Striving for efficient and accessible protection against data protection violation

Obstacles to accessing data protection remedies have been revealed, thanks to new research conducted by The University of Nottingham's Human Rights Law Centre (HRLC).

This research contributes to the findings of a new European Union report that considers the actual experiences of victims and those dealing with data protection violations to identify areas for improvement.

A new European Union Report on Access to Data Protection Remedies by the EU Fundamental Rights Agency (FRA), published on the eve of EU Data Protection Day (28 January 2014), reveals serious flaws in procedures to address data protection violations.

Tackling personal data violations

The report gives an overview of the current legal framework and procedures that people can currently use to redress violations. And it recommends new initiatives to improve individuals' access to data protection remedies in EU member states.

Data protection law exists to controls how people's personal information is used by organisations, businesses or the government. The University of Nottingham research—investigating the situation in the UK—suggests that most data protection violations arise from internet-based activities, direct marketing, financial violations such as credit card fraud and video surveillance.

The majority of problems encountered related to the processing of personal data, such as the unjustified transfer of personal data to third parties, improper and excessive collection and storage, storage or inaccurate information and unlawful disclosure. Other violations were connected to the rights of the data subject to access their personal data including refusal to access or to correct personal data.

The desk and fieldwork research by HRLC examined the existing procedures and the legal consequences concerning data protection violations in the UK. Professor David Harris, HRLC Co-Director and Professor Emeritus, said:

"More and more information is being stored about individuals both by government and privately. This project revealed the great harm that the recording of inaccurate information can cause individuals and the need for them to have accessible and effective remedies when this happens."

Victims 'not motivated' by money

The interviews conducted by HRLC identified the following key findings from the perspective of access to data protection remedies in the UK:

• Victims are less likely to pursue their case in the courts as it is often time consuming, costly and difficult to provide evidence of a data protection violation; instead, most victims complain to the Information Commissioner's Office (the national data protection authority);
• When seeking redress victims of data protection violations are not motivated by financial gain but rather wish to prevent the recurrence of similar data protection violations in the future due to their experiences of psychological and social distress;
• There is a lack of legal expertise in the area of data protection and a lack of resources allocated to organisations who do specialise in the area of data protection;
• The civil society organisations are crucial to the individual by providing advice, legal assistance and representation, as well as playing a part in publicising and raising awareness around data protection issues.

The findings are also consistent with the overall conclusions of the FRA report that explain why the available redress mechanisms are not widely used by capturing the experiences and views of key stakeholders involved in the enforcement and use of redress mechanisms. This includes the national data protection authority, leading legal practitioners on data protection, consumer protection organisations, governmental departments and other non-governmental organisations.

The report recommends the following initiatives to improve individual's access to data protection remedies in EU Member States:

• Raising public awareness of complaint mechanisms, including the existence and role of national data protection authorities;
• Strengthening the independence and resources of data protection authorities;
• Data protection training for legal professionals so they can offer more informed advice.