Speaking at Berkeley’s Online Tracking Workshop today, Françoise Le Bail, Director-General of the European Commission’s DG Justice (the leading department regarding the EU data protection reforms) confirmed the European Commission’s vision that the EU needs stronger penalties in order to ensure effective enforcement of European data protection rules. Ms. Le Bail said that European privacy regulators should be able to impose “significant” sanctions on companies for violating EU privacy rules.
Under the current EU Data Protection Directive, dating back to 1995, each EU Member State autonomously decides on the sanctions for data protection violations, resulting in considerable differences throughout the EU. According to critics, the fines are “too small” in most Member States, particularly in comparison to the turnover of the companies concerned. Frequently cited examples are the fines imposed on Google last year by Spain and France (EUR 900,000 and EUR 150,000, respectively).
Sjoera Nas, an internet and telecom expert of the Dutch data protection authority who also spoke at today’s conference, wondered what “a fine of EUR 150,000 does to a company that makes this (amount) in half a minute”, a view which was backed by Ms. Le Bail: she called the fine of EUR 150,000 “pocket money” for Google. According to Ms. Nas, only “the threat of serious financial harm” can have an effective dissuasive effect on companies.
The DG Justice’s Director did not go into detail regarding the level of appropriate fines. “What is important to us is that these fines are significant,” Ms. Le Bail said, emphasizing that potential fines should have a deterrent effect on companies, and that beyond that “it can be 2 percent (or) 10 percent” of companies’ annual turnover. “If you respect the regulation, you don’t have the fines to pay,” she added, reminding the audience that “privacy is a fundamental right in Europe (which) has to be respected.”
In the European Commission’s Proposal for a General Data Protection Regulation (GDPR) (see Inside Privacy, European Commission Proposes Comprehensive Data Protection Reform, January 25, 2012), the Commission introduced EU-wide fines which could amount to between 0.5% of a company’s annual worldwide turnover or EUR 250,000, and 2% of a company’s annual worldwide turnover or EUR 1,000,000, depending on the severity of the violation. However, the leading parliamentary committee on the European Commission’s proposed GDPR, the Civil Liberties Committee (“LIBE”) (see Inside Privacy, LIBE Committee Vote Completes Major Step Towards Adoption of EU Data Protection Regulation, October 21, 2013), has shown even more ambition, harmonizing the different categories of violations and increasing the maximum fines for GDPR breaches to up to 5% of a company’s annual worldwide turnover or up to EUR 100,000,000, whichever is greater.
Interestingly, Ms. Le Bail’s statements regarding penalties come merely two weeks after the release of a report published by the European Agency for Fundamental Rights (FRA). The report’s main conclusion is that redress mechanisms for data protection violations in the EU need improvement. It highlighted several points for attention, among them the noticeable variation between the different Member States regarding sanctions and fines for data protection violations.