Tag: EU Regulation

  • Striking a balance in Data Protection Sanctions

    It was reported yesterday that the Irish Government has issued a “discussion paper” on the proposed administrative sanctions under the new Data Protection Regulation.

    EDRI has criticised the proposals with reference to the “warning/dialogue/enforcement” approach taken by the Irish DPC. Billy Hawkes has, in the past, been at pains to clarify that the Irish DPC uses dialogue to encourage compliance and also seeks to encourage organisations to raise questions and issues with the DPC to avoid breaches. There is a belief that the “brand impact” of even being spoken to by the DPC about an issue can prompt “road to Damascus” conversions in organisations.

    That is all well and good, but my experience working with organisations is that this can result in management playing a game of “mental discounting” (I’ve written about this before in response to the original draft DP Regulation). If there is a perception that the probability of an actual penalty is low, there is little leverage in appealing to intrinsic motivation of a business manager when his extrinsic drivers for behaviour are pushing the decision towards a “suck it and see” approach.

    Having re-read the discussion paper and EDRI’s response to it I can’t help feel that EDRI may be over-stating the “ask” that is being made here a small bit. They cite it as the “destruction of the right to privacy”, citing the Irish DPC’s own experiences with the Garda Pulse system which has been plagued by reports of breaches in Data Protection since its introduction, despite the Gardaí having a statutory Code of Practice for Data Protection. In 2010 the DPC reported that that Code of Practice was not being implemented in the Gardaí.

    However, this says as much to to me about the attitude to Data Protection in some (but not all) parts of the Irish Public Service then it does about the merits of the Data Protection Commissioner’s approach to encouraging compliance or the specifics of anything that might be discussed on foot of this discussion paper. Furthermore it raises questions for me about the capability and resources that the Data Protection Commissioner has to execute their function effectively in Ireland, and even suggests that there may be informal barriers to the effective operation of their function in the public sector which need to be urgently considered (given that the Office of the DPC is supposed to be independent).

    Given the extent of the negative findings in the interim report on the 2012 audit of the PULSE system I personally would hope that there would be some level of penalty for the Garda Siochana for failing to follow their own code of practice. But that is a different issue to what the Discussion paper actually raises.

    What is being discussed (and what would I like them to consider?)

    The Discussion Paper that was circulated invites Ministers at an Informal Council meeting to consider (amongst other things):

    1. If wider provision should be made for warnings or reprimands, making fines optional or at least conditional upon a prior warning or reprimand;
    2. if supervisory authorities should be permitted to take other mitigating factors, such as adherence to an approved code of conduct or a privacy seal or mark, in to account when determining sanctions.

    It flags the fact that the Regulation, as drafted, allows for no discretion in terms of the levying of a penalty. What is proposed here in the discussion is a discussion of whether warnings or the making of fines optional would be the mechanism to go to rather than scaring the bejesus out of people with massive fines. This in itself doesn’t kill the right to Privacy, but it does potentially create the environment where the fundamental Right to Privacy will die, starved of any oxygen of effective enforcement.

    Bluntly – when faced with a toothless framework of warnings and vague threats, businesses and public sector bodies will (and currently do) play a game of mental discounting where the bottom line impact (in terms of making money or achieving a particular goal) outweigh the other needs and requirements of society. So an organisation may choose to obtain information unfairly or process it for an undisclosed secondary purpose because it will hit its target in this quarter and the potential monetary impact won’t emerge for many more months or years, after an iterative cycle of warnings. The big penalty will be seen as something “far away” that can be worried about later. After everyone’s got their bonuses or their promotions etc.

    If strict statutory liability is the model that is being proposed, and the discussion is to look at watering it down to a stern talking to as a matter of formal policy in the Regulation, I must despair of the wingnuts in my government who even thought that would be a good idea to even suggest this. But I do agree that tying the hands of the Regulators to the big ticket monetary penalties might not work in their interests or in the interests of encouraging compliance with the legislation.

    What is needed is a middle ground. A mechanism whereby organisations can make errors of judgement and be warned, but that the warning will have some sanction with it. The sanction needs to be non-negotiable. But it needs to be transparent and obvious that this is what will happen if you ignore DP rules. It needs to be easily enforced and managed. There should be a right of appeal, but appealing the non-negotiable fixed-penalty should carry with it the risk of greater penalties. And the ability of an organisation to benefit from iterative small penalties should be removed if they are a recidivist offender.

