EU Regulation Shouldn't Require Punishment For Minor Violations, U.K. Privacy Chief Says


By Ali Qassim

Feb. 27 — Data protection authorities in the European Union should be given as much flexibility as possible to enforce any new rules under the proposed EU data protection regulation, in order to avoid spending limited resources and time on minor privacy violations, U.K. Information Commissioner Christopher Graham said Feb. 27.

“I am not interested in European regulation that is going to turn me into a traffic warden,” he said of the ongoing effort to approve a data protection regulation to replace the nearly 20-year-old EU Data Protection Directive (95/46/EC).

Graham said he feared the reforms may force DPAs to punish organizations that commit small breaches, whereas he would like “to reserve the big stick in the cupboard for the people who need a spanking.”

“Where is the money going to come from to investigate all types of breaches given the state of EU economies, and how are governments going to persuade citizens that there is a funding priority for DPAs? It is not going to happen,” he said.

Graham, whose tenure as head of the U.K. Information Commissioner's Office ends in June 2016, made the statements in answering questions at the end of a keynote address at a conference on the impact of the proposed data protection regulation. The conference in London was organized by the U.K.’s Direct Marketing Association.

Other conference speakers focused on the mandatory data breach notification provisions in the proposed data protection regulation, expressing concern that they would burden businesses and undermine attempts by the ICO to work with companies in a cooperative way.

Maximum Fines Debate 

The European Parliament's position on monetary penalties under the regulation, which it approved in March 2014, is that DPAs should be authorized to fine organizations up to 5 percent of their global revenue, or up to 100 million euros ($112 million), for the most serious data protection violations. 

The EU Council, the EU institution that represents the governments of the 28 EU member states, is reviewing the Parliament's draft of the regulation and preparing its own position, including on whether to lower sanctions.

The council is considering returning the maximum financial sanctions under the proposed regulation to 2 percent of global revenue.

The proposed regulation as introduced by the European Commission, the EU's executive arm, in 2012 set maximum fines at 2 percent of global revenue.

But an earlier leaked draft of the EC proposal had set the maximum at 5 percent of global revenue.

Graham said he hoped the final draft would be “more proportional” on the issue of fines “and a good answer” to those calling for a prescriptive approach “is to ask who is going to pay for it.”

Working With Companies 

“We should not confuse effective regulation with effective enforcement. If regulation is over-ambitious, then you are in a worse position than when you started,” he said.

Graham said he wants “to be an enabler who works with organizations like allies and who concentrates complaint handling on those businesses that are not getting it right,” rather than meting out fines for minor violations.

His position is consistent with that of U.K. businesses that have objected to the high fines envisioned by the proposed data protection regulation.

Mandatory Data Breach Notice 

In a separate session of the conference, Rosemary Smith, a director at data protection and permissions marketing consulting company Opt-4, said the proposed regulation's mandatory data breach notification requirement would create a “tsunami of work” for the ICO.

That would leave the ICO with “less time to engage with businesses and brands,” she said.

Andrew Bridges, data governance manager at customer loyalty management company AIMIA, agreed that there is a danger of “creating notification fatigue,” which would “undermine consumers' faith in the Internet.”

Although he acknowledged that organizations “had to be open about breaches,” he said any eventual regulation should be proportionate regarding “the levels of breaches” that would require notification.

The regulation should limit mandatory notice to breaches where the missing or stolen personal information has “compromised” the individual, he said.

Direct Marketing Challenges 

Provisions in the draft regulation that would severely restrict companies' ability to profile consumers pose a challenge to effective direct marketing to consumers, Bridges said. “If we don't get this right, the whole advertising world could get affected.”

Smith concurred. “If it were to affect targeting, we'd be back to the scatter gun” approach to marketing, she said.

Regarding the regulation's requirements for organizations to produce documentation of “proof of consent” by customers to the use of their information, Smith said most companies would be unable to prove consent “at a very granular level” for their customer relationship management systems.

To contact the reporter on this story: Ali Qassim in London at

To contact the editor responsible for this story: Donald G. Aplin at