Out-Law Analysis 8 min. read
05 Jul 2013, 11:10 am
We look at the different approaches that data protection authorities (DPAs) in France, the UK and Germany take to data protection breaches.
Knowing the different attitudes that each of the watchdogs takes to enforcement is a useful tool for companies operating in the EU. Companies can face serious consequences if they breach data protection laws, and those consequences can differ greatly between countries.
One of the leading EU DPAs, France's Commission Nationale de l’Information et des Libertés (CNIL), announced earlier this year that it and counterpart authorities in the UK, Germany, Italy, Spain and the Netherlands would each separately undertake regulatory investigations into Google and determine whether to impose penalties against the internet giant over alleged privacy policy failings.
Last year Google consolidated over 60 privacy policies it had operated for different services it runs, such as Gmail and YouTube, into one single policy. At the time CNIL led an investigation on behalf of a body representing all of the EU's privacy watchdogs into the policy and concluded that the policy was not compliant with the EU's Data Protection Directive.
Amongst its findings, CNIL said that Google did not have a "valid legal basis" in some cases to combine personal data collected from users of multiple services. Google has argued that its privacy policy complies with EU data protection rules, but CNIL placed a deadline on Google to make changes to its policy.
CNIL announced earlier this year that Google had not adequately addressed its concerns and that six of the leading DPAs in the EU, including the UK's Information Commissioner's Office and the Hamburg Commissioner for Data Privacy and Freedom of Information, would each be looking more closely at the issue to assess compliance with the applicable national data protection laws within their jurisdiction.
CNIL recently provided a progress report on the regulatory action taken so far.
So what tools do CNIL, regional German commissioners and the ICO each have at their disposal for enforcing data protection law?
CNIL
The French Data Protection Act (Law 78-17 of 6 January 1978 as amended) provides the Selected Committee of CNIL and the CNIL chairman with a wide range of enforcement powers.
Should companies fail to comply with their obligations under the Act, the Selected Committee may issue a warning to the data controller, which is considered as a sanction.
Alternatively, the CNIL chairman may also serve a formal notice to comply. Should companies fail to adhere to the formal notice to cease their non-compliance, the Selected Committee may, following a hearing of parties, impose an injunction on businesses to cease processing or withdraw its authorisation of processing if one has been granted, or impose a fine.
The French Data Protection Act caps the amount of money companies can be fined for data protection offences. For a first breach organisations cannot be fined more than €150,000. Repeat offending businesses can be fined up to either €300,000 or 5% of their annual turnover net of tax up to €300,000 for companies.
CNIL's powers are triggered when the processing or the use of processed data leads to a violation of human rights, human identity, privacy or individual or public liberties.
In those cases the Selected Committee of CNIL can elect, after hearing submissions from all parties, to initiate an emergency procedure through which it can issue a warning to companies about their activity, interrupt or completely prevent certain data processing activities for up to three months, or even notify the French Prime Minister who can take measures necessary to ensure compliance.
In case of serious and immediate violation of human rights, human identity, privacy or individual or public liberties, the CNIL Chairman can seek the authority of the French courts to order businesses to pay a daily penalty for their non-compliance or impose that companies adopt any security measure necessary for the protection of individuals' privacy rights.
Where it considers a criminal offence has been committed, CNIL can also decide to notify France's Public Prosecutor who will then decide whether to prosecute before the French Criminal Court.
In addition to the above, CNIL is able to make public any sanctions it imposes.
Last month CNIL served a formal notice on Google in which it set a three month deadline for the company to change its privacy policy. CNIL wants Google to define the "specified and explicit purposes" for which users' personal data will be processed and define how long the information will be retained, and commit not to combine users' data from across different services without having a legal basis for doing so, amongst making other changes.
The data protection authorities in the 16 German Federal States
With respect to data protection law applicable to private companies, German data protection law is the same across all 16 German Federal States.
The German Google entity has its seat in Hamburg. This is why the Hamburg Commissioner for Data Privacy and Freedom of Information, Johannes Caspar, and not any of the other State authorities, is responsible for determining its enforcement of German data protection law against Google.
Generally the DPAs in the northern German Federal States, in particular Schleswig Holstein and Hamburg, have adopted a stricter approach to enforcing data protection laws. The DPAs in Hamburg and Schleswig Holstein have also seemed to focus more on media and internet related data protection law issues.
German data protection legislation provides the State DPAs with a range of powers in terms of enforcement.
The DPAs will firstly write to companies suspected of breaching the laws and ask them to comment on the allegations.
