Tag Archives: Sanction

The challenge of enforcement in the proposal for a General Data Protection Regulation

Ricard Martínez, President of the Spanish Privacy Professional Association (APEP)

The coming into effect of the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data will be a Copernican revolution for many data protection authorities. In many cases the activity of DPAs is focused on developing awareness strategies and promoting the fundamental right to data protection, on promoting compliance through incentives to sectors, and/or on publishing guidelines. Although it is true that in many Member States, such as France or Great Britain, enforcement powers have been growing significantly, it is probably in Spain where such powers have reached their maximum in the whole of the European Union.

From this point of view, a reading of the future Regulation in the light of the Spanish experience might prove rewarding. The best-known feature of Spanish data protection law (Organic Law 15/1999, of 13 December) is the provision of fines of up to €600,000. This sanction regime is accompanied by powers of inspection and investigation, since DPA officials are considered a public authority in the exercise of their powers.

The Spanish reality thus offers a measure of what a high level of enforcement can lead to. The figures offered by the annual reports of the Spanish Data Protection Agency illustrate the practical results of the deployment of these powers. Since the power to impose fines affects the private sector, we will examine some comparative figures provided by the 2014 annual report in this area.

First, a significant and recurring phenomenon is the persistence of very specific sectors in the top places among the entities sanctioned, both by number of procedures and by the monetary value of the fines imposed.

The total amount of penalties imposed has fluctuated over the last decade between 15 and 20 million euros per year.

Even a very basic reading of this brief overview highlights some interesting phenomena. First of all, the fine does not necessarily act as a crucial deterrent: the top five sectors are always the same. This is probably explained by the volume of processing operations, and therefore by the statistical risk of making a mistake, or by the ability of those sectors to absorb the annual volume of infringements in their budget.

Whatever the cause of this constant, what we also learned in Spain is that a rigid disciplinary system for fixing the amounts of fines, one which does not take into account the economic situation of the offender or the profit made, generates asymmetries. To limit the perverse effect on small and medium-sized enterprises, the legislator had to refine the criteria for modulating sanctions and provide a symbolic penalty of "warning" in the case of a first violation.

As significant as the results of the DPA's action, however, has been the volume of complaints and procedures handled.

In practice, the number of complaint procedures, which may lead to a fine, has risen constantly from year to year, from 7,648 procedures in 2011 to 10,704 procedures in 2014. However, the number of declarations of infringement remains constant at a level that never exceeds 900.

Article 52 of the future Regulation attributes a wide range of competences to the DPAs. The first among them is enforcement ("monitor and enforce the application of this Regulation"). This is joined by dealing with complaints and by conducting investigations and audits. These powers must be exercised within a complex framework in which the determination of the responsible DPA (the lead authority), cooperation between DPAs, and the fixing of common criteria through the cooperation and consistency mechanisms will be essential, not only for the fundamental right to data protection but also for the whole of the single market and the European digital economy.

This power of enforcement will be backed by a sanctioning structure which includes fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of its annual worldwide turnover. There is no doubt that these are clearly dissuasive amounts, and they ensure that all sectors must align themselves with the objectives of compliance.

But the lessons learned in Spain show that even this is not enough. In our experience, every news story about the imposition of a fine, or simple awareness of the annual volume of sanctions, immediately attracts new complaints. This constant increase saturates the work of the DPA and in practice blocks its capabilities. In this context, the temptation to raise the threshold for processing a complaint can produce counterproductive results. One of them would be the systematic rejection of complaints from citizens whose skills and knowledge are limited and who therefore present a poorly elaborated claim. Similarly, the high processing volume can certainly contribute to errors that leave individuals unprotected and, incredible as it may seem, to the temptation to discard those cases that would have a pull effect, attracting further complaints.

For this reason, and always with the respect due to all the DPAs of the Member States, it is necessary to provide a space for further reflection. Applied positively, enforcement will be the best tool for the promotion of the fundamental right to data protection. In this regard the Regulation provides multiple possibilities for action.

Although the Regulation has blurred the figure of the Data Protection Officer, promoting this figure will certainly contribute to the Regulation's deployment and avoid painful decisions. On the other hand, the adoption of guidelines, the development of codes of conduct, and the generalisation and promotion of privacy by design and privacy impact assessment tools will be key strategies. The real success of enforcement will lie in the development of proactive strategies agreed with the sectors, and in adding value to a "European privacy mark". The EU must promote privacy in the European digital economy as a competitive advantage that can raise the confidence of citizens. It is a challenge that is possible and affordable for the DPAs, and privacy professionals will contribute decisively to this goal.

In my view, this state of affairs should force consideration of very specific actions, both in the field of EU law and in the Member States, and also of strategies for cooperation between authorities.

Firstly, Member States should use their regulatory powers to design the figure of the DPO. This does not mean imposing a duty to have the DPO as a compulsory full-time post. I propose a DPO of variable geometry who, at least in the case of SMEs, carries out the task of deploying processing operations and reviewing compliance audits. The presence of professionals would certainly help prevent breaches.

Secondly, the Spanish experience shows to what extent the application and modulation of sanctions can be a sensitive issue, and one that requires a high degree of legal certainty. This is due both to variability in the interpretation of whether an infringement has occurred, and even of whether several types of infringement concur in the same incident, and to variability in the modulation of the administrative fine that is imposed. In a European context this can lead to two types of risk. One is legal uncertainty for decision-makers when it comes to modulating their compliance behaviour. The other is the possibility that a kind of "penalty dumping" arises, a situation in which organisations choose the territory of the more benevolent authority.

