Monday, January 2, 2012

Harsher data protection sanctions are coming

When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?

Since 2012 has now begun, here's a prediction about the future: there are going to be a lot more privacy enforcement actions, brought by a lot of different government authorities, not just DPAs. And the sanctions and damages are going to go through the roof. Indeed, it's not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.

We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros. And yet others, like the Belgian DPA, don't have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.

But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There's also an entire industry of US privacy-based class actions which has sprung up in the last few years.

Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.

In the future, the number of authorities who can bring privacy enforcement actions is likely to keep growing. First, more and more countries are creating data protection authorities; roughly a dozen new ones have been created across Latin America and Asia in the last year. And in Europe, where class actions generally don't exist and don't fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.

I regularly hear people claim that there's not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly up: in the number of laws that can be violated, in the severity of sanctions, in the number of complaints that are brought, and in the breadth of authorities who are involved in enforcing privacy.

The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that's probably scarier than killer snakes.


Sophie said...

Interesting parallel between mythology and privacy... but privacy is not a myth - yet, and strong sanctions (by killer snakes, hydra or minotaur) may be a way to prevent further degradations, as I have personally not encountered the God of data meant to protect us all from villain web creatures :-)

Anonymous said...

The regulation for protecting personal data is more and more strengthened in the world. I believe that the EU is a leading continent in personal data protection. I will keep watching how the EU strengthens the regulation.

Álvaro Del Hoyo said...

Hi, Peter

In Spain, sanctions of this kind were set forth years ago for privacy breaches by telcos regarding traffic, location and ID data.


Bean said...

Hi Peter,

Appreciate your view on the proliferation of legislation and enforcement. Do you have any view on the CIPP certifications and whether enforcement authorities view the IAPP as a valid certification body?

Peter Cranstone said...

Hi Peter,

I think you're spot on. We've been thinking about user-centric privacy for 6 years and have now developed a mobile browser (for Android & iPhone) that for the first time adds "user-centric" privacy.

The user can now control every aspect of what they want to share and with whom on the Internet. We've fully integrated it into the browser - it now shows up as a menu option (Privacy) and from there connects you to a secure database that allows you to select down to a single field what gets sent.

When the data is transmitted it's all encrypted so there's no chance to alter your privacy.

If you'd like to learn more or download the browser just do a search on my name.


Peter Cranstone