By Ali Qassim
Feb. 27 — Data protection authorities in the European Union should be given as much flexibility as possible to enforce any new rules under the proposed EU data protection regulation, in order to avoid spending limited resources and time on minor privacy violations, U.K. Information Commissioner Christopher Graham said Feb. 27.
“I am not interested in European regulation that is going to turn me into a traffic warden,” he said of the ongoing effort to approve a data protection regulation to replace the nearly 20-year-old EU Data Protection Directive (95/46/EC).
Graham said he feared the reforms may force DPAs to punish organizations that commit small breaches, whereas he would like “to reserve the big stick in the cupboard for the people who need a spanking.”
“Where is the money going to come from to investigate all types of breaches given the state of EU economies, and how are governments going to persuade citizens that there is a funding priority for DPAs? It is not going to happen,” he said.
Graham, whose tenure as head of the U.K. Information Commissioner's Office ends in June 2016, made the statements in answering questions at the end of a keynote address at a conference on the impact of the proposed data protection regulation. The conference in London was organized by the U.K.’s Direct Marketing Association.
Other conference speakers focused on the mandatory data breach notification provisions in the proposed data protection regulation, expressing concern that they would burden businesses and undermine attempts by the ICO to work with companies in a cooperative way.
The European Parliament's position on monetary penalties under the regulation, which it approved in March 2014, is that DPAs should be authorized to fine organizations up to 5 percent of their global revenue, or up to 100 million euros ($112 million), for the most serious data protection violations.
The EU Council, the EU institution that represents the governments of the 28 EU member states, is reviewing the Parliament's draft of the regulation and preparing its own position, including on whether to lower sanctions.
The council is considering returning the maximum financial sanctions under the proposed regulation to 2 percent of global revenue.
The proposed regulation as introduced by the European Commission, the EU's administrative arm, in 2012 set maximum fines at 2 percent of global revenue.
But an earlier leaked draft of the EC proposal had set the maximum at 5 percent of global revenue.
Graham said he hoped the final draft would be “more proportional” on the issue of fines “and a good answer” to those calling for a prescriptive approach “is to ask who is going to pay for it.”
“We should not confuse effective regulation with effective enforcement. If regulation is over ambitious, then you are in a worse position than when you started,” he said.
Graham said he wants “to be an enabler who works with organizations like allies and who concentrates complaint handling on those businesses that are not getting it right,” rather than meting out fines for minor violations.
His position is consistent with that of U.K. businesses that have objected to the high fines envisioned by the proposed data protection regulation.
In a separate session of the conference, Rosemary Smith, a director at data protection and permissions marketing consulting company Opt-4, said the proposed regulation's proposal to introduce mandatory data breach notification would create a “tsunami of work” for the ICO.
That would leave the ICO with “less time to engage with businesses and brands,” she said.
Andrew Bridges, data governance manager at customer loyalty management company AIMIA, agreed that there is a danger of “creating notification fatigue,” which would “undermine consumers' faith in the Internet.”
Although he acknowledged that organizations “had to be open about breaches,” any eventual regulation should be proportionate to “the levels of breaches” that would require notification.
The regulation should limit mandatory notice to breaches where the missing or stolen personal information has “compromised” the individual, he said.
Provisions in the draft regulation that would severely restrict companies' ability to profile consumers pose a challenge to effective direct marketing to consumers, Bridges said. “If we don't get this right, the whole advertising world could get affected.”
Smith concurred. “If it were to affect targeting, we'd be back to the scatter gun” approach to marketing, she said.
Regarding the regulation's requirements for organizations to produce documentation of “proof of consent” by customers to the use of their information, Smith said most companies would be unable to prove consent “at a very granular level” for their customer relationship management systems.
To contact the reporter on this story: Ali Qassim in London at firstname.lastname@example.org
To contact the editor responsible for this story: Donald G. Aplin at email@example.com