Federal Trade Commissioner Julie Brill frequently has commented that when it comes to privacy enforcement, more "cops on the beat" is better. In today’s guest blog, reprinted with permission from the blog of Google’s Global Privacy Counsel Peter Fleischer, the spectre of multiple privacy enforcement authorities with substantial fining authority is raised:
When Apollo wanted to stop Laokoon from warning the Trojans that there were Greek soldiers in the famous Trojan Horse, he sent two giant snakes to kill Laokoon and his sons. Talk about sanctions! Have we considered using killer snakes to punish data protection violations and to discourage future bad practices?
Since 2012 has now begun, here’s a prediction about the future: there are going to be a lot more privacy enforcement actions. By a lot of different government authorities, not just DPAs. And the sanctions/damages are going to go through the roof. Indeed, it’s not easy to keep track of which government officials are in charge of data protection enforcement actions. There are a lot of them.
We all think of Data Protection Authorities, and similar bodies, like the Federal Trade Commission, as responsible for enforcing privacy laws. These bodies around the world have vastly different enforcement powers, investigative cultures, and sanctions traditions, even within Europe. Some, like the Spanish DPA, impose a lot of large fines. Others, like the French CNIL, imposed only 5 financial sanctions in an entire year. The largest fine the CNIL has issued in its entire history was 100,000 euros.
And yet others, like the Belgian DPA, don’t have the legal power to impose fines at all. Other DPAs hardly ever use sanctions at all, in the classic sense, other than press releases and "name and shame" tactics. Moreover, in recent years, the US Federal Trade Commission has been moving in a different direction, namely negotiating consent decrees that are forward-looking, 20-year commitments for particular companies to abide by certain privacy standards and be subject to regular audits.
But if the plethora of DPAs and their varied enforcement practices were not divergent enough, privacy enforcement is by no means limited to these specialist regulators. In the US, the individual State Attorneys General regularly bring privacy actions. There’s also an entire industry of US privacy-based class actions which has sprung up in the last few years.
Moreover, in many countries, privacy laws have been inscribed into the penal codes. Consequently, any criminal prosecutor can bring such privacy penal actions. For example, my prosecution and conviction in Italy for a "privacy violation" was brought by a Milanese public prosecutor and imposed by a criminal judge.
In the future, the proliferation of the numbers of authorities who can bring privacy enforcement actions is likely to increase. First, more and more countries are creating data protection authorities, e.g., roughly a dozen new ones have been created across Latin America and Asia in the last year.
And in Europe, where class actions generally don’t exist and don’t fit into the existing legal framework, there are now serious proposals to create mechanisms for "collective redress" of privacy claims. And of course, there have always been the normal judicial channels, where anyone can bring privacy claims against someone else if they feel their privacy has been violated. The number of such cases is also exploding around the world, especially as more and more data about people is collected, exchanged and published.
I regularly hear people claim that there’s not enough legal enforcement of privacy. In some places, as a matter of practice, that may well be true. But there is no shortage of overlapping authorities with the power to bring or adjudicate privacy claims. Curiously, in privacy circles, most of the focus is on the enforcement actions of the DPAs. But in practice, the DPAs are just one of many different authorities who can and do bring privacy enforcement actions. And the trend is clearly going up, both in terms of the numbers of laws that can be violated, in terms of the severity of sanctions, in terms of the numbers of complaints that are brought, and in terms of the breadth of authorities who are involved in enforcing privacy.
The European Commission has proposed instituting new fines for data protection breaches ranging up to 5% of global turnover! To a global company, that’s probably scarier than killer snakes.