Protection has its price

The new Data Protection Act will hit some companies hard, but not everyone will be protected, reports Kiran Sandford. Kiran Sandford is a partner in the IT/Telecoms group in City law firm, Taylor Joynson Garrett.

Law firms are busy preparing for a last minute rush of enquiries from clients concerned about how the new Data Protection Act will affect their businesses.

The new Act, which implements the EU Data Protection Directive, is due to come into force in October.

For the first time, organisations will have to obtain individuals' consent to hold even the most basic information on their mailing lists.

In practice, companies will no longer be able to rely on asking individuals to tick a box if they do not wish information used or disclosed to others, but must ask them to agree to that information being used instead.

Individuals will also have the right to prevent the processing of data which is "likely to cause" them "damage or distress" or for the purposes of direct marketing.

New conditions apply to the processing of information which is of a sensitive nature such as ethnic origin or religion. In most cases an individual must give "explicit" consent to the processing of such information.

The new Act has been widely trumpeted as protecting the individual's right to privacy by the Government and others.

Many of these protections may be more illusory than real, however, as there are sweeping exemptions from many of the Act's provisions. For example, bodies such as law enforcement agencies and the Inland Revenue do not have to comply with the bulk of the protections for personal data under the new Act.

The Act imposes new restrictions on the transfer of data overseas. For a long time we have had the means to send information just as easily from London to Connecticut as to Coventry.

As the new legislation only allows data to be sent outside the European Economic Area if the destination country has adequate data protection legislation in place, anyone sending data to Connecticut will have to assess whether Connecticut's data protection legislation is adequate before transmitting it.

This is not as far fetched as it sounds – there is a range of differing legislation in place in the US and neither the Directive nor the Act lay down any concrete rules about what constitutes an "adequate" level of data protection.

Recognising the difficulties this may cause, the EU Commission issued a working paper on this issue last year. The paper puts forward the possibility of putting in place a "White List" of countries whose data protection regimes would be considered adequate. So far no White List has appeared.

The post of Data Protection Registrar will continue to exist but it will be renamed the Data Protection Commissioner. The position will be much more power than is currently available under the 1984 Act.

The Directive may achieve the EU's objective of removing existing national restrictions on the transfer of personal data to another EU state based on its failure to safeguard the individual's right to privacy.

Whether it achieves those safeguards in practice in a climate where information is so easily transferable is another matter.