Tougher sanctions for data protection breaches will be lethal for ‘bewildered’ businesses, a magic circle firm has warned in its latest report on threats to the rule of law.   

Organisations can be fined up to £500,000 for serious contraventions of the Data Protection Act 1998 (DPA).

If the new EU harmonised Data Protection Regulation comes into force, organisations could face sanctions of between 2% and 5% of their global turnover.

Linklaters’ report, In defence of the Rule of Law, described the act as one of the ‘most maligned’ examples of principles-based regulation, which made it difficult for businesses to be confident they were complying with regulatory obligations.

The 1998 act requires companies to make sure personal information is used fairly and lawfully.

But Linklaters said the act did not provide any ‘overarching guidance’ on the meaning of fairness, which is a ‘subjective’ concept.

Instead, businesses had to refer to guidance issued by the Information Commissioner, decisions of specialist appeals tribunals, higher courts, the European Court of Justice, and guidance from the ‘Article 29 working party’, a panel of EU regulators.

‘Businesses doing so may come across guidance on “accountability”, “privacy impact assessments”, “privacy by design” and “binding corporate rules and binding processor rules”,’ the report states.

‘None of these concepts exist in the DPA but are all derived, to some extent, from the fairness principle and now form part of the common parlance of a small number of EU data protection lawyers, privacy professionals and regulators to which most businesses feel compelled to turn, bewildered by the runic guidance they find in the public domain.’

The firm said the act’s uncertainties, until now, had produced ‘few serious inconveniences’ to business, with the current sanctions regime ‘relatively low key’.

But should sanctions increase, ‘a well-intentioned but arbitrary requirement will thus become a potentially lethal one for businesses in the UK and Europe’.