Over the past few posts I’ve been writing about how Irish organisations who process personal data need to prepare themselves for the introduction of penalties to further strengthen the powers of the Data Protection Commissioner as the “Data Protection” watchdog.
Back in June, the EU’s Justice Commissioner, Viviane Reding, gave the UK Government two months to take steps to strengthen their laws or face action at the European Court of Justice (the avenue for enforcement of Directives by the Commission). At the time she was quoted as saying:
“Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement.”
So, the UK needs to increase the powers the ICO (their Data Protection Commissioner) has. The ICO has been lobbying for increased powers for quite some time. What are they specifically looking for? Well, two key points where there are gaps in the UK legislation versus the Directive seem to be:
- The power for the Commissioner to conduct investigations or audits on their own account
- The power for the Commissioner to enforce penalties on companies in breach of the Data Protection Regulations.
Good news, Ireland. Our legislation gives the Data Protection Commissioner the power to do the first one (Section 10 and Section 24).
We tick the box on the second point by reason of Section 31 of the Data Protection Acts 1988 and 2003, but it may be that we must do more to meet the intent of the Commission under the Directive. There are limited fines that can be levied for a breach of the Data Protection Acts (short of a full prosecution). Higher penalties exist relating to e-privacy and spam (and have been successfully used in a number of high-profile cases and even more no-profile/low-profile cases).
It may be that, to ensure higher levels of compliance, a more ‘surgical’ approach to penalties is required, with different offences incurring differing penalties (e.g. failure to display a Fair Processing Notice where you have CCTV may incur a different penalty to knowingly shipping personal data off to Turkmenistan without consent or lawful reason). Such an approach would also help tailor the enforcement of the legislation to the reality of today’s Web 2.0 world, where it is not just large organisations who process personal data any more but SMEs, schools, etc. Just as the Road Traffic Acts bring differing penalties and fines for differing offences, why not the Data Protection Acts? Just as the Road Traffic Acts allow for on-the-spot fines, why not the Data Protection Acts?
The message from the Commission is clear and unambiguous. National Governments must increase the powers of their watchdogs and give them teeth with which to enforce the Directive, or face prosecution by the Commission. This adds yet another driver to the inevitability that penalties under the Irish Data Protection Acts will be increased sooner rather than later:
- The State needs additional sources of revenue (however small). Adding an enforcement layer with penalties to existing legislation will provide that.
- The enforcement layer will probably be standardised as part of the revised Directive currently in the pipeline.
- The European Commission has shown itself more than willing to at least wave the stick of legal action against EU Member States who are failing to provide adequate protections under their interpretations of the Directive (the national legislation) and have installed toothless watchdogs on short chains. The Commission wants teeth put in and the watchdogs free to roam.
- Pragmatically, the Irish Government is not in a position to negotiate heavily with the Commission on matters of policy at this time; they need all the favours they can get, given the need for EU support for our bank bail-out and other economic issues. Beefing up the Data Protection Commissioner’s powers would be a comparatively small “give” in a larger negotiation. The UK is presenting their discussions with the Commission as a negotiation, but this is likely more a ‘face-saving’ exercise than a real negotiation.
So, four good reasons, all of them driven less by respect for fundamental human rights and more by raw Realpolitik. The Government needs the money. The Commission wants national watchdogs more empowered, the Government hasn’t got credit to draw on in a negotiation, and it is likely to happen anyway via a revised Directive. Ireland has an opportunity here to get ahead of the crowd and implement a graduated penalties scheme tied to the different types of breach, rather than a “one size fits all” model. This would be a nice win for the Government, would increase protections for Data Subjects, and could increase the potential revenue side-effect for the State from Data Protection enforcement.
Irish Data Controllers and Data Processors should take prudent steps now to get ahead of the inevitable introduction of increased penalties and powers in Ireland before long.
(For more information on the UK situation, this article from The Register gives some background and further links.)