Unless the Information Commissioner's Office (ICO) is given the power to conduct random checks on organisations for compliance with data protection law and issue penalties based on those checks the European Commission will take action, it said.
The ICO must also be given the powers to assess other countries' data protection regimes before international transfers of information from the UK are made, the Commission said.
The Commission has sent the UK a 'reasoned opinion', the second step in a three stage process of enforcing EU directives when countries do not pass them fully into law.
"The case concerns the implementation of the EU’s 1995 Data Protection Directive both in UK law (the Data Protection Act of 1998) and its application by UK courts," said a Commission statement. "The Commission has worked with UK authorities to resolve a number of issues, but several remain, notably limitations of the Information Commissioner's Office's powers."
The first stage of the Commission's formal process when taking countries to task is to send nations a Letter of Formal Notice. If the response to that is unsatisfactory then a Reasoned Opinion is sent.
Countries have two months in which to comply with the Reasoned Opinion. If they do not then that country is referred to the European Court of Justice (ECJ), Europe's highest court.
"However, in over 90% of infringement cases, Member States comply with their obligations under EU law before they are referred to the Court," said a Commission explanation of the process. "If the Court rules against a Member State, the Member State must then take the necessary measures to comply with the judgment."
The Commission said that the UK must also change the law on people's rights to have their information deleted by organisations.
"Courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted," it said. "These powers and rights are protected under the EU Data Protection Directive and must also apply in the UK. As expressed in today’s reasoned opinion, the Commission wants the UK to remedy these and other shortcomings."
The Commission has consistently complained to the UK about its implementation of the Data Protection Directive. Complaints first emerged in 2004 and resurfaced in 2007 and last year.
In 2007 the Commission found fault with the UK's transfer into law of 11 of the Data Protection Directive's articles, almost a third of the whole Directive.
These deficiencies included the issues raised this week. Those same issues also formed part of Commission complaints in 2004.
Last year the Commission said that the Data Protection and Privacy and Electronic Communication Directives were not properly implemented in the UK. The Commission was responding to concerns over controversial Phorm advertising technology.
