There were several issues referred to by the European Commission. The first is that the ICO cannot currently look at whether third countries’ data protection is adequate. Third countries will host data before it reaches its final destination following data transfer. The EC says this assessment should come before international transfers of personal information.
Second, the ICO cannot perform random checks on people using or processing personal data – nor enforce penalties following the checks. The EC has stated that the ICO should be allowed to do both.
Furthermore, courts in the UK can refuse the right to have personal data rectified or erased and the right to compensation for moral damage when personal information is used inappropriately is also restricted. The first right should be removed, and the restrictions on the second should be lifted said the EC.
The UK now has two months to inform the Commission of measures taken to ensure full compliance with the EU Data Protection Directive.
Some in the industry argue that these measures could become a burden to business. Phil Lee, a data privacy specialist at law firm Osborne Clarke, said: “It seems that the EC is calling for a greater overview of international data exports and mandatory private sector data audits. This would radically alter the traditionally held view that the UK has a business-friendly privacy regime.
“The move could usher in a new era of regulatory oversight at a significant cost to business,” he added.