This month’s amendments to the Data Protection Act have attempted to address important deficiencies in legislation; they give the Information Commissioner the power to carry out compulsory inspections of government departments and the power to fine data controllers. While these developments are welcome, they fall short of what is required to achieve a properly functioning legal regime.

The Act is designed to protect both citizens’ privacy and their personal data, but to do this it must offer them a clear route for seeking redress of grievances through the courts. Even following April’s amendments, the Act fails to offer sufficient opportunity for citizens to claim financial compensation following a data privacy breach. As it stands, they can only do so if they can prove direct financial loss. There is no self-standing route to make a compensation claim for distress in most cases.

This has many negative implications for legal compliance. Firstly, it is very difficult for individuals to prove financial loss in the majority of circumstances, often because they have no idea where their information has been accessed, how many times, by whom and how. Secondly, if the public does not have a sufficient remedy for the stress caused by data breaches, they cannot hold data controllers to account in the vast majority of situations. Effectively, the law is allowing for the minority of claim situations, and not the majority. This serves no one’s purpose. It is bad for individuals because it reduces their ability to seek redress. It is bad for the Government because once the true nature of the problems is finally revealed it will require further administrative time and taxpayers’ money to remedy them. And it is bad for UK plc because it does not offer a strong financial sanction to encourage data controllers to work harder at avoiding breaches. This, in turn, will mean a failure to reduce the numbers of privacy failings.