The challenge of enforcement in the proposal for a General Data Protection Regulation

Ricard Martínez, President of the Spanish Privacy Professional Association (APEP)

The coming into effect of the Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data will be a Copernican revolution for many data protection authorities. In many cases the actions of DPAs are focused on developing strategies for awareness and promotion of the fundamental right to data protection, the promotion of compliance through incentives to sectors and/or the publication of Guidelines. Although it is true that in many Member States, such as France or Great Britain, the powers of enforcement have been growing significantly, it is probably in Spain where such powers have reached their maximum in the whole of the European Union.

From this point of view, a reading of the future Regulation from the Spanish experience might prove rewarding. The best-known feature of Spanish Data Protection Law (Organic Law 15/1999, 13 December) is the provision of fines of up to €600.000. This sanction regime is accompanied by powers of inspection and investigation, since the DPA officials are considered a public authority in the execution of their powers.

The Spanish reality thus offers a measure of what can lead to a high level of enforcement. The figures offered by the Annual reports of the Spanish Agency of Data Protection can illustrate what the practical results of the deployment of their powers are. Since the power of “enforcing fines” affects the private sector, we will examine some comparative figures provided by the Annual report 2014 in this area.

First, a significant and repeated phenomenon is the persistence of very specific sectors in the top places among the entities sanctioned, both by number of procedures and the monetary value of the fines imposed.

The total amount of penalties imposed in the last decade has fluctuated between 15 and 20 million euros, with various oscillations.

A very basic reading of this brief overview highlights some interesting phenomena. The first is that the fine does not necessarily act as a crucial deterrent: the Top-Five sectors are always the same. This is probably explained by the volume of processing operations and, therefore, by the statistical risk of making a mistake, or by the ability to absorb the volume of infringements in the annual budget.

Whatever the cause of this constant, what we also learned in Spain is how a rigid disciplinary system for setting the amounts of the fines, one which does not take into account the economic situation of the offender or the profit made, generates asymmetries. Therefore, to limit the perverse effect on small and medium-sized enterprises, the legislator had to refine the criteria for modulation of sanctions and provide a symbolic punishment of “warning” in the case of the first violation.

But just as significant as the result of the DPA's action has been the volume of complaints and procedures handled.

In practice it can be seen that the volume of complaints procedures, which may lead to a fine, rises constantly from year to year, increasing from 7.648 procedures in 2011 to 10.704 procedures in 2014. However, the statements of infringement remain constant at a magnitude that never exceeds 900.

Article 52 of the future Regulation attributes a wide range of competencies to the DPAs. The first among them concerns enforcement (“monitor and enforce the application of this Regulation”). This is joined by dealing with complaints and the development of investigations and audits. The exercise of these powers must take place within a complex framework in which the determination of the responsible DPA (lead authority), co-operation between DPAs and the fixing of common criteria through the mechanisms of cooperation and consistency will be essential not only for the fundamental right to data protection, but also for the whole of the single market and the European digital economy.

This power of enforcement will be deployed with a sanctioning structure which includes fines of up to €20.000.000 or, in the case of an enterprise, up to 4% of its annual worldwide turnover. There is no doubt that these are clearly dissuasive amounts and that they ensure that all sectors must align with the objectives of compliance.

But the lessons learned in Spain show that even this is not enough. In our experience every story about the imposition of a fine, or the simple knowledge of the annual volume of sanctions, attracts new complaints immediately. This constant increase saturates the work of the DPA and blocks its capabilities in practice. In this context, the temptation to raise the threshold of requirements for processing a complaint can produce counterproductive results. One of them would be the systematic rejection of complaints, eliminating those of citizens whose skills and knowledge are limited and who therefore present a poorly elaborated claim. Similarly, the high processing volume can certainly contribute to errors that generate a lack of protection and, incredible as it may seem, to the temptation to discard those cases that would have a pull effect.

For this reason, and always with the respect due to all the DPAs of the Member States, it is necessary to provide a space for further reflection. Positively, enforcement will be the best tool for the promotion of the fundamental right to data protection. In this regard the Regulation provides multiple possibilities of action.

Although the Regulation has blurred the figure of the Data Protection Officer, the promotion of this figure will certainly contribute to its deployment and avoid painful decisions. On the other hand, the implementation of Guidelines, the development of codes of conduct, the generalization and promotion of privacy by design and privacy impact assessment tools will be key strategies. The real success of the enforcement shall reside in the development of proactive and agreed strategies with the sectors and adding value to a “European privacy mark”. The EU must promote Privacy in the European digital economy as a competitive advantage that may raise the confidence of the citizens. It is a challenge that is possible and affordable for the DPAs, and privacy professionals will contribute decisively to this goal.

In my view, this state of affairs should force the consideration of the deployment of very specific actions both in the field of EU law and the Member States, and also the consideration of strategies of cooperation between authorities.

Firstly, Member States should deploy their regulatory powers to design the figure of the DPO. The aim is not to impose a duty of having the DPO as a compulsory full-time post. I propose a DPO of variable geometry who, at least in the case of SMEs, develops his task in the deployment of treatments and in his review of the compliance audits. The presence of professionals would certainly help prevent breaches.

Secondly, the Spanish experience shows to what extent the application and modulation of sanctions can be a sensitive issue and one that requires a high degree of legal certainty. This is due to variability both in the interpretation of the occurrence of any wrongdoing, even of the concurrence of various types in the same incident, and in the modulation of the administrative fine that is imposed. In a European context this can lead to two types of risk. One is legal uncertainty for decision-makers when it comes to modulating their compliance behaviour. The other is the possibility that a kind of “dumping penalties” arises, a situation in which institutions choose the territory of the more benevolent authority.

On the other hand, the discretionary application of sanctions to the Administration can have dangerous consequences because it may constitute discrimination from a comparative point of view. Besides, it also means losing the effect of induced compliance due to public-private interactions in cases of outsourcing and administrative concession.

To redress these issues, it seems essential to consider the action of the DPAs at the local level. In this sense, the corrective and advisory powers should be exercised with a remedial rather than a sanctioning function. That is, their essential aim, at least in the first years of the new General Data Protection Regulation, should be to promote learning by offenders, with a view to improving compliance and rewarding proactive behaviour by applying the lowest possible scale of sanctions.

In addition, both the Commission and the European Data Protection Board should promote the use of the mechanisms for cooperation, consistency and mutual support in order to harmonize the application of the law on penalties throughout the territory of the European Union. In particular, the experience acquired in this matter could serve to promote two actions in the short and the medium term. First, to develop comparative analyses that can serve to promote the homogeneity of the sanctioning regime. Second and finally, to consider the chapter on enforcement as a part of the Regulation that should be reviewed not less than five years after its entry into force, incorporating lessons learned.