The UK’s data protection regime lags behind Greece, Russia, and Norway – ranking it joint 21st alongside Romania and Latvia – in a new index calculating the likelihood of being punished for breaking privacy rules in Europe.
But far from being castigated for leniency, the index’s author claims the UK’s regime allows an approach which is “more flexible”, and encourages technological innovation.
The Data Privacy Index, from information law portal Data Guidance, puts Spain at the top of the index, with a score of 4.5. There have been a “number of high level fines seen for non compliance with data protection legislation” in Spain, the Index reveals.
Germany – often cited as the country with the strictest rules on marketing data – was joint second with a score of 4. The index pointed to a case in which a company had bought a marketing list of contact, and ensured through contractual clauses that the data had been compiled legally. It later emerged that it had not, and the company directors were successfully prosecuted.
The UK has a score of 3, placing in joint 21st place alongside countries Romania, Latvia and and Sweden. “The UK Information Commissioner does not have a legal right of audit but does ask companies to voluntarily subject themselves to audit,” the index pointed out.
“The UK privacy regime has focused on persuasion rather than punishment to achieve greater data privacy compliance,” explains Data Guidance managing editor Lindsey Greig. “In France, Germany and Spain and other mainland European countries there has been a more aggressive approach to enforcement.”
The UK Information Commissioner’s flexible approach may be a boon to innovation, Greig remarks. “The UK approach is viewed as more flexible, encouraging technological innovation, greater use of cloud computing and as being more in tune with the global flows of data,” he said.
But he adds that the UK’s relative lenience today means that businesses in the country can expect stricter regulation in future.
“The momentum is behind tougher regulatory measures,” he explains. “Justice Commissioner Vivene Reding has made it clear that the data protection proposals to be released [tomorrow] will have tougher sanctions and regulations.”
Greig says the Data Privacy Index is designed to give businesses a high-level view of the relative risk of handling data in the various countries in Europe.
“Data now lies at the heart of business and is a fundamental component of brand value,” he said. “Businesses need to be able to evaluate risk of their particular activities and act accordingly.”
