Spanish Data Protection Authority Launches Public Consultation on Cloud Computing

By Pablo Rivas in our Madrid Office

Following the example of the French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés or CNIL), the Spanish Data Protection Authority (Agencia Española de Protección de Datos or AEPD) has opened a public consultation on cloud computing to learn the opinions and experiences of service providers and users.

Interested parties have until January 27 to submit their comments. This public consultation is a good opportunity to enhance the AEPD's understanding of the data protection problems arising from cloud computing, and it may also help the AEPD find viable solutions and alternatives for data protection compliance within the cloud computing environment.

Interested parties can participate in the public consultation by completing an online form (in Spanish) available on the AEPD's website, www.agpd.es.

We will keep you posted on the AEPD's conclusions from this public consultation.

UK Takes Step That Likely Will Result in Significantly Increased Penalties for Data Breaches

In a move that likely will result in a significant increase in the civil penalties that can be assessed in the UK for data security breaches, this month the UK Ministry of Justice began a consultation on the introduction of a maximum civil monetary penalty for serious breaches of the Data Protection Act 1998 (DPA), entitled ‘Civil Monetary Penalties: Setting the maximum penalty’.

The prospect of a maximum financial penalty was introduced into the DPA in 2008 by the Criminal Justice and Immigration Act 2008, but has yet to be implemented. After the consultation closes on 21 December 2009 it is likely to become law in April 2010.

The focus of the consultation is whether the current sanctions available to the ICO are sufficient. Last month we reported on the government’s consultation on possible prison sentences for serious breaches of the DPA, and this latest consultation builds on the same theme. The current maximum financial penalty the ICO can impose against a data controller for data breaches is £5,000, which is fairly negligible and seriously undermines the ICO’s authority. Other regulators, such as the FSA, have much greater powers and may impose severe penalties of up to 10% of an organisation’s turnover; the disparity in approach is obvious. The government’s aim, therefore, is to increase the monetary penalties available to the ICO, in order to increase compliance with the DPA as well as public confidence in the system. It is noted that incidents of data loss and other serious breaches of the DPA are increasing, yet the ICO has limited powers to address the problem.

The question posed by the consultation is very simple: “Do you consider that a penalty of up to £500,000 provides the ICO with a proportionate sanction for serious contraventions of the data protection principles?” We might predict a resounding ‘yes’ to this, but must wait and see. We do know, however, that, due to the likely administrative burden, the ICO has already rejected an assessment of penalties based on a data controller’s turnover, so a fixed maximum penalty of up to £500,000 (or possibly a different sum) will be adopted.

Further details of the consultation and the proposed introduction of the maximum civil monetary penalty for serious breaches of the DPA can be accessed through the Ministry of Justice website. The link also includes the ICO’s draft guidance on the criteria and circumstances it will consider when using civil monetary penalties. As a rough guide, the seriousness of the breach and whether or not it was deliberate will be important factors, as will the prospect of substantial damage and distress caused, or likely to be caused.

UK Government consults on custodial sentences for data protection offences

Under the Data Protection Act 1998 (“DPA”), it is an offence to knowingly or recklessly obtain or disclose personal data, or the information contained in personal data, without the consent of the data controller. Section 55 of the DPA details the offences and any exclusions, or defences, which may apply. It also sets out the procedure for monetary penalties to be imposed. Under the current law, the maximum penalty for those found guilty of offences such as selling personal data is a £5,000 fine in the Magistrates’ Court and an unlimited fine in the Crown Court. However, cases leading to substantial fines are rare.

The Ministry of Justice (which oversees the Information Commissioner’s Office) has recently announced a consultation exercise to decide whether to introduce tougher penalties for breaches of section 55 of the DPA, which could lead to the introduction of custodial sentences for those convicted. Although provision was made to introduce prison sentences through the Criminal Justice and Immigration Act 2008, this has yet to be implemented and is subject to the consultation exercise, which is expected to close on 7 January 2010.

If adopted as law, the maximum penalty for the knowing or reckless misuse of personal data would be a prison sentence of up to 12 months (if heard in the Magistrates’ Court) or up to 2 years (if heard in the Crown Court). This is an important development for the ICO, which has fairly limited powers of enforcement, and is arguably a necessary response to the increasingly serious breaches of the DPA involving the misuse of personal data.