EU data protection reforms will not lead to flood of major fines, says UK watchdog

Out-Law News | 21 May 2015 | 9:54 am

A stiffening of the financial penalties data protection authorities (DPAs) can impose on companies for breaking data protection laws will not lead to a flood of penalties being levied on businesses after new EU data protection laws are introduced, the UK's main privacy watchdog has said.

Information commissioner Christopher Graham said "it would be a mistake" to think that data protection authorities would use the new powers to issue "huge fines left right and centre". Graham made the comments in a speech at the European conference of data protection authorities being hosted by the Information Commissioner's Office (ICO) in Manchester.

Under the proposed new EU General Data Protection Regulation (GDPR), data protection authorities in the EU look likely to be given new powers to issue fines of up to a percentage of a business's global turnover if that business breaches the rules set out in the Regulation. If proposals backed by MEPs are accepted, fines of up to 5% of a company's annual turnover could be levied. Justice ministers have given provisional support to a lower maximum fine of up to 2% of turnover.

Graham said DPAs should not be forced to issue fines for "every case of non-compliance" and instead be given freedom to select the cases in which to pursue monetary penalties. He said this selective approach has been proven to be a successful deterrent to non-compliance.

"The fact that the ICO can impose fines has had as big an impact on businesses we haven’t actually hit as it has on the businesses who have had to pay," Graham said. "In other words … the power of the deterrent lies in the uncertainty around whether or not it will actually be used."

In a research paper published by the ICO to mark the European conference of data protection authorities (37-page / 352KB PDF), the ICO said that whilst the introduction of the GDPR should lead to better cooperation between DPAs in the EU, it is unlikely that the new framework would be applied completely consistently across the trading bloc.

"Whilst the introduction of a data protection Regulation should assist with consistency of data protection rights across the EU and reduce fragmentation, implementation is not imminent and there is a good chance that a considerable degree of national variation in the way data protection law is implemented will remain," the ICO said in its report.

The watchdog admitted that inconsistent application of data protection rules can lead to increased bureaucracy for multinational companies "as they are likely to need to ensure compliance with a different set of data protection requirements in each country they operate in".

In its paper, the ICO also said that DPAs might, in future, look more closely at whether the terms of privacy notices published by businesses are fair. It said that giving consumers "a blanket either/or choice" on whether to consent to the processing of personal data to gain access to products or services minimises consumers' control over the use of their personal data. A survey it commissioned found that consumers value having control over their personal data.

New mechanisms for obtaining consumers' consent to personal data processing could address the issue of transparency and control, the ICO said.

"There are a number of ways in which DPAs could encourage greater transparency such as layered privacy notices which for example at the start have a list of the key points in easy to understand language which then goes on to use the legal language should the public wish to read more detail," the ICO said. "Or there could be more technical solutions to explaining to the public what happens to their personal data for example explaining behavioural advertising using a series of diagrams and pictures."

"It may be that encouraging organisations to use privacy notices which provide the public with choices so that it can be more tailored towards an individual’s personal views on their privacy is the way forward. ‘Just in time’ methods can give the public clear choices at significant points in their ‘informational journeys’. There is a case for considering privacy as more of an activity and less a matter of ‘being told something’ in a long terms and conditions-type privacy notice that very few people read," it said.

The ICO also suggested that a Europe-wide 'privacy seal' scheme could be developed to ensure businesses are able to win certification for good privacy practices that is recognised by all EU DPAs, although it questioned whether such a scheme would be "unnecessarily bureaucratic".