Archive for the ‘Financial penalties’ Category

CNIL unveils 2012 annual activity report

Posted on April 29th, 2013 by Olivier Proust

On April 23rd, 2013, the French data protection authority (the “CNIL”) unveiled its 2012 Annual Activity Report (the “Report”). The CNIL’s Report gives an overview of the actions and initiatives undertaken in the past year, and is also a good indicator for what to expect in the coming year.

The CNIL has adopted a three-year strategic orientation program for the period 2012-2015. This action plan sets out three priorities, namely:

- To adopt a policy of openness and consultation towards stakeholders;
- To raise the level of awareness among data controllers (particularly companies) and to help them develop tools that allow them to implement the data protection principles; and
- To increase the level of compliance through a more targeted and efficient enforcement policy.

Focusing on the CNIL’s enforcement strategy, the summary below highlights some of the key points in the CNIL’s Report:

- Complaints: The number of complaints has risen to 6000 in 2012. 46% of complaints concerned the right to object to the data processing. The constant rise of complaints over the past years indicates that citizens are more and more aware of their data protection rights and are taking action more frequently. The telecoms/internet sector appears to have triggered most of the complaints (31%).

- Inspections: The CNIL conducted 458 on-site inspections in 2012, which represents a 19% increase compared to 2011. 285 of the inspections were carried out in the context of the Data Protection Act, while 173 inspections concerned the use of videosurveillance equipment. With regard to the Data Protection Act, 23% of the inspections were triggered by complaints and another 26% were initiated by events picked up in the news. This shows that the CNIL often takes action when a particular event or situation makes the headlines. 40% of the inspections are in line with the priorities set out by the CNIL in its annual inspection plan, which shows some consistency in how the CNIL operates within a particular sector or business activity.

- Sanctions: In 2012, the CNIL served 43 formal notices asking data controllers to comply. In most of the cases, the CNIL did not pronounce any sanction because the data controller had complied. In total, the CNIL pronounced 13 sanctions, eight of which were made public. The publicity of the sanction follows a recent amendment of the Data Protection Act, which authorizes the CNIL to publish the sanction it pronounces. In the majority of cases, the sanction pronounced was a simple warning (56%), while fines were pronounced in only 25% of the cases. The CNIL pronounced only one injunction to cease the processing. The low number of fines can be explained by the fact they do not have a very deterrent effect for companies in France (by law, the maximum fine for a first violation is EUR 150,000). On the contrary, a warning can cause serious reputational damage to the data controller, particularly when it is made public, which may explain why the CNIL has chosen to publish its sanctions in 60% of the cases.

- Videosurveillance: In 2012, the CNIL carried out over 170 inspections of videosurveillance systems. In this context, the CNIL received more than 300 complaints, 75% of which concerned the use of video cameras at the workplace. The CNIL notes a lack of clarity surrounding the current legal framework for videosurveillance measures, the insufficient or inexistent information of individuals, the inappropriate use of cameras, and insufficient security measures. In 2012, the CNIL published six practical guidebooks, explaining how to use video cameras in compliance with the law.

- Data breach notifications: Following the implementation of the revised ePrivacy directive into French law, the CNIL received the first notifications for data breaches in the telecoms sector. While the total number of notifications for 2012 remains fairly low, the CNIL expects to receive more notifications in the coming year.

It is also worth noting that the CNIL’s budget and manpower increased in 2012. As the years pass by, the CNIL continues to grow and to become better resourced. It is also more experienced and better organized. Thus, data controllers should pay close attention to the actions of the CNIL as it becomes one of the most powerful authorities in France and within the European Union.

The CNIL’s 2012 Annual Activity Report is available (in French) at www.cnil.fr.

Position of Spain on the General Data Protection Regulation: flexibility, common sense and self-regulation

Posted on March 7th, 2013 by Nuria Pastor

As expectation and concerns rise whilst we wait for the final position of the LIBE committee and the European Parliament on the General Data Protection Regulation (the “Regulation”), the report issued by the Spanish Ministry of Justice on the Regulation (the “Report”) and the recent statements of the Spanish Minister of Justice are music to our ears.

