Author: Stewart Room
22 Apr 2010 | 12:39
This month's amendments to the Data Protection Act have attempted to address important deficiencies in legislation; they give the Information Commissioner the power to carry out compulsory inspections of government departments and the power to fine data controllers. While these developments are welcome, they fall short of what is required to achieve a properly functioning legal regime.
The Act is designed to protect both citizens' privacy and their personal data, but to do this it must offer them a clear route for seeking redress of grievances through the courts. But even following April's amendments, the Act fails to offer sufficient opportunity for citizens to claim financial compensation following a data privacy breach. As it stands, they can only do so if they can prove direct financial loss. There is no self-standing route to make a compensation claim for distress in most cases. This has many negative implications for legal compliance. Firstly, it is very difficult for individuals to prove financial loss in the majority of circumstances, often because they have no idea where their information has been accessed, how many times, by whom and how. Secondly, if the public does not have a sufficient remedy for the stress caused by data breaches, they cannot hold data controllers to account in the vast majority of situations. Effectively, the law is allowing for the minority of claim situations, and not the majority. This serves no one's purpose. It is bad for individuals because it reduces their ability to seek redress. It is bad for the Government because once the true nature of the problems is finally revealed it will require further administrative time and taxpayers' money to remedy them. And it is bad for UK plc because it does not offer a strong financial sanction to encourage data controllers to work harder at avoiding breaches. This, in turn, will mean a failure to reduce the number of privacy failings.
So under the current legislation citizens have no choice but to rely on the regulator. This is where the problem intensifies. The Information Commissioner's Office (ICO) simply does not have the clout to solve the overarching problems. The amendments to the Act now offer the ICO a new financial penalty regime - it can impose a fine of up to £500,000 if a data breach has caused either substantial damage or substantial distress. But this is not sufficient for two reasons. Primarily, it isn't enough money. Too many large data controllers would consider such a fine an acceptable cost of doing business; half a million pounds just does not qualify as a suitable deterrent. Secondly, once this fine is levied, and it hasn't deterred the data controller, what happens next? There is nothing more severe in the ICO's armoury. Unfortunately, when we find out that a limited fine will not have enough impact, the Government will once again need to go back to the legislation, which means more time in committees, more cost to the taxpayer, and a longer wait for a resolution.
The most concerning aspect of this situation is that the remedy is not complicated. To deal with the issue of citizens' compensation rights, why not mirror the ICO's penalty regime and make it an option for individuals to sue for compensation for either damage or distress? If the ICO can impose financial penalties for causing distress, why not let individuals have the right to sue for compensation under the same circumstances? My interpretation is that the Government is concerned about opening the floodgates to a 'compensation culture' where the courts are flooded with large numbers of claims because the opportunity to do so exists. However, I believe there are several mechanisms to avoid this. The most obvious would be to require citizens to prove they have experienced substantial distress, exactly the same approach taken by the ICO's penalty regime. Another mechanism would be to take a tariff approach to compensation, to ensure that compensation stays within reasonable boundaries. Furthermore, it is worth remembering that having to prove financial loss has not deterred the development of compensation cultures in other areas, such as personal injury law. Yet, by worrying about the compensation culture we are artificially preventing citizens from going to court, thereby masking the true nature of the data handling problems in the UK. If we open the courts up to the public it would result in more problems coming to light and a quicker resolution to the overarching issues. This would benefit citizens, data controllers and UK plc.
Improving the adequacy of the ICO's powers is also a relatively simple change - don't limit the fine. If the potential financial impact is unlimited, data controllers will be unable to avoid assessing the risk to their businesses of data breaches. It will force them to think harder and deal faster with areas of potential weakness and will encourage them to elevate their entire company's understanding of privacy issues and information management.
There has been a considerable amount of reform to the Data Protection Act over the last couple of years, recognising that the previous legislation was defective. But the changes made to deal with those defects lack sufficient bite and focus and do not move the game on enough for the very people at most risk from privacy attacks. And the risk is growing. Today's modern culture is one where new technology is driving an ever-expanding abundance of data. Mobile devices, networking technology and converged digital systems are creating a digital society in which individuals' and companies' need to streamline everyday processes is creating more information than current systems can cope with. More data means more opportunities for privacy attacks and more citizens' information that could be exposed. Government needs to recognise today the small steps it can take now that would have a big impact on the privacy landscape. Doing so will not only reduce the risks to individuals, but speed the resolution of broader privacy issues by making data controllers think long and hard about whether they can handle the consequences of putting people's data at risk of exposure.
Stewart Room is a partner in the privacy and information law group at Field Fisher Waterhouse. He is speaking at the A Fine Balance privacy conference in Westminster on 8 June.