In April 2010, following a long campaign, the ICO was granted powers to impose fines on businesses of up to £500,000 for serious breaches of security.
But on June 24, the European Commission announced that UK privacy laws still fell short of the current EU Data Protection Directive, and it gave the UK government two months to respond with a plan for compliance.
The ICO responded on June 28 with a short statement, saying: "It is important that we have effective data protection regulations to help protect individuals' personal information. We look forward to discussing the Commission's detailed concerns with the Ministry of Justice and providing input into the UK government's response."
Then, on July 6, the Ministry of Justice issued a "Call for Evidence on current data protection law to help inform the UK's position on negotiations for a new EU data protection instrument, which are expected to start in early 2011." The consultation period will last three months and will close on October 6, 2010.
The European Commission's June 24 statement said it had worked closely with the UK government to help it comply with the EU's 1995 Data Protection Directive, but it said the ICO's powers still need to be strengthened in a number of areas.
For instance, the ICO cannot monitor whether other countries' data protection is adequate. Such assessments of security, advocates said, should come before international transfers of personal information, and would be key when companies want to use a cloud service provider outside the EU.
The ICO also lacks the power to perform random checks on people who are using or processing personal data, or to enforce penalties following those checks, the Commission said. Furthermore, it said UK courts can refuse the right to have personal data rectified or erased from court documents and public records. The right to compensation for moral damage when personal information is used inappropriately is also restricted.
An ICO spokesman confirmed that the courts do have discretion over whether personal records can be amended or deleted. Examples of such cases could include records needed as legal evidence, or criminal records within which law enforcement still disputes the innocence of the individual concerned.
Viviane Reding, a commissioner for justice at the European Commission, said: "I urge the UK to change its rules swiftly so that the data protection authority is able to perform its duties with absolute clarity about the rules. Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement."
But some have already expressed fears that new rules will make it hard to do business.
Ewen Anderson, managing director of Midlands-based IT consultancy Centralis Ltd., said the law has to take account of new working practices. "Organisations can only take measures to prevent accidental loss [of personal data], and that is increasingly difficult as employees move away from traditional workplaces and access [the data] via mobile devices," Anderson said. "It is simply not possible to prevent the deliberate removal of personal data from systems unless those systems are made so inflexible as to prevent their legitimate use."