Archive for the ‘Sanctions’ Category

CNIL announces upcoming “cookies sweep day”

Posted on July 17th, 2014 by



On June 11th, 2014 the French Data Protection Authority (CNIL) announced an upcoming “cookies sweep day”, which aims to verify compliance with the cookies legal requirements. Last year, the CNIL issued guidance on how to comply with cookie requirements in France (published in December 2013) and the CNIL now expects companies to be compliant. This enforcement action will also enable the CNIL to test its new on-line investigatory powers that came into force following a revision of the French Data Protection Act in March 2014 (see our previous blog).

In Europe, other data protection authorities have already begun enforcing cookie rules, as recently illustrated by the fines pronounced by the Spanish DPA earlier this year (see our previous blog).

When will the “cookies sweep day” take place?

The “cookies sweep day” is scheduled to take place between 15 and 19 September 2014.

Who is targeted by the “cookies sweep day”?

Any company (within or outside the EU) that uses cookies or other tracking technologies to collect personal data from users in Europe.

Where will the “cookies sweep day” take place?

The CNIL will take part in a “cookies sweep day” at a European level aimed at verifying compliance with the notice and consent requirements. Each data protection authority in Europe will carry out its own compliance program under national law and may potentially conduct enforcement actions on its territory.

What will the CNIL verify?

The CNIL will focus its investigation on:

  • The types of cookies and other tracking technologies that are used (e.g., HTTP cookies, local shared objects (Flash cookies), fingerprinting, etc.)
  • The purposes of the cookies used and whether the owner of the website knows and understands the purposes of all the cookies (including third-party cookies) used on its website.

Furthermore, where prior consent is required, the CNIL will verify:

  • The method used to obtain consent from the user
  • The quality, accessibility and clarity of the information provided to users
  • The consequences of a refusal by the user to accept cookies. As an example, the CNIL refers to users of an e-commerce website whose only option is to refuse all cookies via the cookie settings of their web browser. As a result, such users may not be able to use the website at all.
  • The possibility to withdraw user consent at any time
  • The duration of cookies.

What are the risks for companies?

The risks of not complying with cookie requirements vary from one EU country to another depending on the enforcement/sanction powers of each data protection authority under national law. In France, the CNIL has the power to conduct on-site and on-line inspections that can be followed by administrative sanctions. In particular, the CNIL can issue a public warning or an enforcement notice asking the company to comply within a given period of time. If the company fails to comply with the terms of this notice, the CNIL may then initiate administrative proceedings which ultimately can lead to a fine or an obligation to cease the processing.

What should companies do in advance of this enforcement action?

As explained in our previous blog, cookie compliance is still very much a hot topic in Europe, with different countries amending their laws and DPAs issuing guidance or conducting enforcement actions. Therefore, companies should not wait until they are being investigated to put their house in order. Some basic steps can be taken to make sure you comply with the cookie requirements:

  • Audit your websites to find out what types of cookies (or other tracking devices) you use
  • Analyse the purposes of the cookies
  • Assess the level of intrusiveness of cookies and verify which cookies require prior consent
  • Publish a clear, understandable and accessible cookie policy on your website
  • Implement an adequate cookie consent mechanism
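One practical way to start the audit the steps above describe, as an added example that is not from the original post, the CNIL or any site owner: a small Python script that takes Set-Cookie headers captured from a site's responses (the capture below is constructed sample data, not real traffic), classifies each cookie as first-party or third-party by comparing registrable domains with the audited site, and works out its lifetime from Max-Age or Expires so that session cookies, persistent cookies and long-lived cookies can be told apart. The 13-month ceiling is an assumed reporting threshold chosen for illustration; the page states no number, and which limit actually applies is a legal question for the site owner. The registrable-domain helper is a deliberate simplification (last two labels, no Public Suffix List).

```python
"""Cookie audit over captured Set-Cookie headers: party, lifetime, flags."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Fixed reference instant so the report is reproducible (assumption: audit run at this time).
NOW = datetime(2014, 9, 15, 12, 0, tzinfo=timezone.utc)

# Assumed lifetime ceiling for the report; 13 months is an illustration, not a legal finding.
MAX_LIFETIME = timedelta(days=13 * 30)


@dataclass
class CookieRecord:
    name: str
    set_by_host: str               # host of the HTTP response that carried the header
    domain: str                    # Domain attribute, or set_by_host for a host-only cookie
    third_party: bool              # registrable domain differs from the audited site's
    lifetime: Optional[timedelta]  # None = session cookie (no Max-Age and no Expires)
    secure: bool
    http_only: bool


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the .fr/.example sample data,
    wrong for multi-label suffixes such as .co.uk (a real audit should use the PSL)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(site_host: str, set_by_host: str, header: str) -> CookieRecord:
    """Parse one Set-Cookie header value into an audit record."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    flags = set()
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            flags.add(part.lower())

    domain = attrs.get("domain", set_by_host)

    lifetime = None
    if "max-age" in attrs:  # RFC 6265: Max-Age takes precedence over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:  # "-0000" yields a naive datetime; treat it as UTC
            expires = expires.replace(tzinfo=timezone.utc)
        lifetime = expires - NOW

    return CookieRecord(
        name=name,
        set_by_host=set_by_host,
        domain=domain,
        third_party=registrable_domain(domain) != registrable_domain(site_host),
        lifetime=lifetime,
        secure="secure" in flags,
        http_only="httponly" in flags,
    )


def audit(site_host: str, capture: List[Tuple[str, str]]) -> List[CookieRecord]:
    """capture: (responding host, Set-Cookie header value) pairs gathered while browsing the site."""
    return [parse_set_cookie(site_host, host, header) for host, header in capture]


def over_limit(records: List[CookieRecord]) -> List[str]:
    """Names of persistent cookies whose lifetime exceeds the assumed ceiling."""
    return [r.name for r in records if r.lifetime is not None and r.lifetime > MAX_LIFETIME]


def third_party_names(records: List[CookieRecord]) -> List[str]:
    return [r.name for r in records if r.third_party]


# Constructed sample capture for a fictitious shop; hosts and values are made up.
SITE = "www.example-shop.fr"
CAPTURE = [
    ("www.example-shop.fr", "session_id=abc123; Path=/; Secure; HttpOnly"),
    ("www.example-shop.fr", "lang=fr; Max-Age=31536000; Path=/"),
    ("www.example-shop.fr", "analytics_id=A1.2.3; Domain=.example-shop.fr; Expires=Thu, 15 Sep 2016 12:00:00 GMT; Path=/"),
    ("tracker.ads-network.example", "uid=xyz; Domain=.ads-network.example; Max-Age=63072000; Path=/"),
]

if __name__ == "__main__":
    records = audit(SITE, CAPTURE)
    for r in records:
        life = "session" if r.lifetime is None else f"{r.lifetime.days} days"
        party = "3rd" if r.third_party else "1st"
        print(f"{r.name:13} {party}-party  {life:9}  set by {r.set_by_host}")
    print("third-party:", third_party_names(records))
    print("over lifetime ceiling:", over_limit(records))
```

The domain test is only a starting point for the purpose analysis the CNIL asks for: a tracker script loaded from a third party will often set its cookie on the site's own domain, so it comes out first-party by domain while being third-party in purpose and, in all likelihood, still subject to prior consent. The audit output therefore has to be read together with an inventory of which script set each cookie and why.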

For more information on the “cookies sweep day”, the CNIL’s press release is available (in French) here.

CNIL: a regulator to watch in 2014

Posted on March 18th, 2014 by



Over the years, the number of on-site inspections by the French DPA (CNIL) has been on a constant rise. Based on the CNIL’s latest statistics (see CNIL’s 2013 Annual Activity Report), 458 on-site inspections were carried out in 2012, which represents a 19 percent increase compared with 2011. The number of complaints has also risen to 6,000 in 2012, most of which were in relation to telecom/Internet services, at 31 percent. In 2012, the CNIL served 43 formal notices asking data controllers to comply. In total, the CNIL pronounced 13 sanctions, eight of which were made public. In the majority of cases, the sanction pronounced was a simple warning (56 percent), while fines were pronounced in only 25 percent of the cases.

The beginning of 2014 was marked by a landmark decision of the CNIL. On January 3, 2014, the CNIL pronounced a record fine against Google of €150,000 ($204,000) on the grounds that the terms of use available on its website since March 1, 2012, allegedly did not comply with the French Data Protection Act. Google was also required to publish this sanction on the homepage of Google.fr within eight days of it being pronounced. Google appealed this decision; however, on February 7th, 2014, the State Council (“Conseil d’Etat”) rejected Google’s request to suspend the publication order.

Several lessons can be learnt from the CNIL’s decision. First, that the CNIL is politically motivated to hit hard on the Internet giants, especially those who claim that their activities do not fall within the remit of the French law. No, says the CNIL. Your activities target French consumers, and thus, you must comply with the French Data Protection Act even if you are based outside the EU. This debate has been going on for years and was recently discussed in Brussels within the EU Council of Ministers’ meeting in the context of the proposal for a Data Protection Regulation. As a result, Article 4 of the Directive 95/46/EC could soon be amended to allow for a broader application of European data protection laws to data controllers located outside the EU.

Second, despite it being the highest sanction ever pronounced by the CNIL, this is hardly a dissuasive financial sanction against a global business with large revenues. Currently, the CNIL cannot pronounce sanctions above €150,000 or €300,000 ($410,000) in case of a second breach within five years from the first sanction pronounced, whereas some of its counterparts in other EU countries can pronounce much heavier sanctions; e.g., last December, the Spanish DPA pronounced a €900,000 ($1,230,000) fine against Google. This could soon change, however, in light of an announcement made by the French government that it intends to introduce this year a bill on “the protection of digital rights and freedoms,” which could significantly increase the CNIL’s enforcement powers.

Furthermore, it seems that the CNIL’s lobbying efforts within the French Parliament are finally beginning to pay off. A new law on consumer rights came into force on 17 March 2014, which amends the Data Protection Act and grants the CNIL new powers to conduct online inspections in addition to the existing on-site inspections. This provision gives the CNIL the right, via an electronic communication service to the public, “to consult any data that are freely accessible, or rendered accessible, including by imprudence, negligence or by a third party’s action, if required, by accessing and by remaining within automated data processing systems for as long as necessary to conduct its observations.” This new provision opens up the CNIL’s enforcement powers to the digital world and, in particular, gives it stronger powers to inspect the activities of major Internet companies. The CNIL says that this law will allow it to verify online security breaches, privacy policies and consent mechanisms in the field of direct marketing.

Finally, the Google case is a good example of the EU DPAs’ recent efforts to conduct coordinated cross-border enforcement actions against multinational organizations. In the beginning of 2013, a working group was set up in Paris, led by the CNIL, for a simultaneous and coordinated enforcement action against Google in several EU countries. As a result, Google was inspected and sanctioned in multiple jurisdictions, including Spain and The Netherlands. Google is appealing these sanctions.

As the years pass by, the CNIL continues to grow and to become more resourceful. It is also more experienced and better organized. The CNIL is already very influential within the Article 29 Working Party, as recently illustrated by the Google case, and Isabelle Falque-Pierrotin, the chairwoman of the CNIL, was recently elected chair of the Article 29 Working Party. Thus, companies should pay close attention to the actions of the CNIL as it becomes a more powerful authority in France and within the European Union.

This article was first published in the IAPP’s Privacy Tracker on 27 February 2014 and was updated on 18th March 2014.

How do EU and US privacy regimes compare?

Posted on March 5th, 2014 by



As an EU privacy professional working in the US, one of the things that regularly fascinates me is each continent’s misperception of the other’s privacy rules.  Far too often have I heard EU privacy professionals (who really should know better) mutter something like “The US doesn’t have a privacy law” in conversation; equally, I’ve heard US colleagues talk about the EU’s rules as being “nuts” without understanding the cultural sensitivities that drive European laws.

So I thought it would be worth dedicating a few lines to compare and contrast the different regimes, principally to highlight that, yes, they are indeed different, but, no, you cannot draw a conclusion from these differences that one regime is “better” (whatever that means) than the other.  You can think of what follows as a kind of brief 101 in EU/US privacy differences.

1.  Culturally, there is a stronger expectation of privacy in the EU.  It’s often said that there is a stronger cultural expectation of privacy in the EU than the US.  Indeed, that’s probably true.   Privacy in the EU is protected as a “fundamental right” under the European Union’s Charter of Fundamental Rights – essentially, it’s akin to a constitutional right for EU citizens.  Debates about privacy and data protection evoke as much emotion in the EU as do debates about gun control legislation in the US.

2.  Forget the myth: the US DOES have data protection laws.  It’s simply not true that the US doesn’t have data protection laws.  The difference is that, while the EU has an all-encompassing data protection framework (the Data Protection Directive) that applies across every Member State, across all sectors and across all types of data, the US has no directly analogous equivalent.  That’s not the same thing as saying the US has no privacy laws – it has an abundance of them!  From federal rules designed to deal with specific risk scenarios (for example, collection of child data online is regulated under the Children’s Online Privacy Protection Act), to sector-specific rules (Health Insurance Portability and Accountability Act for health-related information and the Gramm-Leach-Bliley Act for financial information), to state-driven rules (the California Online Privacy Protection Act in California, for example – California, incidentally, also protects individuals’ right to privacy under its constitution).  So the next time someone tells you that the US has no privacy law, don’t fall for it – comparing EU and US privacy rules is like comparing apples to a whole bunch of oranges.

3.  Class actions.  US businesses spend a lot of time worrying about class actions and, in the privacy realm, there have been many.  Countless times I’ve sat with US clients who agonise over their privacy policy drafting to ensure that the disclosures they make are sufficiently clear and transparent in order to avoid any accusation they may have misled consumers.  Successful class actions can run into the millions of dollars and, with that much potential liability at stake, US businesses take this privacy compliance risk very seriously.  But when was the last time you heard of a successful class action in the EU?  For that matter, when was the last time you heard of ANY kind of award of meaningful damages to individuals for breaches of data protection law?

4.  Regulatory bark vs. bite.  So, in the absence of meaningful legal redress through the courts, what can EU citizens do to ensure their privacy rights are respected?  The short answer is complain to their national data protection authorities, and EU data protection authorities tend to be very interested and very vocal.  Bodies like the Article 29 Working Party, for example, pump out an enormous volume of regulatory guidance, as do certain national data protection authorities, like the UK Information Commissioner’s Office or the French CNIL. Over in the US, American consumers also have their own heavyweight regulatory champion in the form of the Federal Trade Commission which, by using its powers to take enforcement action against “unfair and deceptive practices” under the FTC Act, is getting ever more active in the realm of data protection enforcement.  And look at some of the settlements it has reached with high-profile companies – settlements that, in some cases, have run in excess of US$20m and resulted in businesses having to subject themselves to 20-year compliance audits.  By contrast, however vocal EU DPAs are, their powers of enforcement are typically much more limited, with some even lacking the ability to fine.

So those are just some of the big picture differences, but there are so many more points of detail a well-informed privacy professional ought to know – like how the US notion of “personally identifiable information” contrasts with EU “personal data”, why the US model of relying on consent to legitimise data processing is less favoured in the EU, and what the similarities and differences are between US “fair information practice principles” and EU “data protection principles”.

That’s all for another time, but for now take away this:  while they may go about it in different ways, the EU and US each share a common goal of protecting individuals’ privacy rights.  Is either regime perfect?  No, but each could sure learn a lot from the other.


History in the making: the first ‘cookie rule’ fines in Europe

Posted on January 30th, 2014 by



On 14 January, the Spanish Data Protection Regulator (the “Spanish DPA”) issued its first fines for infringement of Spain’s implementation of the EU’s “cookie consent” requirement. The decision (in Spanish) may be found here.

The decision

Two companies were investigated and fined. The decision concludes that the two companies had failed to comply with the obligation to provide clear and comprehensive information about the cookies they used.

The total amount of the fines, 3,500 EUR, is very modest, especially if one considers the extensive enforcement powers of the Spanish DPA, which could potentially have issued a fine of up to 30,000 EUR per infringement in this case.

Does this mean that European regulators are going to be ‘soft-touch’ when it comes to the cookie rule enforcement? Let’s not rush into conclusions and consider some key facts and take-away points from this case.

Why were these companies targeted?

Like most privacy enforcement actions, the investigation in this case was triggered by the complaint of an individual to the Spanish DPA in September 2012. The services provided by the websites investigated and the cookies used are not uncommon or particularly intrusive to individuals’ privacy. The companies belong to the jewellery sector and most of the websites were purely promotional, with only one of them (out of 8) selling products on-line.

Long-winded process

The actual enforcement procedure did not start until 15 July 2013 (nine months after the complaint) and it took another six months to issue the fines. In my view, the timings of this case tell us two things.

Firstly, it took the industry and data protection regulators a while to figure out how the cookie rule should be complied with in practice. In fact, the time of the investigation coincides with the publication by the Spanish DPA, together with representatives of the advertising industry, of a guidance document on the use of cookies in April 2013.

Secondly, the Spanish DPA took its time to thoroughly investigate the websites and cookies used and to review the documents provided by the companies.  This is as you would expect, given that it was the first time it carried out a formal investigation in this respect.

Setting the bar high  

Reading the decision one gets the impression that the companies fined tried hard to cooperate and get things right. At the time the investigation started, most of the websites did not include any information about the use of cookies. By the time the investigation finished the companies had made a number of attempts to satisfy the relevant transparency and consent requirements. These were not considered sufficient to meet the standard of compliance that the Spanish DPA seeks.

Importantly, the decision confirms what was said in the guidance document, namely that information may be provided by implementing a layered approach and that an action-based consent mechanism would work in Spain. The decision also lays out the minimum information that the first and second layer must include and, in doing so, it provides useful insight to what exactly in practice will be compliant or not. The main point to take away is that the level of detail required in cookie notices is high.

What about consent?

The Spanish DPA briefly examined whether consent was lawfully obtained or not. The conclusion it reached was that consent was not validly obtained because the information provided was not sufficient.

However, the actual consent mechanisms used were not analysed in detail, and so the Spanish DPA did not discuss the legitimacy of implied versus express consent mechanisms. This is because, for technical legal reasons specific to Spain (but not other EU Member States), the Spanish DPA cannot currently impose fines for failing to comply with the consent requirement – only the information provision requirement.

This issue is expected to be addressed by a draft law that is on its way. The new law will introduce a two tier approach that allows the Spanish DPA to fine for failure to implement a valid consent mechanism.  Minor infringements (up to 30,000 EUR) and serious infringements (max 150,000 EUR) will apply depending on the facts of each case.

Messages to take away

  • Even though cookies are part of our every day life, European regulators perceive the use of cookies as intrusive – this is explicitly stated in the decision. As a result, time, resources and efforts will be invested to tackle their unlawful use.
  • Unconfirmed reports state that another 19 cases are under investigation in Spain. Having taken the lead, it is entirely possible that other European regulators will now follow suit. Their enforcement actions will be determined by their local enforcement strategy and the powers they are granted under local laws.
  • The low level of this fine should not be interpreted as necessarily meaning that regulators will take a soft approach to cookie enforcement. In this particular case, attenuating circumstances and the technical legal issues impacted the calculation of the fine.
  • The final and most important point is that the grace period has long been over. If you have not already done so, it is important to get your house in order now.

FTC in largest-ever Safe Harbor enforcement action

Posted on January 22nd, 2014 by



Yesterday, the Federal Trade Commission (“FTC“) announced that it had agreed to settle with 12 US businesses for alleged breaches of the US Safe Harbor framework. The companies involved were from a variety of industries and each handled a large amount of consumer data. But aside from the surprise of the large number of companies involved, what does this announcement really tell us about the state of Safe Harbor?

This latest action suggests that the FTC is ramping up its Safe Harbor enforcement in response to recent criticisms from the European Commission and European Parliament about the integrity of Safe Harbor (see here and here) – particularly given that one of the main criticisms about the framework was its historic lack of rigorous enforcement.

Background to the current enforcement

So what did the companies in question do? The FTC’s complaints allege that the companies involved ‘deceptively claimed they held current certifications under the U.S.-EU Safe Harbor framework’. Although participation in the framework is voluntary, if you publicise that you are Safe Harbor certified then you must, of course, maintain an up-to-date Safe Harbor registration with the US Department of Commerce and comply with your Safe Harbor commitments.

Key compliance takeaways

In this instance, the FTC alleges that the businesses involved had claimed to be Safe Harbor certified when, in fact, they weren’t. The obvious message here is don’t claim to be Safe Harbor certified if you’re not!  

The slightly more subtle compliance takeaway for businesses who are correctly Safe Harbor certified is that they should have in place processes to ensure:

  • that they keep their self-certifications up-to-date by filing timely annual re-certifications;
  • that their privacy policies accurately reflect the status of their self-certification – and if their certifications lapse, that there are processes to adjust those policies accordingly; and
  • that the business is fully meeting all of its Safe Harbor commitments in practice – there must be actual compliance, not just paper compliance.

The “Bigger Picture” for European data exports

Despite this decisive action by the FTC, European concerns about the integrity of Safe Harbor are likely to persist.  If anything, this latest action may serve only to reinforce concerns that some US businesses are either falsely claiming to be Safe Harbor certified when they are not or are not fully living up to their Safe Harbor commitments. 

The service provider community, and especially cloud businesses, will likely feel this pressure most acutely.  Many customers already perceive Safe Harbor to be “unsafe” for data exports and are insisting that their service providers adopt other EU data export compliance solutions.  So what other solutions are available?

While model contracts have the benefit of being a ‘tried and tested’ solution, the suite of contracts required for global data exports is simply unpalatable to many businesses.  The better solution is, of course, Binding Corporate Rules (BCR): a voluntary set of self-regulatory policies, adopted by a business, that satisfy EU data protection standards and which are submitted to, and authorised by, European DPAs.  Since 2012, service providers have been able to adopt processor BCR, and those that do find that this provides them with a greater degree of flexibility to manage their internal data processing arrangements while, at the same time, continuing to afford a high degree of protection for the data they process.

It’s unlikely that Safe Harbor will be suspended or disappear – far too many US businesses are dependent upon it for their EU/CH to US data flows.  However, the Safe Harbor regime will likely change in response to EU concerns and, over time, will come under increasing amounts of regulatory and customer pressure.  So better to consider alternative data export solutions now and start planning accordingly rather than find yourself caught short!


If I’m not mistaken, that’s a breach….

Posted on November 4th, 2013 by



Last year the UK Information Commissioner (ICO) issued 25 fines (22 of which were for data security breaches).  This year ICO has issued 16 fines so far.  We’ll have to see what happens in the next two months but my guess is we’ll be seeing a fair few more fines in the run up to Christmas.

In a recent blog post on ICO’s website, we are told that the local government sector has received fines totalling more than £2million since the ICO’s fining power began in 2010.  That’s a staggering amount of money which ultimately is paid out of the public purse (presumably to the detriment of the public services it was there to support).

We are also told in the blog that “all these breaches” could have been prevented if the Data Protection Act had been correctly complied with.  I’m not sure I entirely agree with that statement; can total compliance really eliminate all risk of incidents occurring?

While it is true that organisations should implement rigorous data protection and information governance frameworks to help safeguard the data they handle (think “technical and organisational measures” required by the DPA), surely no amount of policies, guidance or training is going to prevent an accidental slip-up from occurring.  The unfortunate reality is that we humble human beings do make the occasional mistake.  We all know – or can imagine – how easy it is to misdial a number or click on ‘send’ and inadvertently send something to the wrong person.   Indeed, our 2012 ICO Enforcement Tracker (please get in touch for a copy) revealed that of all the fines issued by ICO last year the overwhelming majority were for breaches involving misdirected communications.

So practically speaking, what is the answer? 

Well, the best solution is surely to assess and manage the risks in the hope that you can ensure no harm or damage is suffered in the event an incident occurs.  The best thing you and your organisations can do is (i) sit up and pay a bit of attention to the types of data you handle; (ii) get fully up to speed with what your legal obligations are in relation to it; and (iii) implement a robust system to demonstrate not only that you are doing everything possible to avoid a breach occurring in the first place, but also so that you can be confident you have a proper action plan in place to manage an incident if and when it arises. 

It also goes without saying that we can learn an awful lot from the mistakes that others have already made; we know that the “hot spots” for regulatory action include things like misdirected communications, lack of policies and training, and the failure to encrypt portable media that contains personal information.  Organisations should exploit that knowledge and use it to build better and more effective breach management strategies.

Belgian DPA overhauls enforcement strategy

Posted on October 21st, 2013 by



Belgium has long been one of the low risk EU Member States in terms of data protection enforcement. Aside from the fact that pragmatism can be considered part of a Belgian’s nature, this view was also due to the fact that the Belgian DPA, the Privacy Commission, could be termed as one of those so-called ‘toothless tigers’.

As De Standaard reports, it seems this is now about to change, with the Privacy Commission set to follow the example of the Dutch DPA by adopting a more severe enforcement strategy.

Until now, the Privacy Commission did not pro-actively investigate companies or sectors, despite the fact that the Belgian Privacy Act grants them such powers. However, the Privacy Commission has recently decided to establish a team of inspectors who will actively search for companies that process personal data in a non-compliant manner. It seems the Privacy Commission is finally adopting an approach which the CNIL has been applying for a number of years, with the idea being that each year a specific sector would be subject of increased scrutiny.

In addition, anticipating the adoption of the Regulation, the Privacy Commission has called upon the Belgian legislator to grant it more robust enforcement powers. Currently, if a company is found to be in breach of the Belgian data protection laws, the Privacy Commission has a duty to inform the public prosecutor. However, in practice criminal prosecution for data protection non-compliance is virtually non-existent and leads to de facto impunity.  This could drastically change if greater enforcement powers are granted to the Privacy Commission.

In the wake of the coming Regulation, this new enforcement strategy does not come as a surprise. In addition, earlier this year, Belgium faced a couple of high-profile, widely publicised data breach cases for the first time. The Ministry of Defence, the Belgian railway company and the recruitment agency Jobat all suffered massive data leaks. More recently, the massive hacking of Belgacom’s affiliate BICS gave rise to a lot of controversy. It would appear that these cases highlighted to the Privacy Commission the limits of its current powers.

However, if even a pragmatic DPA, such as the Privacy Commission, starts adopting a more repressive enforcement strategy, it is clear that the days of complacency are fading. Organisations processing personal data really cannot afford to wait until the Regulation becomes effective in the next few years. They will have to make sure they have done their homework immediately, as it seems the DPAs won’t wait until the Regulation becomes effective to show their teeth.

One-stop-shop – In search of legal and political effectiveness

Posted on October 7th, 2013 by



The proposed EU Data Protection Regulation is an ambitious piece of legislation by any measure. Perhaps the most ambitious element of all is the introduction of the one-stop-shop principle: one single data protection authority being exclusively competent over an organisation collecting and using data throughout the EU. The reason why this is such a big deal is that even if the law ends up being exactly the same across all Member States (in itself a massive achievement), regulators are human and often show different interpretations of the same issues and rules. So if one-stop-shop becomes a reality, all EU data protection regulators will simply have to accept the position adopted by the one deemed to be competent and keep their own interpretation to themselves. But will they?

Today the Council of the EU is debating how to structure and shape this principle in a way that provides the benefits that the European Commission and global organisations are seeking, whilst meeting the national expectations of each Member State at the same time. It is a matter of legal and political effectiveness. So far and not surprisingly, the Council’s scale seems to be tilting towards greater national intervention than what the Commission originally aimed for. Whilst most Member States appear to be in favour of the philosophy underlying the one-stop-shop mechanism, only a few accept that one single authority should have exclusive jurisdiction to supervise all of the processing activities of a pan-European data user and decide exclusively upon all measures (including penalties). They cite the likely detriment to the protection of the data protection rights of individuals as their main stumbling block.

Therefore, there are a number of possible changes to this principle that will be discussed today, including:

* Limiting the powers of the ‘competent’ authority to authorisation and consultation functions only. So basically, leaving the paperwork for one regulator whilst any other EU authorities would continue to have enforcement powers.

* Replacing the one-stop-shop with a co-decision model (at least for the most important cases) where all relevant regulators need to agree.

* Adopting a consultation model where the competent authority is legally required to consult the other supervisory authorities concerned with a view to reaching consensus.

* Allowing appeals by unhappy authorities to the European Data Protection Board, which would then collectively be empowered to make the final decision.

How realistic these potential changes are is no doubt something that will come up in the discussions. What is clear is that any weakening of the one-stop-principle will affect the effectiveness of the core ‘one law/one regulator’ thinking of the Commission.

ICO’s draft code on Privacy Impact Assessments

Posted on August 8th, 2013 by

This week the Information Commissioner’s Office (‘ICO’) announced a consultation on its draft Conducting Privacy Impact Assessments Code of Practice (the ‘draft code’). The draft code and the consultation document are available at http://www.ico.org.uk/about_us/consultations/our_consultations and the deadline for responding is 5 November 2013.

When it comes into force, the new code of practice will set out ICO’s expectations on the conduct of Privacy Impact Assessments (‘PIAs’) and will replace ICO’s current PIA Handbook. So why is the draft code important and how does it differ from the PIA Handbook?

  • PIAs are a valuable risk management instrument that can function as an early warning system while, at the same time, promoting better privacy and substantive accountability. Although there is at present no statutory requirement to carry out PIAs, ICO expects them.
  • For instance, in the context of carrying out audits, ICO has criticised controllers who had not rolled out a framework for carrying out PIAs. More importantly, the absence or presence of a risk assessment is a determinative factor in ICO’s decision making to take enforcement action or not. When ICO talks about the absence or presence of a risk assessment, it means the conduct of some form of PIA.
  • Impact assessments are likely to soon become a mandatory statutory requirement across the EU, as the current version of the draft EU Data Protection Regulation requires ‘Data Protection Impact Assessments’. Note, however, that the DPIAs mandated by article 33 of the Draft Regulation have a narrower scope than PIAs. The former focus on ‘data protection risks’ as opposed to ‘privacy risks’, which is a broader concept that in addition to data protection encompasses broader notions of privacy such as privacy of personal behaviour or privacy of personal communications.
  • The fact that ICO’s guidance on PIAs will now take the form of a statutory Code of Practice (as opposed to a ‘Handbook’) means that it will have increased evidentiary significance in legal proceedings before courts and tribunals on questions relevant to the conduct of PIAs.

The PIA Handbook is generally too cumbersome and convoluted. The aim of the draft code is to simplify the current guidance and promote practical PIAs that are less time consuming and complex, and as flexible as possible in order to be adapted to an organisation’s existing project and risk management processes. However, on an initial review of the draft code I am not convinced that it achieves the optimum results in this regard. Consider for example the following expectations set out in the draft code which did not appear in the PIA Handbook:

  • In addition to internal stakeholders, organisations should work with partner organisations and with the public. In other words, ICO encourages controllers to test their PIA analysis with the individuals who will be affected by the project that is being assessed.
  • Conducting and publicising the PIA will help build trust with the individuals using the organisation’s services. In other words, ICO expects that PIAs will be published in certain circumstances.
  • PIAs should incorporate 7 distinct steps and the draft code provides templates for questionnaires and reports, as well as guidance on how to integrate the PIA with project and risk management processes.

Overall, although the draft code is certainly an improvement compared to the PIA Handbook, it remains cumbersome and prescriptive. It also places a lot of emphasis on documentation, recording decisions and record keeping. In addition, the guidance and some of the templates include privacy jargon that is unlikely to be understood by staff who are not privacy experts, such as project managers or work-stream leads who are most likely to be asked to populate the PIA documentation in practice.

Many organisations are likely to want a simpler, more streamlined and more efficient PIA process with fewer steps, simpler tools / documents and clearer guidance, and which incorporates legal requirements and ICO’s essential expectations without unduly delaying the launch of new processing operations. Such organisations are also likely to want to make their voice heard in the context of ICO’s consultation on the draft code.

UK Government to consult on introducing custodial penalties for breaches of the DPA (again!)

Posted on July 12th, 2013 by

One of the issues that the Information Commissioner (ICO) (along with other voices) has been persistent about in recent years is the need for stiffer penalties for breaches of the Data Protection Act 1998. It is understandably frustrating for the regulator that those individuals who flagrantly disregard data protection responsibilities (e.g. through offences such as blagging) typically only face a penalty of up to £5,000. There has been a campaign from various quarters to increase the maximum sentence that can be awarded for a breach of s. 55 of the DPA (the unlawful obtaining and use of personal data) and the previous Government provided for a tougher regime when they amended the DPA through the Criminal Justice and Immigration Act 2008 to increase the penalty to a maximum of 2 years imprisonment. However, this provision has still to be brought into force. The campaign to increase the penalty gained greater impetus when Lord Justice Leveson, in his 2012 report, also recommended that the maximum sentence be increased. It was examined again recently by the UK Parliament’s Justice Committee in their report on the role of the ICO.

Yesterday Lord McNally’s response on behalf of the Government to the Justice Committee’s report was published. In his short letter, Lord McNally commented on the ICO’s status and funding, accountability to Parliament and powers to compel audits of the public sector. He also announced that the Government will be holding a public consultation on the full range of data protection proposals that Lord Justice Leveson recommended including, of course, the proposal to introduce custodial penalties for breaches of s. 55. In reality, this announcement is not a surprise given the Government’s response to other related work in this area such as the Shakespeare Review of Public Sector Information in June this year.

The previous Government consulted twice on the proposal to introduce custodial penalties – in 2006 and 2009 – but in each case decided not to do so even though there was considerable support from the public for the change. Since then, the usual Government response to select committees’ recommendations has been to hold the line and not take the plunge of introducing stricter penalties. So in 2011, the Government responded to the Justice Committee’s report on referral fees and the theft of personal data by stating that it wasn’t yet convinced that it was the right time to introduce custodial sentences for s. 55 offences (partly because the Government wanted to wait until the Leveson Inquiry, then in full swing, had reported). The Government has already been extensively criticised for not responding more fully to the Leveson proposals. Now that the s. 55 proposal is being put to a third round of public consultation with the weight of the Leveson Report behind it, it will become more difficult for the Government to side-step this thorny issue again.