Tag: regulation

  • Striking a balance in Data Protection Sanctions

    It was reported yesterday that the Irish Government has issued a “discussion paper” on the proposed administrative sanctions under the new Data Protection Regulation.

    EDRI has criticised the proposals with reference to the “warning/dialogue/enforcement” approach taken by the Irish DPC. Billy Hawkes has, in the past, been at pains to clarify that the Irish DPC uses dialogue to encourage compliance and also seeks to encourage organisations to raise questions and issues with the DPC to avoid breaches. There is a belief that the “brand impact” of even being spoken to by the DPC about an issue can prompt “road to Damascus” conversions in organisations.

    That is all well and good, but my experience working with organisations is that this can result in management playing a game of “mental discounting” (I’ve written about this before in response to the original draft DP Regulation). If there is a perception that the probability of an actual penalty is low, there is little leverage in appealing to the intrinsic motivation of a business manager when his extrinsic drivers for behaviour are pushing the decision towards a “suck it and see” approach.

    Having re-read the discussion paper and EDRI’s response to it, I can’t help feeling that EDRI may be slightly over-stating the “ask” that is being made here. They cite it as the “destruction of the right to privacy”, citing the Irish DPC’s own experiences with the Garda Pulse system, which has been plagued by reports of breaches in Data Protection since its introduction, despite the Gardaí having a statutory Code of Practice for Data Protection. In 2010 the DPC reported that that Code of Practice was not being implemented in the Gardaí.

    However, this says as much to me about the attitude to Data Protection in some (but not all) parts of the Irish Public Service as it does about the merits of the Data Protection Commissioner’s approach to encouraging compliance, or the specifics of anything that might be discussed on foot of this discussion paper. Furthermore, it raises questions for me about the capability and resources that the Data Protection Commissioner has to execute their function effectively in Ireland, and even suggests that there may be informal barriers to the effective operation of their function in the public sector which need to be urgently considered (given that the Office of the DPC is supposed to be independent).

    Given the extent of the negative findings in the interim report on the 2012 audit of the PULSE system I personally would hope that there would be some level of penalty for the Garda Siochana for failing to follow their own code of practice. But that is a different issue to what the Discussion paper actually raises.

    What is being discussed (and what would I like them to consider?)

    The Discussion Paper that was circulated invites Ministers at an Informal Council meeting to consider (amongst other things):

    1. if wider provision should be made for warnings or reprimands, making fines optional or at least conditional upon a prior warning or reprimand;
    2. if supervisory authorities should be permitted to take other mitigating factors, such as adherence to an approved code of conduct or a privacy seal or mark, into account when determining sanctions.

    It flags the fact that the Regulation, as drafted, allows for no discretion in terms of the levying of a penalty. What is proposed here is a discussion of whether warnings, or making fines optional, would be the mechanism to go to rather than scaring the bejesus out of people with massive fines. This in itself doesn’t kill the Right to Privacy, but it does potentially create the environment where the fundamental Right to Privacy will die, starved of the oxygen of effective enforcement.

    Bluntly – when faced with a toothless framework of warnings and vague threats, businesses and public sector bodies will (and currently do) play a game of mental discounting where the bottom line impact (in terms of making money or achieving a particular goal) outweighs the other needs and requirements of society. So an organisation may choose to obtain information unfairly or process it for an undisclosed secondary purpose because it will hit its target this quarter and the potential monetary impact won’t emerge for many more months or years, after an iterative cycle of warnings. The big penalty will be seen as something “far away” that can be worried about later. After everyone’s got their bonuses or their promotions etc.

    If strict statutory liability is the model that is being proposed, and the discussion is to look at watering it down to a stern talking-to as a matter of formal policy in the Regulation, I must despair of the wingnuts in my government who thought it would be a good idea even to suggest this. But I do agree that tying the hands of the Regulators to the big ticket monetary penalties might not work in their interests or in the interests of encouraging compliance with the legislation.

    What is needed is a middle ground: a mechanism whereby organisations can make errors of judgement and be warned, but where the warning carries some sanction with it. The sanction needs to be non-negotiable. But it needs to be transparent and obvious that this is what will happen if you ignore DP rules. It needs to be easily enforced and managed. There should be a right of appeal, but appealing the non-negotiable fixed penalty should carry with it the risk of greater penalties. And the ability of an organisation to benefit from iterative small penalties should be removed if they are a recidivist offender.