A few weeks ago the Spanish Minister of Justice expressed concern that SMEs could be ‘suffocated’ by the new data protection framework. This concern seems to have inspired some of the amendments suggested in the Report which are designed to make the Regulation more flexible. These include substantive changes to reduce the administrative burdens for organisations with a DPO or for those that have adhered to a certification scheme, and the calculation of fines on profits rather than turnover.

Spain favours a Regulation that relies on self-regulation and accountability, clearly steering away from a restrictive ‘one size fits all’ approach which establishes an onerous (and expensive to comply with) framework. The underlying objective of these proposals seems to be the protection of the SMEs at the core of the Spanish economy. A summary of the Spanish position is provided below:

- Regulation v Directive: there is agreement that a Regulation is the best instrument to standardise data protection within the EU. This is despite the fact that this will cause complications under Spanish Constitutional law.

- Data protection principles: the Report favours the language of the Data Protection Directive (which uses the expression “adequate, relevant and not excessive”) as it allows more flexibility than the language of the Regulation which refers to personal data being “limited to the minimum necessary”. In updating personal data, the Report suggests that this should only be required “whenever necessary” and depending upon its expected use as opposed to the general obligation currently set out by the Regulation.

- Information: the requirement to inform individuals about the period during which personal data will be kept is considered excessive and very difficult to comply with. The Report suggests that this should only be required “whenever it is possible”.

- Consent: the requirement of express consent is seen as too onerous in practice and “properly informed consent” is favoured, the focus being on whether individuals understand the meaning of their actions. The adoption of sector by sector solutions in this context is not ruled out.

- Right to be forgotten: this right is considered paramount but the point is made that a balance has to be found between “theoretical technological possibilities” and “real limitations”. Making an organisation solely responsible for the erasure of personal data which has been disseminated to third parties is regarded as excessive.

- Security incidents: various amendments to the articles that regulate breach notifications are suggested to introduce less stringent requirements to the proposed regime. The suggested amendments remove the duty to notify the controller within 24 hours and also limit the obligation to notify for serious breaches only. Notifications to data subjects are also limited to those that would not have a negative impact on the investigations.

- DPOs: it is proposed that the appointment of DPOs should not be compulsory but should be encouraged by incentives such as the suppression of certain administrative burdens (as referred to below). Organisations without the resources to appoint a DPO may also be encouraged to adopt a “flexible and rigorous” certification policy or scheme. Such certifications would be by sector, revocable and renewable.

- Documentation, impact assessments and prior authorisation: the suggested amendments propose a solution whereby organisations which hold a valid certificate or which have appointed a DPO, would not have to maintain documentation, carry out PIAs or request authorisation to data protection authorities as provided for by Articles 28.2, 33 and 34 of the Regulation respectively.

- International transfers: Spain favours the current system but suggests that this could be made more flexible by only requiring the authorisation of the data protection authority for contractual clauses (which have not been adopted by the Commission or an authority) when the organisation does not have a DPO or a certificate.

- One-stop-shop: this concept is endorsed in general but the Report proposes that where a corporation is established in more than one Member State, the DPA established in the country of residence of an individual complainant should have jurisdiction to deal with the matter. The consistency mechanism would be used to ensure a coherent decision where there were several similar complaints in different countries.

- Sanctions and alternatives: Spain considers that the current system could be improved by providing less stringent alternatives to the imposition of fines. Furthermore, it is proposed that the way in which sanctions are calculated is reviewed on the basis that annual turnover does not equal benefits obtained. This is to avoid the imposition of disproportionate sanctions.

- Technological neutrality: technological neutrality is supported although the Report expresses concerns that such neutrality does not provide for adequate solutions for particular challenges, such as those presented by cloud computing or the transfer of personal data over the Internet.

- Cloud computing: the Report suggests that the Regulation should take this “new reality” into account and proposes the adoption of some measures, for example, those aimed at (1) finding a balance between the roles of controllers and processors in order to avoid cloud service providers becoming solely responsible for the processing of personal data; and (2) simplifying the rules on international transfers of personal data, for example by extending binding corporate rules to the network of sub-processors.

ICO’s enforcement action: what do the cases tell us?

