Archive for the ‘DPAs competence’ Category

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by Brian Davidson

The times when one could say that the UK ICO was a fluffy, toothless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity: by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings, and 2013 looks set to bring similar activity (in March, for example, the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls: a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls).

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tells us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular), and the ICO refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifies ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and has explicitly identified (and published) the names of a number of companies which it has either met to discuss compliance issues, or whose compliance it is actively monitoring in response to ‘concerns’ with a view to considering enforcement action. This relates not only to UK-based companies, but also to those based overseas who are targeting UK-based consumers. The ICO tells us that it is actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally, the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (far fewer than the number of concerns about unwanted marketing communications from individuals, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites it receives complaints about or which are ‘visited most by consumers’. However, the ICO also says that it has ‘maintained a consumer threat level of “low” in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smartphones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly in any business’s data protection compliance strategy.

The Leveson Report and UK Data Protection

Posted on November 29th, 2012 by Victoria Hordern

So, the Leveson Report has been published. Whilst I have not yet read all 2,000+ pages, the key recommendations that Lord Justice Leveson has made to the Ministry of Justice about the Data Protection Act are:

* Amend s. 32 (journalism, literature and art exemption) including making it narrower

* Amend the right to compensation under s. 13 so that it includes compensation for pure distress

* Repeal certain procedural provisions around journalism in the DPA

* Consider requiring the ICO to give special regard to the balance of the public interest in freedom of expression alongside the public interest in upholding the DPA

* Bring into force amendments made to s. 55 around increasing sentencing and an enhanced defence for the public interest with respect to journalism

* Extend the prosecuting powers of the ICO to include any offence which also constitutes a breach of the Data Protection Principles

* Impose a new duty on the ICO to consult with the Crown Prosecution Service regarding the exercise of any power to undertake criminal proceedings

* Amend the DPA to reconstitute the ICO as an Information Commission led by a Board of Commissioners

The Report also has a whole part examining the relationship between the Press and Data Protection including comments on the structure and workings of the ICO.

A week in Brussels

Posted on November 16th, 2012 by Eduardo Ustaran

Life is always busy in Brussels.  Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process.  The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience.  The most visible message of the week has been that all parties involved – European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities – are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.

Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:

*    Francoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs.  However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission’s delegated acts, which she believes are needed to maintain the Regulation’s flexibility; and monetary fines, which are meant to give the new framework much needed teeth.

*    For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament’s position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed.  Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE’s stance on this issue.  Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.

*    Jacob Kohnstamm, Chairman of the Article 29 Working Party, showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation.  With regard to personal data, he would favour a slight extension of the definition to cover any data that may be used to single out individuals.  He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual’s consent must override everything else.  With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals.  Not surprisingly, Mr Kohnstamm is wary of the ‘one stop shop’ principle and emphasised the role of the proposed European Data Protection Board in getting the balance right.

*    The ‘one stop shop’ principle became one of the most heatedly debated topics.  Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law.  Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions.  The debate on this issue is clearly wide open with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.

Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in ‘t Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission’s proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.

 

Getting the ‘one stop shop’ principle to work

Posted on November 5th, 2012 by Eduardo Ustaran

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners’ Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate.  Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering.  One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection.  No other issue symbolised the need for this balance better than the ‘one stop shop’ principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.

As a concept, this principle seems like a no-brainer that everyone would be happy with.  If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have.  If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator.  Why is it, then, that this concept is proving so difficult to shape to everyone’s satisfaction?  There is even a precedent in the concept of a “lead authority” for BCR authorisations, which has been working quite effectively for years now.  Are national interests preventing this principle from working, or is there a more fundamental issue getting in the way?

In line with the overall harmonisation objective, the ‘one stop shop’ principle brings with it a significant change, as the law is seeking to designate only one competent regulator per EU-based controller.  By definition, this approach relies on the trust that the authorities of all of the other countries where a given controller operates must place in the competent authority.  This is certainly an ambitious expectation, but surely one that can be met if the collaborative mood of the Commissioners’ Conference is anything to go by.  So a lack of trust amongst regulators should not be a reason to question the ‘one stop shop’ principle.

A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the ‘easy’ regulators.  Frankly, there are no easy or difficult regulators.  They all take their jobs very seriously and have good days and bad days – like everyone else.  What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards.  For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.

Could the ‘one stop shop’ principle ever work then?  Of course it can.  As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance.  Linked to this, what is also needed is trust.  Trust by the regulators in their counterparts and ultimately trust in the legal system.  However, trust should not be about ‘easy’ regulators behaving unreasonably to show how ‘tough’ they are, and trust should not be about triggering a dangerously bureaucratic “consistency mechanism” at the first sight of disagreement.  The ‘one stop shop’ principle is ultimately about effective compliance and should be given the chance to succeed.

The next two years of legislative reform are crucial.  We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way.  Change should be accepted because it is inevitable.  The ‘one stop shop’ model is perfectly workable if it throws away old and unhelpful prejudices.  Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role.  Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness.  Let’s not risk that outcome and let’s try to make the ‘one stop shop’ principle work instead.

 
This article was first published in Data Protection Law & Policy in October 2012.