    There is a system that operates like this in most EU countries – it is the Penalty Points system for motoring offences. Hopefully the discussion will move to looking at how a similar system might be implemented for Data Protection offences. The penalties could be tiered (e.g. no cookies notification – €150 fine and 2 points on first offence, €500 and 4 points on second, failure to document processing €500 fine on first offence and 6 points). The points could be cumulative, with the “optionality” of higher sanctions being removed if you were, for example, an organisation with 100 points against you (congratulations, you’ve failed to up your game and now you are being prosecuted for the full tariff). Organisations bidding for public sector contracts could be required to have a “Data Protection Points” score below a certain level.

    This system could be devised in a way that would take account of mitigating factors. If a code of practice was entered into, and was successfully audited against by an appropriate body, then points could be removed from the “scorecard” at the end of a 12 month period. If there were mitigating factors, a lower level category of offence might actually apply (I’ll admit I’m not sure how that might work in practice and need to think it through myself a little). Perhaps self-notification to the DPC, engagement in codes of practice, mitigating factors or actions etc. would carry a “bonus points” element which could be used to off-set the points total being carried by a Data Controller (e.g. “adopted code of practice and passed audit: minus 3 points; introduced training and has demonstrated improved staff knowledge: minus 3 points”).

    Certain categories of breach might be exempt from mitigation, and certain categories of offence, just like with motoring offences, might be a permanent black mark on the organisation’s Data Protection record (e.g. failure to engage with the DPC in an investigation, or failing to take actions on foot of an audit/investigation).

    The scheme could be administered at an EU level by the EDPB, with the points accumulated by organisations operating in multiple member states either being cumulative or averaged based on a standardised list of key offences. Member States could be free to add additional offences to this list locally, within the spirit and intent of the Regulation.

    That would be an innovative idea, based on a model that has been proven to have an influence on compliance behaviour in motoring. And it would provide a transparent mechanism that would ensure that warnings could be given, advice could be sought, and positive engagement could be entered into by Micro Enterprises, SMEs, and large corporates. It would provide a relatively low impact mechanism for levying and collecting penalties from organisations who are in breach (penalties could potentially be collected as part of annual tax returns as a debt owed to the State), and it could be used to reward organisations who are taking positive actions (“bonus points”).

    Finally, it would give the basis of a transparent scorecard for organisations seeking to evaluate data processors or other service providers (in the same way as Insurance providers use penalty points data for motoring to assess driver risk), and it would give a clear escalation path to the full sanctions in the Regulation (e.g. 100 points and you go straight to full penalties).

    What it does not give is a death spiral of warnings that don’t amount to penalty and as a result give a platform for organisations to ignore the Right to Privacy. It is an evolution of the conciliatory approach to encouraging compliance but one that is given teeth in a manner that can be transparent, easily explained, and standardised across the EU27.

    I’ve written about this in 2010 and 2012. Maybe the time is right for it to be discussed?

  • The EU Data Protection Regulation

    This post was originally published on the ICS Data Protection Blog. It is republished here as it is my original work and I am putting my Data Protection musings in one place.

    Earlier this month we saw the leaking of a late draft of the forthcoming EU Data Protection Regulation. Yes. That’s right. Regulation. In other words direct effect, standardised legal framework across Europe, less wriggle room at local level, and no waffling and stalling by national parliaments as they butcher a Directive into national law.

    The full final text is expected in January, with a 2-year implementation window being mooted.

    Among the criticisms I’ve seen levelled at the Regulation is that it is “longer than the Directive it will replace”. Yes. It is. But that’s because it has had to do more than just replace the existing Directive; it has had to:

    • Update the Directive with new concepts such as the “Right to be Forgotten” and increased duties of transparency.
    • Introduce new penalty structures (which were previously the preserve of the national enabling legislation that transposed the Directive) such as the 5% of Global turnover penalty for breaches of the legislation.
    • Define new governance structures for Data Protection in Europe at the EU level and between countries.
    • Impose sanctions on Data Processors who act beyond the terms of their processor agreement (currently the only sanction is for the Controller to sue in Contract law, assuming a contract exists).
    • Adapt the existing regulations and governance models to things like Social Networking, Cloud computing and mobile devices.
    • Figure out how to deal with extra-EU entities selling into the Internal Market (easy… they will have to comply with our rules now).