Posted on March 1st, 2013 by Antonis Patrikios

We recently completed our comprehensive analysis of the UK Information Commissioner’s Office (ICO) enforcement actions in 2012. You may find this analysis, along with statistics, pie charts and summaries of the key facts of each case, in our ICO Enforcement Action Tracker 2012.

The analysis highlights some very interesting facts and trends, and provides valuable insights into ICO’s enforcement strategy and how it translates into action. Here are a few examples:

- 2012 was the most prolific year yet for ICO enforcement action: ICO imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings.
- Whilst the public sector has been the main focus of enforcement action, the focus is now shifting to the private sector (which has been confirmed by the enforcement activity in early 2013).
- Data security breaches remain the most regulated type of failure (no surprises here). For instance, out of the 25 fines, 22 were for security breaches, 1 was for breach of the data accuracy rule of the Data Protection Act 1998, and 2 were for breach of the direct marketing rules of the Privacy and Electronic Communications Regulations 2003.
- Data controllers who voluntarily self-report an incident to ICO are not given immunity from enforcement; for instance, 21 of the 25 fines were for self-reported breaches.

It is obvious from the cases that ICO does not hesitate to take serious enforcement action and is becoming a real force to be reckoned with and a driver for change. Looking at the year ahead, we can expect ICO’s enforcement activity to continue at this pace or even intensify, focusing on the areas that ICO has prioritised as posing a higher data protection risk, namely health; internet and mobile; financial services; security; and criminal justice. Although the public sector will remain firmly on ICO’s radar, we expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action, but also, we believe, a greater appetite to challenge enforcement actions.

In Session 1 of our Privacy and Security Breakfast Briefings for 2013 (scheduled for April 2013) we will present and expand on the findings of our analysis as set out in the Tracker. We will dissect ICO’s strategy and enforcement action in order to identify the highest risk areas, understand the trajectory of enforcement action and what our organisations should be doing to manage the risk of failure and enforcement action.

To receive a copy of our ICO Enforcement Action Tracker 2012 or to secure an invitation to Session 1 of our Privacy and Security Breakfast Briefings for 2013 please email antonis.patrikios@ffw.com.

European Parliament’s take on the Regulation: Stricter, thicker and tougher

Posted on January 9th, 2013 by Eduardo Ustaran

If anyone thought that the European Commission’s draft Data Protection Regulation was prescriptive and ambitious, then prepare yourselves for the European Parliament’s approach. The much awaited draft report by the LIBE Committee with its revised proposal (as prepared by its rapporteur Jan-Philipp Albrecht) has now been made available and what was already a very complex piece of draft legislation has become by far the strictest, most wide ranging and potentially most difficult to navigate data protection law ever to be proposed.

This is by no means the end of the legislative process, but here are some of the highlights of the European Parliament’s proposal currently on the table:

*     The territorial scope of application to non EU-based controllers has been expanded, in order to catch those collecting data of EU residents with the aim of (a) offering goods or services (even if they are free) or (b) monitoring those individuals (not just their behaviour).

*     The concept of ‘personal data’ has also been expanded to cover information relating to someone who can be singled out (not just identified).

*     The Parliament has chosen to give an even bigger role to ‘consent’ (which must still be explicit), since this is regarded as the best way for individuals to control the uses made of their data. In turn, relying on the so-called ‘legitimate interests’ ground to process personal data has become much more onerous, as controllers must then inform individuals about such specific processing and the reasons why those legitimate interests override the interests or fundamental rights and freedoms of the individual.

*     Individuals’ rights have been massively strengthened across the board. For example, the right of access has been expanded by adding to it a ‘right to data portability’ and the controversial ‘right to be forgotten’ potentially goes even further than originally drafted, whilst profiling activities are severely restricted.

*     All of the so-called ‘accountability’ measures imposed on data controllers are either maintained or reinforced. For example, the obligation to appoint a data protection officer will kick in when personal data relating to 500 or more individuals is processed per year, and new principles such as data protection by design and by default are now set to apply to data processors as well.

*     The ‘one stop shop’ concept that made a single authority competent in respect of a controller operating across Member States has been considerably diluted, as the lead authority is now restricted to just acting as a single contact point.

