Organizations should assess the enforcement risks in the countries in which they are operating and focus resources, experts say.
The European Union’s Data Protection Directive, which calls for the protection of personal data of individuals as it is processed or transferred, has been in force throughout Europe for more than a decade, but implementation varies by country, according to experts speaking at the 2010 International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C. Companies doing business in the EU should be aware of these differences so that they can allocate resources accordingly, panelists said.
“There is a set of specific requirements in any member state’s law that are basically the same, but they are enforced very, very differently,” said Jim Halpert, a partner in the communications, e-commerce, and privacy practice of international law firm DLA Piper.
For example, in the United Kingdom, where public confidence has been shaken by several large data breaches in recent years, there is a heightened sensitivity to data breaches. In April, the U.K.’s data protection authority, the Information Commissioner’s Office, was given new authority to impose fines of up to £500,000 ($760,000) for serious data breaches. Previously the privacy watchdog could only issue warnings.
In addition, data breach notification is currently optional in the United Kingdom, but it is expected to become mandatory for the telecom sector, and a broader law may be introduced as well.
Spain, which traditionally brings the most enforcement actions, has the largest penalty enforcement structure of all the European data protection authorities, but it has recently decreased the fines for individual offenses. For a minor offense, the fine can be up to €60,101 ($79,000); for a serious offense, the fine is between €60,101 and €300,506 ($400,000); and for a very serious offense, the fine is between €300,506 and €601,012 ($800,000). Halpert warned, however, that the Spanish data protection authorities often impose multiple fines for multiple violations. One company received fines in 2009 that totaled €1.2 million ($1.6 million) for a total of 22 infringements.
The French data protection authority, the CNIL, is also ramping up enforcement. In March, the CNIL reported that it will conduct more than 300 onsite inspections in 2010, compared to 270 in 2009, a 24 percent increase from the year prior.
The CNIL will focus on ensuring data controller compliance with its decisions and assessing the effectiveness of data protection officers (DPOs). A bill being considered would require organizations to have a DPO and to make the DPO the chief data compliance officer.
The CNIL also reported that it will focus on certain industries, such as the airlines and real estate, and on certain issues, such as the use of CCTV and the protection of the personal data of minors.
Germany has a federated enforcement structure, which means that enforcement comes from provincial data protection authorities. “So you need to look not simply at the fact that you’re in Germany, but where are you in Germany?” Halpert said.
IAPP President Nuala Kelly said the challenges associated with data protection are complex and are the same for companies large and small. “It is almost impossible, if not impossible, to correctly comply with every single European Union data protection law and have a global database, because the laws are at odds in many cases,” said Kelly, who is the chief privacy leader and a senior counsel at General Electric Company.
The Article 29 Working Group, a body that has representation from each European data protection authority, is working to harmonize enforcement, Halpert said.
Meanwhile, the key, he said, is for companies to consider the risks where they are operating. “Look at the specific places where you are exposed, and think about ... the best way to spend your money,” he said. “You need to allocate and do some triage, given what you have to work with.”