Stiffer U.K. penalties coming for personal data misuse

The British Ministry of Justice recently published proposed new penalties for knowingly misusing personal data in violation of section 55 of the Data Protection Act. The proposals raise the maximum penalty to include jail time, in addition to the financial penalty already applied under the law. The reasons cited by the U.K. government for proposing the stronger penalties include the need for a bigger deterrent to those who obtain personal data illegally, and to increase public confidence in the legitimate collection, storage, and use of personal data. (Bear in mind that with a National Health System and other major government programs, the U.K. government maintains centralized data on its citizens in a variety of contexts and purposes, including health records.)

This overseas activity is paralleled to some extent in recent increases in domestic penalties associated with HIPAA violations (codified at 42 USC §1320d) as well as requiring the formal investigation of knowing and willful violations of the law. Along with lack of proactive enforcement measures (as opposed to current voluntary reporting of violations), HIPAA and other U.S. privacy laws are often criticized for having insufficient penalties imposed for violations. There is little movement in the United States to adopt the sort of strong citizen-centered privacy laws in force in the European Community, but it is nonetheless heartening to see risks to personal data taken seriously among major economic powers.