data rectified or erased”, I ask the Commission to explain “how it has resolved the Court of Appeal’s interpretation of S.7(9) of the UK Act in the Durant decision”.
This latter point is not an issue for geeks - it is serious as this interpretation allows a Court to possess a general and untrammelled discretion not to enforce the right of access. In effect, Durant allows for an exemption from the right of access to personal data on the grounds that if a Court thinks there should be an exemption then there is an exemption.
As the Directive requires Member States to guarantee the right of access to personal data, the silence of the press release implies the Commission is tolerating the UK Courts having a wide discretion not to guarantee the right of access.
In summary, I don’t think the European Commission has acted because of concern for UK data subjects or the powers of the Commissioner, as the Commission has known since 2004 that the UK did not implement Directive 95/46/EC properly. I suspect that the real reason relates to political expediency, in that the Commission now wants to make changes to the Data Protection Directive 95/46/EC. It knows that the UK has a new and more euro-sceptic UK Prime Minister who is unlikely to co-operate with its plans.
I therefore think the Commission's belated legal action is driven by the answer to one question: "How can the UK be forced to implement any new Directive properly if its inadequate implementation of the 1995 Directive is left unchallenged?".
References:
OUT-LAW News: UK's Data Protection Act might not meet European Union standards; http://www.out-law.com/page-4549 (May 2004)
Europe claims UK botched one third of Data Protection Directive; http://www.out-law.com/default.aspx?page=8472
Data Protection Act fails to implement 50% of the Directive? http://amberhawk.typepad.com/amberhawk/2009/11/data-protection-act-fails-to-implement-50-of-the-directive.html (blog of 19/11/2009)
FSA v Durant; [2003] EWCA Civ 1746; and the Commission’s deficiency press release.
Very enlightening article. It is always interesting to see what is going on in the UK and compare it with Data Protection in Spain.
Posted by: E_pdpes | 09/09/2010 at 01:04 PM