UK to issue fines of up to £500,000 for violations of Data Protection Act
Tuesday, February 09, 2010
By Covington & Burling - Daniel Cooper, Henriette Tielemans and David Fink
This article was published in Lexology

The UK Ministry of Justice has announced that the Information Commissioner's Office will be permitted to fine companies operating as data controllers in the UK up to £500,000 for serious contraventions of Section 4(4) of the Data Protection Act 1998. The fining authority is expected to come into effect on 6 April. Amendments to the Data Protection Act approved in 2008 granted the ICO the power to issue fines in the following circumstances:
there has been a serious contravention of Section 4(4);
the contravention was of a kind likely to cause substantial damage or substantial distress; and
the contravention was deliberate, or the company knew or ought to have known that there was a risk the contravention would occur, and that such contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the contravention.

Section 4(4) transposes key protections of the EU Data Protection Directive into UK law such as requirements for fair and lawful processing, proportionality, data quality and security.

The Commission is to take an objective approach in considering whether there has been a "serious" violation of these principles. Guidance issued by the ICO provides two examples of serious violations:
(i) a failure to take adequate security measures, resulting in the loss of a compact disc holding personal data; and
(ii) a loss of medical records containing sensitive medical data during an office move.
The Guidance also indicates that a determination of whether a violation is "substantial" will involve an objective analysis of the importance, value, degree, amount or extent of the harm.

In calculating the amount of the fine, the Commissioner will take several factors into account, including, among others, the nature of the breach, the conduct of the company, and the size and financial resources of the company. According to the Guidance, "as a general rule a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention..."

Reding Calls for Re-opening the Data Protection Directive

Viviane Reding, the Commissioner-designate for Justice, Fundamental Rights, and Citizenship, indicated in remarks on January 28 that the Data Protection Directive will be re-opened. The Commission conducted a consultation in the autumn that was widely viewed as a prelude to re-opening. "I can tell you that most responses [to that consultation] call for stronger and more consistent data protection legislation across the Union," Reding said. "We need to clarify the application of some key rules and principles, such as consent and transparency, in practice."

She said the Commission would consider including in the Directive a breach notification provision that would apply beyond electronic communications services, which are covered by the recently enacted breach notification measure in the e-Privacy Directive. Reding also indicated that the following "challenges" may be addressed in the Commission's proposal:
clarifying the application of some key rules and principles (such as consent and transparency) in practice;
ensuring that personal data are protected regardless of the location of the relevant organization;
promoting Privacy Enhancing Technologies (PETs), by introducing new evolving principles (such as "privacy by design");
strengthening enforcement; and
incorporating the fundamental principles of data protection to cover all areas of EU competence, including police and judicial cooperation in criminal matters and the EU's external relations.

In her remarks, Reding stressed the importance of technology in protecting privacy. "Businesses must use their power of innovation to improve the protection of privacy and personal data from the very beginning of the development cycle," she said. "Privacy by Design is a principle that is in the interest of both citizens and businesses. Privacy by Design will lead to better protection for individuals, as well as to trust and confidence in new services and products that will in turn have a positive impact on the economy."

European Commission launches Infringement Proceedings Against Italy Over Databases for Telemarketing Purposes

The European Commission has sent Italy a letter of formal notice (the first step in an infringement proceeding) for not respecting provisions of the e-Privacy Directive (Directive 2002/58/EC) in connection with a database for telemarketing purposes. Under the Directive, subscribers who are included in a public subscriber directory must be informed about the objectives of the directory and consent to the use of their personal data for marketing purposes.

Databases have been set up in Italy for telemarketing purposes on the basis of public subscriber directories, but according to the Commission the individuals were neither informed of the transfer of their data from phone directories to the databases nor did they give consent. The use of these databases was permitted by Italian legislation until 31 December 2009, and was then prolonged for a further six months.

"Not only is it worrying to see that Italian legislation does not comply with the privacy requirements set out in the Directive but that the Italian authorities also further prolonged the use of databases which include personal data for the use of which no consent had been granted," said EU Information Society Commissioner Viviane Reding.

Commission Issues Model Clauses for Subprocessors

The European Commission has adopted a Decision updating the "controller to processor" standard contractual clauses set forth in Commission Decision 2002/16/EC. The amending Decision is not yet publicly available.

According to a Commission press release, the revised clauses will enable a processor, under certain circumstances, to outsource processing activities to another processor (subprocessing). While the press release does not describe the mechanics for the outsourcing, it seems likely that the subprocessor will assume the same obligations for security and lawful processing as those imposed on the processor.

Subprocessing activities are not covered by the current standard clauses, even though the use of outsourcing is increasingly common. This has created complications for many companies and limited the usefulness of the clauses, which are a popular mechanism for transferring data from EU-based controllers to processors located in third countries that are not recognized by the EU as providing an adequate level of data protection.

"The updated standard contractual clauses ensure a balance between global business needs and protection of EU citizens' personal data," said Jacques Barrot, Commission Vice President and Commissioner for Justice, Freedom and Security.