On the other hand, the discretionary application of sanctions to public administrations can have dangerous consequences, because it may amount to discrimination from a comparative point of view. Besides, it also means losing the induced-compliance effect of public-private interactions in cases of outsourcing and administrative concessions.

To redress these issues, it seems essential to consider the action of the DPAs at the local level. In this sense, the corrective and advisory powers should be exercised with a restorative rather than a punitive aim. That is, their essential purpose, at least in the first years of the new General Data Protection Regulation, should be to promote learning by offenders aimed at improving compliance, and to reward proactive behaviour by applying the lowest scale of possible sanctions.

In addition, both the Commission and the European Data Protection Board should promote the use of the mechanisms for cooperation, consistency and mutual assistance to harmonise the application of the rules on penalties throughout the territory of the European Union. In particular, the experience acquired in this matter could serve to promote two actions in the short and medium term. First, to develop comparative analyses that can promote the homogeneity of the sanctioning regime. Second and finally, to treat the chapter on enforcement as a part of the Regulation that should be reviewed not less than five years after its entry into force, incorporating the lessons learned.

Information Commissioner’s Office (ICO)

Pharmacy2U Ltd Monetary Penalty Decision Notice

“An online pharmacy that sold details of more than 20,000 customers to marketing companies has been fined £130,000. Pharmacy 2U offered the customer names and addresses for sale through an online marketing list company.

The ICO investigation found that Pharmacy 2U had not informed its customers that it intended to sell their details, and that the customers had not given their consent for their personal data to be sold on. This was in breach of the Data Protection Act.” ICO found that “Pharmacy2U has obtained personal data unfairly because its online registration form and privacy policy did not inform its customers that it intended to sell their details to third party organisations, in addition to sending out its own marketing material. It would not be within a customer’s reasonable expectation that this form of disclosure would occur, even if they were willing to agree to the receipt of marketing material from Pharmacy2U itself. If a customer wished to take up Pharmacy2U’s offer to opt out of “Selected company data sharing”, they also had to go to the trouble of logging into their account and changing the setting.”

The ICO also found that the contravention of the Data Protection Act 1998 was serious, and of a nature likely to cause substantial damage or substantial distress. This was based upon the type of data sold (including data on existing and potentially embarrassing health conditions) and on the fact that individuals using the Pharmacy2U website would have had an expectation of confidentiality. However, the ICO did not consider that Pharmacy2U had deliberately contravened the DPA, but that it had been negligent.

Information Commissioner’s Office (ICO)

Cold Call Elimination Monetary Penalty Notice

Cold Call Elimination Ltd has been fined £75,000 for making unsolicited marketing calls to sell cold-call blocking devices. The penalty was issued because of a serious contravention by the Company of regulation 21 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The Chichester-based company's business involves telephoning individual subscribers to market a call-blocking device and service to stop unsolicited calls, the same type of calls the company itself was making. In November 2013 the Company was identified by the ICO as being the subject of a large number of complaints about unsolicited marketing calls.

Several complainants to the ICO described attempts to sign them up to a cold-call blocking service (for a fee) that replicated the features of the Telephone Preference Service (TPS). The TPS is a limited company set up by OFCOM to maintain a register of subscribers who have notified it that they do not wish to receive unsolicited calls for direct marketing purposes on those phone lines. Between 14 June 2013 and 31 March 2015, the TPS received 336 complaints about the Company. The TPS referred all of those complaints to the Company and also notified the ICO.

The Commissioner found that the Company had contravened regulation 21 of the PECR by making 382 unsolicited calls for direct marketing purposes to subscribers who had registered a preference not to receive them. "Regulation 21 applies to the making of unsolicited calls for direct marketing purposes. It means that if a company wants to make calls promoting a product or service to an individual who has a telephone number which is registered with the Telephone Preference Service Ltd (“TPS”), then that individual must have given their consent to that company to receive such calls.”

This was seen as a serious contravention because it had occurred over a long period of time and resulted in a large number of complaints, because false and misleading statements were made as to the identity of the business and the nature of the product or service being sold, and because the calls had led to, or were likely to lead to, substantial distress for recipients.

The Commissioner determined that the contraventions were not deliberate but negligent, and that a monetary penalty could be issued, taking into account mitigating features (cooperation with the investigation) and aggravating features (the Company gained a commercial advantage, made false and misleading statements in the calls, and misled elderly and vulnerable recipients). The monetary penalty was £75,000.

Commission Nationale de l’Informatique et des Libertés (CNIL)

Right to delisting: Google informal appeal rejected

On 21 September 2015, the President of the CNIL rejected Google's informal appeal against a formal notice adopted by the CNIL on 12 June 2015 requiring it to apply delisting on all of the search engine's domain names.

After the judgment of the Court of Justice of the European Union of 13 May 2014 recognising the right to delisting, the CNIL received hundreds of complaints against Google's refusals and requested Google to implement delisting irrespective of the extension used (.fr, .uk, .com, etc.). Google had granted this right only on the European extensions of the search engine, but not on "google.com" or other non-European extensions.

The President of the CNIL put Google on notice to carry out, within fifteen days, the requested delisting across the whole of the processing and on all extensions of the search engine. This formal notice carries no sanction in itself, but if Google did not comply with it, proceedings to impose a sanction would begin. At the end of July, Google filed an informal appeal asking the President to withdraw this public formal notice, invoking the public's right to information and describing the notice as a form of censorship. Following the CNIL's rejection of this informal appeal, Google must comply with the formal notice or the sanction proceedings will begin.