They have the power to set concrete measures companies must follow. This includes setting administrative deeds that describe which preconditions are to be fulfilled to allow data processing or transfers to take place.
In more serious cases the State watchdogs can also place an absolute prohibition on businesses' collection, processing or use of certain data, whilst in the most extreme cases businesses can even be banned by the watchdog from engaging in any collection, processing or use of personal data.
Businesses can also be fined by the DPAs over their non-compliance with German data protection rules. The German Data Protection Act places a general €300,000 cap on the maximum penalty that can be imposed on non-compliant companies, although the Act does allow for higher fines to be served where the financial benefit of non-compliance can be shown to exceed the €300,000 cap.
Earlier this week the Hamburg DPA confirmed that it has initiated an administrative action against Google over the privacy policy issue. Google has until mid-August to submit its views on the case and the Hamburg authority has said it will determine what the next step will be on the basis of what Google has to say.
The UK's ICO
The Information Commissioner's Office (ICO) has the power to issue civil monetary penalties of up to £500,000 against organisations that are guilty of a serious breach of the UK's Data Protection Act. A fine can only be imposed where the ICO can be satisfied that the breach was likely to cause substantial damage or distress to the data subjects affected and if the data controller knew or ought to have known that the breach would occur and would be likely to cause substantial damage or distress.
Businesses issued with a civil monetary penalty notice have a right of appeal, but in cases where they are forced to pay but do not do so within the prescribed timetable, the ICO may seek an order from either the High Court of County Court in order to recover fines that are not paid.
If the ICO determines that the criteria for serving a monetary penalty is not met or where it deems it inappropriate, it can turn to a number of other tools in a bid to make organisations comply with the law.
The ICO can issue binding information notices to companies to force those organisations to hand over to it certain information it seeks in connection with its investigations into alleged non-compliance.
The ICO may also seek a signed undertaking from a data controller to commit to a certain prescribed course of action in order to improve its compliance. This is not a formal regulatory power designated under the Data Protection Act, but it is an enforcement tool that the ICO has used in a number of instances.
Alternatively the ICO can serve non-compliant companies with enforcement notices. These can be issued to compel the companies to take specific steps to rectify the contravention or to refrain from processing certain specified personal data. Non-compliance with an enforcement notice is a criminal offence.
Earlier this week the ICO said that it has serious concerns about whether Google's privacy policy complies with the Data Protection Act. The ICO has given Google until 20 September to "take the necessary action to improve the policies compliance" and has threatened to take "formal enforcement action” if the company does not do so.
How the DPAs have used their powers and the future of enforcement
None of CNIL, the Hamburg Commissioner or the ICO has made full use of all the powers before it against organisations.
It is rare for CNIL to impose administrative fines against companies, but it does like to publicise the action it does take. CNIL has served a €100,000 fine on Google. It was issued after it emerged that technology deployed on Google's Street View cars collected the personal data of French citizens without authorisation.
The Hamburg authority is aggressive in announcing the actions it is taking when investigating allegations of non-compliance but much more reluctant in actually using its powers. The Commissioner earlier this year served a €145,000 fine on Google in relation to the Street View issue. At the time Caspar bemoaned the "totally inadequate" sanctions available to him.
The ICO has been quite active in its enforcement of the Data Protection Act in the UK. In 2012 alone it served 23 separate monetary penalty notices on organisations over breaches of the Act totalling in excess of £2.5 million against a number of organisations in 2012. Most were in the public sector.
The ICO has on three separate occasions investigated Google over its Street View data collection and on each occasion decided against imposing a monetary penalty against the company. The £250,000 fine the ICO issued against Sony over data security failings in the PlayStation Network showed, however, that the watchdog is willing to issue sanctions against major technology companies, albeit the case is subject to appeal with a four-day hearing scheduled for November.
The Google case will show whether these regulators are prepared to use the full extent of their powers or not.
The future of data protection enforcement, though, is in increased joint co-operation. Already we have seen increased co-operation on global terms, with the Canadian and Dutch Commissioners acting in cohort against Whatsapp, for example.
The Google privacy policy case initially saw all 27 DPAs in the EU, prior to Croatia joining the trading bloc, engaged in scrutinising the company, and now six of the most prominent DPAs have initiated separate regulatory actions.
A new EU Data Protection Regulation would, if introduced, also require a lot more co-operation under the 'consistency mechanism' proposed by the European Commission.
Marc Dautlich, Morgane Kauffmann and Stephan Appt are data protection law experts at Pinsent Masons, the law firm behind Out-Law.com
