EU Commission investigation into UK data protection legislation – new information

09 September 2004

Ruth Boardman, Hazel Grant

The European Commission is investigating whether the UK Data Protection Act 1998 is fully in compliance with the European Data Protection Directive – especially after the case of Durant -v- FSA. A government representative, in an interview with Bird & Bird, has outlined to us some of the Commission's concerns.

In the Durant case, the Court of Appeal refused to allow Mr Durant to have access to FSA records which identified him. The decision restricted the types of paper records covered by UK data protection legislation and also established that not all identifiable data, whether held on computer or in a highly structured paper file, would necessarily be covered by the Act; on one interpretation of the judgment, only information affecting an individual’s privacy would be covered. The Information Commissioner’s Office issued guidance expanding on the Court of Appeal’s comments in Durant. Shortly after this guidance was published, the European Commission wrote to the UK government as part of its ongoing review of implementation of the Data Protection Directive asking the UK government to respond to a number of queries about UK implementation, including the impact of Durant.

News of the European Commission investigation has made it hard for organisations to change their procedures in line with Durant and the Information Commissioner’s guidance, for fear that the UK legal position might alter in the event of legal action by the European Commission against the UK government. There are no plans to publish the European Commission letter, which has made it difficult to assess where areas of uncertainty lie.

We have asked the Government to provide more detailed information about the Commission’s concerns.

The Government has advised that the European Commission is not concerned with the Court of Appeal’s comments on paper records (called “relevant filing systems” in the Act). Organisations whose paper records are only filed in date order, or in a similar way, can probably assume that these records are now outside UK data protection legislation.

The Commission is, however, concerned about the Commissioner’s Office’s comments on when identifiable information will be “personal data”. It would, therefore, be unwise for organisations to alter their policies and procedures on the basis that the information they hold does not affect an individual’s privacy.

The Government has pointed out to us that they believe that the guidance on the Information Commissioner’s website is open to misinterpretation. In the Government’s view, “the Court of Appeal judgment does not significantly restrict the definition of “personal data”, which continues to have a broad meaning (references by the Court of Appeal to the Directive and to the ECJ Lindqvist case make this clear). In addition, the direct effect of the Directive would mean that any UK court considering similar issues in the future would be bound to conclude that a narrow definition was not permissible and could not lawfully be applied”.

We understand that the Commission has also raised a number of other queries about UK implementation, including:

  • the UK’s approach to transfers of personal data outside the EEA
  • lack of a statutory definition of “consent”
  • whether the powers available to the Information Commissioner are sufficient – in particular whether the Commissioner should have powers to award compensation and/or impose actual penalties.

For further information on data protection, please contact Ruth Boardman or Hazel Grant.