*     Many of the areas that had been left for the Commission to deal with via ‘delegated acts’ are now either specifically covered by the Regulation itself (hence becoming more detailed and prescriptive) or left for the proposed European Data Protection Board to specify, therefore indirectly giving a legislative power to the national data protection authorities.

*     An area of surprising dogmatism is international data transfers, where the Parliament has added further conditions to the criteria for adequacy findings, placed a time limit of 2 years to previously granted adequacy decisions or authorisations for specific transfers (it’s not clear what happens afterwards – is Safe Harbor at risk?), reinforced slightly the criteria for BCR authorisations, and limited transfers to non-EU public authorities and courts.

*     Finally, with regard to monetary fines, whilst the Parliament gives data protection authorities more discretion to impose sanctions, more instances of possible breaches have been added to the most severe categories of fines.

All in all, the LIBE Committee’s draft proposal represents a significant toughening of the Commission’s draft (which was already significantly tougher than the existing data protection directive). Once it is agreed by the Parliament, heated negotiations with the Council of the EU and other stakeholders (including the Commission itself) will then follow and we have just over a year to get the balance right. Much work no doubt awaits.

Cookie consent enforcement – ICO’s latest

Posted on December 19th, 2012 by Eduardo Ustaran

The UK Information Commissioner’s Office has quietly published today a report detailing the concerns reported to them, the current picture and the action they are taking as of December 2012 in relation to the cookie consent requirement.

The highlights of the report are as follows:

*   Consumers are unhappy with implied consent mechanisms, especially where cookies are placed immediately on entry to the site.

*   Consumers often complain about the fact that they have not been given enough information generally, and specifically not enough information about how to decline cookies or manage them later.

*   The ICO is continuing to write to websites they receive concerns about – This means that nobody is off the hook.

*   The ICO has also looked at the types of cookie in use – This means that the regulator has the means to investigate and find out about cookie practices on a per site basis. If a site operator does not have this information, how is that going to look?

*   The provider must ensure that users can see clear and relevant information explaining what is likely to happen while they are accessing the site, and their choices as regards controlling what happens.

*   Failure to comply will result in formal action to ensure compliance, and the ICO may decide to name the site in order to make consumers aware of its use of cookies – In other words, the ICO is not going to sit still.  The prospect of facing enforcement action is there.

*   If an organisation refuses to take steps to comply, or has been involved in a particularly privacy-intrusive use of cookies without telling individuals or obtaining consent, the ICO will consider using formal regulatory powers in line with our criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties – This is the clearest threat of enforcement action to date!

Privacy in the global village

Posted on September 4th, 2012 by Eduardo Ustaran

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best to protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.

Have your say on the draft Data Protection Regulation

Posted on February 8th, 2012 by Hannah Jackson

Is a fine of up to 2% of annual worldwide turnover too big? Is it possible to report data breaches within 24 hours?

The Ministry of Justice has opened a call for evidence on the European Commission’s draft General Data Protection Regulation. The information obtained from the four-week long evidence gathering exercise will be used to help inform the Government’s negotiating position on the Regulation.

The call for evidence itself is wide-ranging and comments are requested on:

- the potential consequences of the Regulation on the processing of personal data;

- the likely benefits to individuals and the effect on their data protection rights;

- the extent to which the proposal builds “trust in the online environment”; and

- the impact of the proposal on economic growth.

Stressing the need for responses to include “quantifiable costs and benefits” and “real life examples”, the Ministry of Justice appears receptive and keen to hear views on the proposed Regulation.

To make the most of this opportunity, we suggest that you review the draft Regulation in the context of your industry and think about how the rights and obligations it creates will apply to your business. For example, how will an individual’s ‘right to be forgotten’ sit with the way that your sector uses personal data? Will the changes regarding the use of data processors affect the way that you operate? We can of course help you decode the Regulation and consider how it may apply – we also recognise from our own experience working on the Regulation that the challenge for business will be in framing a response which clearly sets out its impact.

Although time is short (there is a four-week window in which to delve through the Regulation and draft an effective response to the call for evidence), the willingness on the part of the Ministry of Justice to engage with stakeholders suggests that it will be worth it. Given the scale of the proposed changes, and on the premise that ‘if you don’t ask, you don’t get’, the call for evidence offers interested parties a valuable opportunity to engage with, and help shape, the future of data protection both in Europe and, if the current draft Regulation is anything to go by, worldwide!