    There is a system that operates like this in most EU countries – it is the Penalty Points system for motoring offences. Hopefully the discussion will move to looking at how a similar system might be implemented for Data Protection offences. The penalties could be tiered (e.g. no cookies notification – €150 fine and 2 points on first offence, €500 and 4 points on second, failure to document processing €500 fine on first offence and 6 points). The points could be cumulative, with the “optionality” of higher sanctions being removed if you were, for example, an organisation with 100 points against you (congratulations, you’ve failed to up your game and now you are being prosecuted for the full tariff). Organisations bidding for public sector contracts could be required to have a “Data Protection Points” score below a certain level.

    This system could be devised in a way that would take account of mitigating factors. If a code of practice was entered in to, and was successfully audited against by an appropriate body, then points could be removed from the “scorecard” at the end of a 12 month period. If there were mitigating factors, a lower level category of offence might actually apply (I’ll admit I’m not sure how that might work in practice and need to think it through myself a little). Perhaps self-notification to the DPC, engagement in codes of practice, mitigating factors or actions etc. would carry a “bonus points” element which could be used to off-set the points total being carried by a Data Controller (e.g. “adopted code of practice and passed audit: minus 3 points, introduced training and has demonstrated improved staff knowledge: minus 3 points).

    Certain categories of breach might be exempt from mitigation, and certain categories of offence, just like with motoring offences, might be a permanent black mark on the organisation’s Data Protection record (e.g.: Failure to engage with DPC in an investigation, failing to take actions on foot of an audit/investigation).

    The scheme could be administered at an EU level by the EDPB, with the points accumulated by organisations operating in multiple member states either being cumulative or averaged based on a standardised list of key offences. Member States could be free to add additional offences to this list locally, within the spirit and intent of the Regulation.

    That would be an innovative idea, based on a model that has been proven to have an influence on compliance behaviour in motoring. And it would provide a transparent mechanism that would ensure that warnings could be given, advice could be sought, and positive engagement could be entered into by Micro Enterprises, SMEs, and large corporates. It would provide a relatively low impact mechanism for levying and collecting penalties from organisations who are in breach (penalties could potentially be collected as part of annual tax returns as a debt owed to the State), and it could be used to reward organisations who are taking positive actions (“bonus points”).

    Finally, it would give the basis of a transparent scorecard for organisations seeking to evaluate data processors or other service providers (in the same way as Insurance providers use penalty points data for motoring to assess driver risk), and it would give a clear escalation path to the full sanctions in the Regulation (e.g. 100 points and you go straight to full penalties).

    What it does not give is a death spiral of warnings that don’t amount to penalty and as a result give a platform for organisations to ignore the Right to Privacy. It is an evolution of the conciliatory approach to encouraging compliance but one that is given teeth in a manner that can be transparent, easily explained, and standardised across the EU27.

    I’ve written about this in 2010 and 2012. Maybe the time is right for it to be discussed?

  • Some food for thought

    The Official Twitter Account of the Irish EU Presidency (@eu2013ie) tweeted earlier today about recipes.

    That gave me a little food for thought given the subject matter I posted on yesterday.

    1. Ireland will hold the Presidency of the EU in the first half of 2013.
    2. Part of what we will be tasked with is guiding the Data Protection Regulation through the final stages of ratification
    3. Viviane Reding has been very vocal about the role Ireland will play and the importance of strengthening enforcement of rights to Personal Data Privacy in the EU. 
    4. World wide media  and our European peers will be looking at Ireland and our approach to Data Protection.

    In that context I would hope that any Dáil Committee would have the importance of the right to Privacy (as enshrined in EU Treaties and manifested by our current Data Protection Acts and the forthcoming Data Protection Regulation) when reviewing legislation and regulation around Social Media.

    While I don’t think that the recipes being tweeted about by the @eu2013ie account contained any Chinese recipes, the news today about changes in the Chinese Social Media regulatory environment are disturbing in the context of the rights to privacy and free speech. One interesting point about China’s approach to control of on-line comment from the FT article linked to above is this:

    It has also tried to strengthen its grip on users with periodical pushes for real name registration. But so far, these attempts have been unsuccessful in confirming the identity of most of China’s more than 500m web users

    Food for thought.

