Founder Will Roebuck said companies should be aware of the vagueness of some laws, for example the Data Protection Act; of overlaps in regulations, as between the Regulation of Investigatory Powers Act and Data Access Regulation; of the lack of technical knowledge of legislators; and of the burden of over-regulation on IT directors.
IT legal expert Graham Smith, a partner at law firm Bird & Bird, said that under the Regulation of Investigatory Powers Act 2000, employers would be liable under civil law if they monitored their employees' e-mail inboxes but would probably not be if they looked only at sent folders.
"The E-Commerce Directive states that in any legal disputes laws have to be applied according to the country of origin," said Roebuck. "But the EC's Rome II draft states that it should be the country of destination."
Despite the confusion, which will only be clarified through case law, government is gearing up to enforce the legislation. "Large companies are breaking the law every day, for example with their transatlantic data flows," said Andrew Sparrow, partner at Lecote Solicitors. "[Regulators] are looking for big companies to make examples of."
EU law forbids the export of data to countries that do not conform to the eight key principles for European data protection. Under the "safe harbour" compromise, the EU allows data to be shipped to the US if the recipients sign a declaration stating that they believe they comply with EU principles, even though US legislation itself does not conform to them.
But Reuters, for instance, insists that all its data collection and processing worldwide conforms to European regulations. "We collect data in New York or Asia but process it as if it were in the UK," said Mark Lomas, head of Reuters' global security policy.