The call for evidence closes on either 4 March 2012 (according to the Call for Evidence paper itself) or 6 March 2012 (the date provided on the Justice website). Further information, including the call for evidence questionnaire can be found at http://www.justice.gov.uk/consultations/data-protection-proposals-cfe.htm.

An ambitious new framework for a data reliant world

Posted on January 25th, 2012 by Eduardo Ustaran

The most radical global attempt ever to regulate the exploitation of personal information is now in the public domain.  Following several weeks of increasing expectation about the content of the proposals, the European Commission published this morning two legislative documents: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Looking at the Regulation, the immediate reaction is that after many years of a principles-based approach, the new law will go much further than that and establish a new system of powerful rights and very prescriptive and uniform obligations across the EU.

The draft Regulation sets out very clearly its extra-territorial reach, which as Viviane Reding put it, will apply to companies that are active in the EU market and offer their services to EU citizens – although it is really ‘EU residents’.  What is also obvious is that the new law is targeted at companies operating on the internet and aims to shake up the way they tackle privacy issues.

The bulk of the proposed Regulation brings with it a whole new set of practical obligations for organisations – from data protection by default and the appointment of representatives by non-EU companies to the production of compliance policies and privacy impact assessments, and the compulsory designation of data protection officers.  Plus of course, nearly immediate data breach notification.  These obligations are a trade off for the overall reduction in regulator-facing administrative requirements, but also the basis for a new way of demanding practical compliance in the black letter of the law.

The prospect of substantial monetary fines based on the annual worldwide turnover of a company (up to 2%) may help to get the attention of some decision makers, but the real test for the proposed framework will be its viability in an ever-changing data reliant world.

This is by no means the end of the road.  My expectation is that 2012 will be a crucial year to influence the outcome of the new law and policy makers will be looking for input from all key stakeholders.

Deconstructing the privacy macaron

Posted on December 7th, 2011 by Eduardo Ustaran

Compact.  Self-contained.  Multi-layered.  Hard to penetrate and rich inside with a mix of flavours and tones.  Judging by the commentary surrounding the forthcoming EU data protection framework circulating in the corridors of the IAPP European Data Protection Congress that took place in Paris at the end of November, we could have been describing a typical Parisian macaron instead of a new law.  But if the indications of what we are about to see in the regulation being proposed by the European Commission are true, complying with the future European privacy regime is going to require fine confectionery skills.

So what are the likely ingredients of this extremely elaborate piece of legislation and how will they blend together?

*   A Regulation – It is widely accepted that a regulation, rather than another directive, will be the best recipe for a harmonised regime that delivers a consistent level of protection across the EU.

*   Two-fold objective – Like the original directive, the new regulation will most certainly have a dual aim: protecting personal data and facilitating the intra-EU movement of that data.

*   Applicability based on establishment and targeting of European residents – The novelty being that the use of equipment in the EU will be replaced by data processing directed at those individuals who live in the EU.

*   Privacy principles – Transparency, finality, proportionality and data quality – they are all likely to be there but for added flavour, expect some new ones like data minimisation and accountability.

*   Consent – Individual’s consent will remain a cornerstone of European data protection law but the standard for valid consent will be higher than ever before, with a greater emphasis on the individual’s freedom of choice.

*   Big rights – Some rather radical changes are likely to come in the shape of new or strengthened individuals’ rights.  Top of the list will be the much publicised right to be forgotten followed closely by data portability rights.  No doubt the Commission will want to give people as much control as possible over their data, particularly in relation to profiling activities.

*   Controller’s responsibilities – As a flipside of the increased rights of individuals, controllers are bound to face very specific responsibilities ranging from the adoption of policies and principles such as privacy by design and privacy by default to the training of staff and the appointment of data protection officers.

*   Data breach notification – As is already the case for providers of communications services, an obligation to notify security breaches to data protection authorities (and in some cases to the individuals affected) will now apply to all controllers.

