News that the UK might have to grant more rights of access to personal data to comply with the EU Data Protection Directive caused legal experts to warn of the harm such a move could do to businesses.

In a formal letter of notice sent to the UK government in early July 2004, the European Commission (EC) questioned whether several aspects of the UK's Data Protection Act (DPA) conformed with its directive. The details of the letter have not been published, but according to legal advice site Out-law, it is likely to argue that the government has failed to guarantee sufficient rights of access to personal data.

The concerns of the EC were probably prompted by a UK Court of Appeal ruling in the recent Durant v FSA case, which offered a narrow definition of personal data under the terms of the DPA.

George Gardiner of law firm Gardiner & Co supported the court's decision. "There has been a huge increase in vexatious data subject requests as a prelude to litigation, but now these individuals have to look elsewhere for their disputes," he said.

However, the EC prefers a broader definition of personal data and may want the UK to follow suit - a move that could cost businesses thousands if they are faced with a barrage of data subject requests as a result. "The EC is giving carte blanche for everyone to pay the £10 cost of the request and cause havoc for business," warned Gardiner.

Changes to the law could also harm the wider UK economy, if they deter companies from setting up business here, said Robert Courtneidge, partner at law firm Osborne Clarke. "It is common knowledge that businesses coming into Europe will take into consideration the data protection environment," Courtneidge explained. "There are countries in the EU whose data protection laws are losing them business. The UK is not one of them."

Courtneidge said the UK should help law-abiding firms to carry out their business with the least permissible amount of red tape. "I believe the UK has achieved this by not simply incorporating the directive at its strongest," he added.

A spokeswoman for the Office of the Information Commissioner, the government body responsible for policing the DPA, said it had not yet been involved in the matter. "It concerns these two separate organisations [the UK government and the EC] and when they [will] choose to include us, we don't know," she said.

The EC's letter is also likely to raise concerns that the UK does not demand sufficient controls on international data transfers; and that it has not granted the information commissioner adequate investigative power, according to Out-law.

If the EC is not satisfied with the government's response, it could request amendments to UK legislation. Failing that it could take the government to court.