Background
On November 9, 2009, the UK's Ministry of Justice launched a consultation (the "Consultation") seeking the public's views on the proposed implementation of a maximum penalty of £500,000 (approximately US$837,950) for serious breaches of the UK Data Protection Act 1998 (the "DPA"). The Consultation follows the Information Commissioner's publication of draft guidance this week, explaining the circumstances in which a fine will be imposed. The launch of the Consultation puts to rest recent speculation as to the level of fine likely to be imposed for a deliberate or serious breach of the DPA, including for data security breaches.
The DPA imposes obligations on data controllers that process personal data to: (i) process personal data fairly and lawfully; (ii) obtain personal data only for specified lawful purposes, and not further process personal data in any manner incompatible with such purposes; (iii) ensure that personal data are adequate, relevant and not excessive in relation to the purposes for which they are processed; (iv) ensure that personal data are accurate and, where necessary, kept up-to-date; (v) keep personal data only for as long as is necessary for the purposes for which they are collected; (vi) process personal data in accordance with individuals' rights; (vii) implement appropriate technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and (viii) not transfer personal data to a jurisdiction outside the European Economic Area unless that jurisdiction affords adequate protection levels for individuals' rights and freedoms in relation to the processing of personal data.
In 2008, the DPA was amended by Section 144 of the Criminal Justice and Immigration Act 2008 ("CJIA") to provide the Information Commissioner with the power to impose civil monetary penalties on data controllers who commit serious breaches of any of the obligations set out above (known as the "data protection principles"). Before doing so, the Information Commissioner must be satisfied that the contravention: (i) was serious and of a kind likely to cause substantial damage or distress to an individual; and (ii) was either deliberate or the data controller knew, or ought to have known, that there was a risk that the contravention would occur and that it would be likely to cause substantial damage or distress, but failed to take reasonable steps to prevent it. In addition, before imposing a monetary penalty, the Information Commissioner is required to serve the data controller with a notice of intent, which must inform the data controller of the proposed amount of the monetary penalty and of its right to make written representations to the Information Commissioner within a specified period. The Information Commissioner may not issue the monetary penalty until the period for making such representations has expired.
The Consultation
The Consultation provides organizations with an opportunity to express their views about the proposed maximum penalties. The Consultation paper issued by the Ministry of Justice highlights the UK government's underlying aim of safeguarding personal data effectively and processing it responsibly and lawfully. In addition, the UK government is of the view that the implementation of such penalties should contribute to increased compliance with the DPA and greater confidence for individuals whose personal data are processed. The Consultation also stresses, however, that any financial sanctions imposed must be proportionate, taking into account specific circumstances, such as the financial hardship a penalty may bring to a data controller that has contravened the DPA. On this basis, the Ministry of Justice has suggested that, for small companies, the maximum fine should not exceed 10% of annual turnover.
Data controllers in the UK and their representative bodies have been invited to submit their responses to the Consultation by December 21, 2009, addressing, in particular, the issue of whether a penalty of up to £500,000 is a "proportionate sanction for serious contraventions of the data protection principles." The Ministry of Justice will publish a paper summarizing the responses received by January 11, 2010.
The Information Commissioner's Position
Section 144 of the CJIA also requires the Information Commissioner to publish guidance on the circumstances in which monetary fines will be issued, and how the level of a fine will be determined. The Information Commissioner issued such statutory guidance in draft form on November 4, 2009 and it is expected that the guidance will become final after the Consultation process is complete.
The guidance emphasizes that a monetary penalty will be appropriate only in the most serious situations and, in particular, where it will act both as a sanction penalizing wrongful acts and a deterrent preventing future non-compliance. In determining the amount of a financial penalty, the Information Commissioner will take into account the sector (for example, whether the data controller is a voluntary organization or an organization in the public sector), the size, and the financial and other resources of a data controller. As a general rule, a data controller with substantial financial resources is more likely to attract a higher monetary penalty than a data controller with limited resources for a similar contravention of the DPA.
Monetary penalties can be issued only in respect of "serious" contraventions of the DPA. A contravention is more likely to be deemed serious having regard to: (i) the nature of the personal data concerned; (ii) the duration and extent of the contravention; (iii) the number of individuals actually or potentially affected by the contravention; (iv) whether it related to an issue of public importance; or (v) whether the contravention was due to either deliberate or negligent behavior on the part of the data controller.
The Information Commissioner will typically consider on a case-by-case basis whether a data controller has taken reasonable steps to prevent a contravention. A data controller is more likely to be deemed to have taken reasonable steps to prevent a contravention if, for example: (i) a risk assessment was carried out, or there is evidence to suggest that the data controller had recognized the risks of handling personal data and taken steps to address such risks; or (ii) guidance or codes of practice published by the Information Commissioner or others and relevant to the contravention were implemented by the data controller.
The underlying theme of the guidance is reasonableness and proportionality. As a general rule, the Information Commissioner will seek to ensure that the imposition of a monetary penalty is appropriate and that the amount of the penalty is reasonable and proportionate, taking into account the particular facts of the case and the objective of the penalty. In particular, the Information Commissioner will consider the particular facts and circumstances of a contravention and any representations made to him by the data controller.