Monday, September 17, 2007

EU Commission: UK failed to implement a third of the Data Protection Directive

Following the EU's investigation into the UK's implementation of the data protection directive, the Commission has surprisingly expressed dissatisfaction with the UK approach to about a third of the Directive.

"The articles of the Directive which the Commission claims have not been implemented properly are articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 – just under a third of the 34 articles in the Directive.

These Articles relate to: the definitions used in the Directive (e.g. the meaning of personal data); the scope of the Directive's application to manual files; the conditions when sensitive personal data can be processed; the fair processing notices given to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek a remedy when there is a breach; the liability of organisations for breaches of data protection law; the transfer of personal data outside the European Union; and the powers of the Information Commissioner.

Data Protection expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the extent of the objections reflects official attitude towards data protection policy. "All UK Governments involved in implementing the Directive have had a policy of minimising the Data Protection Directive's effect," he said. "The number of problems raised by the Commission seem to indicate that the UK Government may have misjudged the situation and minimised the effect of too many obligations"."

Thanks to Glyn via ORG for the pointer. The UK government had until recently been keeping the details of the EU's complaints under wraps but it seems Out-Law got the information via a freedom of information request. It's a coincidence that the details should begin to emerge now since I had just posted a note about loopholes in privacy legislation to the ORG list in recent days:

"The idea that regulation is a cure for privacy problems is widely held but I don't subscribe to it.

The EU and its member states have mountains of privacy regulations. Frequently when these regulations come under pressure, such as with the EU-US safe harbour provisions for transfer of personal data or the PNR agreement with the US, they buckle. In addition there are numerous loopholes that dedicated privacy regulation evaders can drive a coach and horses through. Even where the loopholes don't apply and in the face of the efforts of people like the Information Commissioner to explain the dangers and sound legal opinions to the effect that they will breach existing privacy regulations, the government still push through ID cards, the Children's Index database ContactPoint, data retention and an unending stream of terror, crime, immigration and other laws and regulations that undermine current protections (at best, though some would argue they destroy the existing protections completely).

Privacy is a complex issue and can't be addressed through regulation alone any more than complex systemic messes like terrorism or immigration can be solved by regulation (and imagined magical computer systems that keep everyone under surveillance then point out the baddies) alone. Privacy levels and awareness are an emergent property of a whole series of complicated interacting and dynamic factors, relating to social, psychological, market, environmental, technological (in the Lessig architectural sense or possibly more accurately in the Kim Cameron/ Stefan Brands/ Caspar Bowden/ Ben Laurie/ etc. architectural sense) prevailing winds (and I'm sure members of the list can think of many more).

Apologies for the rant."
