The European Commission has called on the UK to strengthen the powers of its data protection authority, the Information Commissioner's Office (ICO).
The EC request is aimed at bringing the UK in line with the European Union's Data Protection Directive, and represents the second stage of EU infringement procedures.
In the UK, national data rules are curtailed in several ways, leaving the standard of protection lower than required under EU rules, the EC said.
The single most important change required in UK data protection regulation is to bring the law into line with European legislation, according to Stewart Room, partner at law firm Field Fisher Waterhouse.
Section 13 of the UK Data Protection Act (DPA) is totally out of kilter with the EU directive on personal data, he told a recent privacy conference hosted in London by the UK Digital Systems Knowledge Transfer Network.
The UK now has two months to inform the EC of measures taken to ensure full compliance with the EU Data Protection Directive.
The work of data protection authorities must not be unbalanced by the slightest hint of legal ambiguity, said Justice Commisioner Viviane Reding.
"I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules," she said.
The case concerns the implementation of the EU's 1995 Data Protection Directive in UK law and its application by UK courts.
The EC has worked with UK authorities to resolve a number of issues, but several remain, notably limitations of the Information Commissioner's Office's powers.
The EC said the ICO cannot monitor whether other countries' data protection is adequate, and it cannot perform random checks on people using or processing personal data, nor enforce penalties following the checks.
The EC is also unhappy that courts in the UK can refuse the right to have personal data rectified or erased, and that the right to compensation for moral damage when personal information is used inappropriately is restricted.