  • New rules, Old roots, Old attitudes

    So, today the European Commission is announcing new rules for Data Protection and Privacy in the EU (and the EEA countries and those countries seeking accession to the EU). There is hype and hoopla about the rules and what they mean, particularly for organisations conducting business on-line, companies based outside the EU selling into the EU, standardisation of penalties, and realignment and consolidation of the Regulatory and Enforcement regime.

    Oh yeah, and it is being done by Regulation which means the rules will be the same across the EU.

    But at its heart the fundamental principles remain the same. Organisations who seek to process personal data of individuals need to make sure that the ‘deal’ is fair. After all, to paraphrase Commissioner Reding’s comments at the DLD conference in Munich earlier this week

    Personal information is the currency of the Information Age

    And as with all markets where items of value are traded, checks and balances need to be in place to ensure the asset is valued appropriately and treated with care. Hence the focus in the new Regulation on concepts such as Privacy by Design, ensuring appropriate training of staff, specific requirements re: organisational governance and internal controls and clarity of documentation about the meaning, purpose, and methods of use of personal data. There is an economic trade off required to obtain the thing that is of value. That trade off is good management of Personal Data through the life cycle of the Information Asset.

    As a Data Governance and Information Quality guy I’m glad to see that the legislators in my third area of passion have finally caught up with the need to ensure organisations have defined Quality Systems with defined decision rights and accountabilities over Information as an Asset.

    So, while many of the rules are new, their roots are old. Based on my reading of the version of the Regulation that was leaked just before Christmas revealed a Regulation with one foot in the camp of Fundamental Human Rights (and the trade offs that need to be made there for economic activity to take place) and the other firmly in the camp of Quality Management practices and principles, with a clear focus on creating a Constancy of Purpose in management towards the goal of striking a sensible balance and ensuring a fair deal in the processing of personal data.

    And that is where the problem begins.

    There is a window now for national governments and the European Parliament to make contributions to the Regulation. Many in national government and the EP will make sensible contributions that will evolve the framework and make it easier to implement in practice.

    However, in a month where one Government Minister acted in blissful ignorance of the Data Protection Acts one week, another flew a policy kite that would require an illegal extension in scope of the database being built by the first Minister, and where the unelected officials of the largest City Council in the country appear to be unable to point to the legitimate grounds on which they transferred the personal data of over 100,000 residents to a private company, I hold out little hope of sensible debate and dialogue from the Irish body politic.

    In a month where we greeted the year (for the second year in a row) with a story about poor planning of projects involving personal data (both under the stewardship of the same person) I hold out little hope of sensible engagement from the Irish body politic.

    And in a month where the reversal of a bad law to control copyright on the Internet (SOPA) after leading websites across the world “went dark” we find a Junior Minister of the Government, in the Department that is in charge of attracting and retaining exactly those companies who opposed the US law, seeking to implement a similar law by Statutory Instrument with no debate or discussion, even after the legal position and EU policy position has changed in relation to Internet blocking, and only the opinions of the dying industry this law would protect seem have been sought in advance, I hold out little hope for the Irish Body Politic not to make an arse of this.

    And as for the Irish media… with a few notable exceptions the absence of attention to Data Protection issues (except where it involves embarrassing a Government Minister and the copy can be lifted from this blog) is staggering. So yet again I hold out little hope of sensible engagement.

    Adapting to the new Data Protection landscape will require individuals to change their mind set. But I fear that the entrenched attitudes in the body Politic and the traditional media may be such that Ireland (the little nation that faced trade sanctions in 2003 for not implementing Directive 95/46/EC by 1998 as we were required to) will fail to step up to the plate and drive the change in thinking and attitude necessary to achieve sustainable and sustained change in Data Protection practices in Ireland.

    W. Edwards Deming wrote in his famous 14 Points for Transformation that it was essential for the transition that organisations “Institute Leadership”. I see precious little leadership in this area from our politicians and only dazzling pin-pricks of illumination from the main stream media. So I must keep my hope guarded in the face of the likely knee jerk reactions against the changes and the almost inevitable white noise of ignorance until the Regulation passes into law with a direct effect sometime in 2014.

    Prove me wrong. Please.