Privacy and Security TidBits

Are Companies at Risk for Astronomical Fines for Future EU Data Protection Violations?

At a recent conference in Frankfurt, organized by the Internet Society, Peter Hustinx, the European Data Protection Supervisor, suggested that violations of EU data protection laws be sanctioned with the same astronomical fines that are levied for violations of competition laws.

Henriette “Jetty” Tielemans, partner at the Brussels office of Covington & Burling LLP, reports as follows:

“The trade press regularly reports on multi-million euro fines for cartels or abuses of dominant positions by companies under the competition rules of the European Union. These figures are far away from the fines that currently can be levied for data protection violations. Observers of the competition law scene will agree that the main reason that companies operating in the EU pay attention to competition law is the astronomic fines that can – and are – levied.

Observers of the privacy scene also agree that one of the reasons that privacy is sometimes still not taken as seriously as it should be by companies is the relative lack of enforcement, and the low fines in case of enforcement. With shrinking legal budgets for compliance and training, companies often devote more resources to areas where fines are steep, such as competition law.

Hustinx’s timing is not a coincidence. The European Union is reviewing the current 1995 Data Protection Directive and a draft proposal is expected this summer. Traditionally, sanctions for violations of data protection laws have been left to the twenty-seven EU Member States (and they vary widely), but perhaps this will change. It remains to be seen how Hustinx’s suggestion will be received by the European Commission’s Data Protection Unit, which is in charge of the revision of the 1995 Directive, subject to control by the European Parliament and the Council of Ministers. But the office of the European Data Protection Supervisor, charged with monitoring compliance by the European institutions with data protection rules within their own ranks and advising the European institutions on data protection issues, is influential and highly respected in the privacy community, and this proposal will therefore not go by unnoticed. If accepted, it would revolutionize the data protection landscape in Europe.”

At present, compliance with the national data protection laws within the EU member states is less than satisfactory.

For example, as we reported recently on this website, 82% of French enterprises do not abide by the French Data Protection Act of 2004 (La Loi Informatique & Libertés).

Peter Hustinx’s suggestion should concern not only global companies with a physical presence in one or more EU member states, but also online businesses, websites and mobile applications that target the EU market, as we explained in this post on applicable law.

For our full overview of Peter Hustinx’s opinion in response to the Commission’s Communication of November 4, 2010 regarding the Review of the Data Protection Legal Framework, see here.