At a recent presentation in Frankfurt, Peter Hustinx, head of the European Data Protection Supervisor Office in Brussels, launched an intriguing idea: sanctioning violations of data protection law in the same manner as violations of competition law.
The trade press regularly reports on multi-million euro fines for cartels or abuses of dominant positions by companies under the competition rules of the European Union. These figures are far away from the fines that currently can be levied for data protection violations. Observers of the competition law scene will agree that the main reason that companies operating in the EU pay attention to competition law is the astronomic fines that can – and are – levied.
Observers of the privacy scene also agree that one of the reasons that privacy is sometimes still not taken as seriously as it should by companies, is the relative lack of enforcement, and the low fines in case of enforcement. With shrinking legal budgets for compliance and training, companies often devote more resources to areas where fines are steep such as competition law.
Hustinx’s timing is not a coincidence. The European Union is reviewing the current 1995 Data Protection Directive and a draft proposal is expected this summer. Traditionally sanctions for violations of data protection laws have been left to the twenty-seven EU Member States (and they vary widely) but perhaps this will change. It remains to be seen how Hustinx’s suggestion will be received by the European Commission’s Data Protection Unit which is in charge of the revision of the 1995 Directive, subject to control by the European Parliament and the Council of Ministers. But the office of the European Data Protection Supervisor, charged with monitoring compliance by the European institutions of data protection rules within their own ranks and advising the European institutions on data protection issues, is influential and highly respected in the privacy community and this proposal will therefore not go by unnoticed. If accepted, it would revolutionize the data protection landscape in Europe.