    Buried among the new changes was one aspect that jumped out at me: the introduction of lower value “administrative” financial penalties for smaller incidents of breaches of the legislation. I for one hope that that proposal makes it into the final draft of the Regulation, as it would provide a tiered approach to penalties and put something tangible between “softly, softly encourage compliance” and “hit the Controller with full prosecution”.

    Another reason why I’d be interested to see this make it into the final Regulation can be found in this post here (in which I argue in favour of just this form of small scale fines based system).

    (Yes folks, you read it on this blog first).

  • Putting Teeth In the Tiger

    This post was originally published in August 2010 on the Irish Computer Society’s Data Protection Blog. I’ve copied it to here as it is my work and I want to put all my Data Protection musings in one place. Please feel free to go and look at it on the ICS site as well.

    The Information Commissioner’s office in the UK has recently flagged their lack of powers to the European Commission. This is slightly amusing for those of us working under the Irish data protection regime, who look at the powers that the UK ICO have to levy penalties for breaches of the UK Data Protection Act, compared to the relatively limited powers of the Irish Data Protection Commissioner to issue Enforcement or Prohibition Notices and only to take prosecutions for breaches of the e-privacy regulations.

    Of course, the Irish Commissioner does have the power since the 2003 Act to conduct audits and investigations on their own account (i.e. not on foot of an actual complaint). The UK ICO has limited powers by comparison. Likewise, they lack equivalent Data Breach provisions to those the Irish Data Protection Commissioner introduced last month (but there are plans to introduce them in the UK soon).

    There is a new draft Data Protection Directive in the pipeline (albeit stalled at the request of the French to allow sufficient time for effective consultation). Just as Directive 95/46/EC (the root of Ireland’s 2003 Data Protection Amendment Act) was introduced to address divergences in the implementation of the previous Convention on Data Privacy (Convention 108), it is likely that this revised directive will seek to address some of the remaining areas of divergence in national laws which implement Directive 95/46/EC. One area which is likely to be addressed will be the nature and type of penalties which will be applicable to various categories of breach.

    The drafting of the revised Directive has been delayed. Even when the Directive comes into being, the Irish Government’s track record in implementing Data Protection regulations in a timely manner has been less than impressive. So it may well be that, from the point of view of EU mandated changes, we could be in for a long wait.

    However, there is a significant elephant in the room. The State needs to balance the books. The two traditional levers which can be pulled by the State are either Taxation or reductions in spending. Both of these levers are politically difficult to pull. Increasing taxes creates resistance and revolution (increases in taxation historically trigger revolutions – particularly taxes on property or on the middle classes). Cutting spending likewise creates resistance and exacerbates social disadvantage (in many cases undoing valuable work previously done using tax euros).

    Both of these are the items on the current agenda.

    Of course, there is a third lever which can be used to generate revenue for the State and which can (at least in the short to medium term) bring about a change in behaviour. That third lever is the levying of fines and penalties. While this lever may not contribute as quickly or substantially to balancing the books, it would be remiss of the government to overlook any potential source of revenue at this time. And this revenue would be generated on foot of behaviour which is illegal under legislation which has been in existence for a number of years, and (unlike a tax) it can be avoided by simply taking the necessary steps to comply with the legislation.

    The introduction of such penalties would require a minor amendment to the existing legislation.

    So, given that there are indications emerging which suggest upcoming changes to standardise the types of penalty which will apply to breaches of the Data Protection regulations across the EU27 States, and that the State has an increasingly urgent need to generate revenue, I would not be surprised if we were to see some changes in the Data Protection legislation in Ireland sooner rather than later which would introduce some penalties which will put some additional teeth in the Data Protection Commissioner’s enforcement powers.

    But this is only a worry for anyone who isn’t complying with the Data Protection Acts. The prudent course of action for anyone processing personal data would be to make sure that they get their house in order ahead of any potential changes, either emerging from Europe or from the Government’s need to claw in as much income as possible.