Article 29 Working Party Releases 11th Annual Report
On January 21, 2009, the Article 29 Working Party released its 11th Annual Report on Data Protection and the report shows a rise in enforcement activities by the European Union Data Protection Authorities (DPAs) resulting in fines totaling millions of Euros, some criminal prosecutions, and concerns over liberal use of electronic discovery in US litigation involving EU subsidiaries.
While the report covers the year 2007, it is a handy (yet belated) insight into all EU Data Protection Authorities’ enforcement activities. Most importantly, it serves as a useful tool to gauge where data protection enforcement in the EU is heading. In 2007, the DPAs focused on a variety of areas of data processing such as electronic healthcare, law enforcement, employment, financial sector, biometric data, and video surveillance. The report also highlights the local implementation efforts of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (the E-Privacy Directive) and the varying degrees of retention periods set by local legislation.
The Spanish, Dutch, French, and Italian DPAs were just as active in 2007 as in the previous years.
The Spanish DPA noted that in “2007, the number of claims filed by citizens with the AEPD rose by around 7% to a total of 1,624.” The Spanish DPA issued 399 penalties, “a 32.5% increase over the previous year” resulting in fines of 19.6 million Euros—an average of nearly €50,000. Furthermore, “[t]he greater part of the inspections carried out ha[d] to do with telecommunications and financial institutions, followed by video-surveillance, which is now in third place following an increase by over 400%.”
The Dutch DPA stated that in 2007 it had “changed its strategic direction and shifted its priority to carrying out investigations and enforcement actions – the core task of any independent supervisory authority – to ensure a more effective promotion of the awareness of standards.” The Dutch DPA also suggested that it was going after the bigger fish stating that it “g[a]ve priority, as regards requests for help and assistance, to serious violations of a structural nature and to violations which entail major consequences for a substantial number of citizens or for groups of citizens.”
The French DPA reiterated its penalty and audit powers stating that “the CNIL has sanctioning powers enabling it to levy fines to the amount of €150,000 (€300,000 in the case of repetition), within the limit of 5% of turnover.” In 2007, the French DPA issued nine fines ranging from €5,000 to €50,000, five warnings, and 101 formal notifications.
The French DPA also voiced its concerns over US data retention and electronic discovery rules stating that it had “observed a recent increase in the requirement for the communication of personal data held, inter alia, by the French subsidiaries of American companies that are the subject of discovery proceedings before American civil courts or pre-trial discovery.” The French DPA was worried not just about private litigation but discovery by the FTC and SEC. Therefore, the French DPA “attempted to draw the government’s attention to this issue” and set up inter-ministerial discussions.
The Italian DPA also enhanced its inspection activities in 2007. Interestingly, the Italian DPA benefited from the use of the specialized Financial Police when checking compliance with notification requirements, information notices, and security measures. “Overall, 452 inspection proceedings were carried out. They mostly concerned private entities and were aimed at checking compliance with the main requirements laid down in the data protection legislation.” The Italian DPA focused on “personal (medical) data by pharmaceutical companies and healthcare bodies; the online processing of personal data; processing aimed at the provision of goods and services via distance selling mechanisms (including call centres); the processing operations performed by Revenue Offices; the retention of users’/subscribers’ data by telecom operators; and e-banking services.” Out of these 452 inspections, the DPA issued 228 administrative sanctions and referred 15 cases to criminal prosecution. The Italian DPA expects revenues of €750,000 from these sanctions.
In sum, enforcement by EU DPAs and the financial liability for violations of local data protection legislation are both on the rise.