Bolkestein rebukes UK over lack of data privacy

By Peter Chapman

Date: 15/07/04

THE United Kingdom is breaching EU rules intended to protect citizens' private data and is allowing companies to send personal information to far-flung countries without adequate checks, the European Commission has warned.

Frits Bolkestein, the commissioner for the internal market, has sent a letter to the UK listing a number of problems with the way the British apply the EU's 1995 data-privacy directive.

The Commission alleges that the UK's data-protection regime does not give enough protection to its citizens and is allowing companies too much freedom over sensitive information.

Bolkestein claims that Britain's data-privacy watchdog, the information commissioner Richard Thomas, has not been given enough powers to do his job properly.

The Commission says it has seen "no evidence that the information commissioner in the UK is carrying out any sort of central control" on transfers of data to countries outside the Union.

Under the EU directive, national authorities are obliged to prevent personal information from leaking to countries that do not have "adequate" protection measures in place.

Bolkestein believes the UK data-protection act of 1998 gives too much scope for companies to use personal data about their customers to send them information and sales pitches about other products. They can do so even when it is unclear whether a customer has given his or her consent - for example by ticking a box in a form.

The European Commission's spokesman Jonathan Todd said the letter was only the first step towards action at the European Court of Justice.

The British have been given two months to respond to the EU executive's allegations.

"But clearly, we would not be opening this case if we did not have some serious concerns," he said, adding that the action was prompted by "complaints from members of the public".

Mike Pullen, a lawyer advising multinational companies on how to comply with data- protection rules, said the UK's regime put the onus on companies to act responsibly.

"But there are a number of firms, including blue chip companies quoted on the London Stock Exchange, that are not taking data- protection compliance seriously - because there is little chance of being prosecuted," he said.

Britain's spokesman on the EU Jonathan Allen said he could not comment as the UK considered contacts with the Commission on alleged infringements of EU rules as confidential.

Richard Thomas, who stands to receive greater powers, also refused to comment.

The Commission takes issue with a UK court case and subsequent guidelines issued by Thomas which it believes are "less strict than required" because they limit the scope for citizens to check and edit records about themselves.

Bolkestein says the UK's law wrongly gives discretion to judges "arbitrarily" to dictate when people can and cannot see and rectify data held on them.

The Commission also criticizes the limited rights granted to Thomas.

Instead of having the power to carry out surprise "dawn raids" on companies and agencies he suspects of breaching the rules, he currently has to forewarn data controllers before he can carry out an audit of their practices. Thomas and his successors must also have "punitive powers" to penalize data controllers who do not respect their obligations.

The Commission decided in 1999 to take France, Germany, Ireland, Luxembourg and the Netherlands to court for failing to meet an October 1998 deadline for implementing the directive.

Ireland has passed legislation recently which has still to be notified to the Commission.

France has not yet passed the legislation necessary to bring its 1978 data protection law into line with the directive.

The French parliament is currently working on a draft law.

Frits Bolkestein, European Commissioner for the Internal Market, has written to the UK Government warning that the European Union's 1995 Data Privacy Directive is not being applied as intended, with companies being allowed to send personal information to other countries without adequate checks.

• Primary Source