The relative impotence of the UK’s data protection watchdog has recently hit the headlines. It’s not surprising Information Commissioner Richard Thomas craves more powers; just look at the recently published annual report of his Iberian counterpart. Stephen Groom reports from Madrid (he wishes).
Who: The Spanish Data Protection Agency
When: September 2007
Law stated as at: 30 November 2007
The Spanish data protection watchdog, the Data Protection Agency, issued its 2006 annual report.
The Spanish "DPA" is famous, or notorious depending on your viewpoint, for running probably the best resourced and most heavily armed and active data privacy law enforcement operation in Europe.
While other European data protection authorities speak loudly but mostly carry a blunt stick in terms of powers to impose serious penalties on those breaching EU data protection laws, the DPA has for years been a beacon of hope for businesses that take the trouble to comply with data laws but often see their competitors ride roughshod over personal data rights with impunity.
Incentivised by its ability to bank for its own purposes any financial penalties imposed on data law infringers, the DPA has from the first been well staffed, well resourced and highly proactive in its enforcement activities.
2006 was no exception to this pattern.
Over 24m EUR in fines
Fines imposed during that year totalled no less than EUR 24,400,000.
In the advertising sector there were 53 inspections of businesses' data processing activities and 29 sanctions were imposed, whilst in relation to unsolicited commercial email, for example, there were even more inspections (56) and 14 sanctions imposed.
The DPA also published no fewer than 553 legal reports clarifying its position in various key areas and authorised 133 transfers of personal data from Spain to countries which did not have data protection laws that were recognised by the EU as providing "adequate" protection for personal data.
New powers also entitled the DPA to publish details of those transfers and the companies proposing to export the data, in advance of the proposed transfer, thus giving affected individuals the opportunity to object to the transfer.
Why this matters:
European data protection laws may be harmonised, but the same certainly cannot be said for the relevant enforcement mechanisms, hence the considerable disparities in this regard across Europe.
The UK's own Information Commissioner's Office ("ICO"), for example, is still calling for greater powers and resources after years of doing so and is only now, after recent public authority data debacles, getting a semi-serious response in the form of a grudging acceptance that it might perhaps be given the power to inspect the premises of public bodies where data protection law breaches are suspected.
As regards penalties, ICO must regard with envious eyes the numbers quoted in the DPA report, with fines imposed as a result of ICO enforcement action in 2006 probably falling some way short of 0.1% of the DPA figure.
Recently there have been noises in Brussels about moves to introduce more enforcement consistency for EU data protection laws. This report only serves to underline the urgency of such a move.