*   International data transfers – Greater flexibility is expected on this issue alongside an express recognition for binding corporate rules, which will be available to both controllers and processors.  An area of concern however is the potential conflict between data requests by non-EU authorities and the limitations on data disclosures, which will probably require the involvement of data protection authorities in determining how to resolve such conflict.

*   Role of data protection authorities – The main novelty on this front is bound to be in relation to their geographical competence.  In all likelihood, the data protection authority of the Member State where the main establishment of a data processing organisation is based will be responsible for supervising that organisation across the whole of the EU.  We can also assume that greater international coordination mechanisms will be in place.

*   Enforcement powers – The promise by the Commission of stronger enforcement powers for the data protection authorities is bound to bring harmonised and succulent monetary fines, which can only be more substantial than what most Member States have at the moment.

All in all, it is beyond doubt that the Commission has been working very hard to craft a framework that fits the regulatory requirements of today’s and tomorrow’s data protection.  Whether the result will suit everyone’s taste is a different matter.

This article was first published in Data Protection Law & Policy in November 2011.

Perfect enforcement

avatar Posted on October 28th, 2011 by Eduardo Ustaran

One of the key topics at the forthcoming international conference of privacy and data protection commissioners in Mexico City will be the role of enforcement.  Given that the conference is organised by the Mexican supervisory authority for data privacy, this is obviously not surprising.  However, one of the reasons why this topic features prominently on the agenda right now is that never before have privacy regulators focused so intensely on devising the ideal strategy to achieve their objective.  Let’s not forget, enforcement is not an end in itself, but a means to an end – ensuring compliance with the regulatory framework.  But it is a hard fact that effective regulation depends entirely on the supervision and enforcement mechanisms in place.

Traditionally, a combination of carrot and stick has been seen as the right mix in the area of data privacy regulation.  The idea behind this approach is that regulators should split their efforts between assisting those who wish to comply with the law and punishing those who don’t.  That makes good sense in an area like privacy and data protection, where the combination of technology, human rights and law creates a complex and demanding framework.  In the past, thanks to this dual approach, regulators have been able to make up for the general lack of judicial input in a fairly prolific way whilst trying to get citizens to understand the importance of the issues involved.  Not an easy task by any measure.

However, increasingly some privacy regulators have abandoned the carrot side of things to focus on sharpening their stick.  The rationale behind this change is that non-compliance with privacy laws is so endemic that firm corrective intervention has become the top priority.  This hard line approach has its merits but it also has one major flaw.  It encourages a defensive attitude amongst those who are targeted – particularly if the legal arguments are not rigorously construed and solidly tested.  That may well be a battle that regulators are gearing up to fight, but playing tough is a great responsibility and even more so with taxpayers’ money.

In any event, even the most carefully devised and best researched enforcement strategy faces a great challenge: the resources available to data protection authorities are far from unlimited.  In fact, even the mightiest authority will tell you that it can barely cope with the volume of complaints, requests for advice and the many other tasks within its remit.  So here is an alternative: turn every citizen into a regulator.  Imagine if data subjects were able to take the law into their own hands and start suing perpetrators of data privacy and security breaches.  That is something that European law already contemplates but that has hardly ever happened.  Time for a legislative tweak perhaps?

Strengthening enforcement is of course one of the priorities of the legislative reform currently taking place in Europe.  Once again, let’s hope for some creative thinking there but something that may contribute to make enforcement fairer and more consistent is the concept of the lead authority.  Here’s a simple way of managing limited resources: avoid duplication and appoint one single authority as the primary regulator for pan-European organisations.  That would be an easy win and possibly, the single most important step towards achieving effective data privacy enforcement on an international basis.  In other words, an inconsistent enforcement regime is a weak regime and a lead authority approach would prevent that.

Effective enforcement is a sign of a mature and well-functioning regulatory environment.  Without enforcement any system of rules, rights and obligations collapses, creating an unfair imbalance between those who comply and those who don’t.  Therefore, it is in everyone’s interest that the enforcement mechanisms in place work in a fair and robust manner, combining positive encouragement with firm action based on solid and accurate legal arguments.  In the same way that perfect, continuous compliance with all data protection rules is hardly achievable, perfect enforcement is only a goal, but one that is worth aiming for.

This article was first published in Data Protection Law & Policy in October 2011.