UK Germany Spain France Italy Highest fine - Osborne … · UK Germany Spain France Italy Highest fine imposed by a lead DP regulator in 2013? £250,000 (US$414,431) imposed by ICO


Territories compared: UK, Germany, Spain, France, Italy

Highest fine imposed by a lead DP regulator in 2013?

UK: £250,000 (US$414,431) imposed by ICO against Sony in respect of its 2011 cyber breach.

Germany: €145,000 (US$198,000) imposed against Google for WLAN-scanning, imposed by the Data Protection Officer of Hamburg. Google also lost several lawsuits filed by consumer interest groups.

Spain: Figures for 2013 are yet to be released, but it's inevitable that the highest was the €900,000 (US$1,229,450) imposed on Google in relation to its approach to changing its privacy policy in 2012, approaches to data retention and to the exercise of rights of access, rectification, cancellation and objection.

France: €10,000 (US$13,660) imposed by the CNIL against Professional Service Consulting for non-compliance with video-surveillance rules.

Italy: Figures for 2013 are yet to be released, but it seems likely that the highest was the €400,000 (US$546,384) imposed on Consodata SpA in relation to its alleged non-compliance with marketing and data storage privacy rules.

Generally, was data protection regulator enforcement action up or down in 2013?

UK: An upward trend was maintained. The total number of penalty notices issued in 2013 was up 145% compared to 2011. The average fine levied was £106,000 in 2013. Enforcement notices (i.e. orders requiring organisations to remedy non-compliance) were up 110% in 2013 compared to 2012. For the first time we saw companies successfully appealing against an ICO fine – two fines (one of £250,000 (US$414,468) and one of £300,000 (US$497,345)) were overturned in 2013.

Germany: Of course Germany has a number of regional data protection regulators, but looking at the latest available activity report of the Bavarian regulator (2011/2012): penalty notice enforcement increased abruptly, but the number of criminal applications made remains low. Average fines are low, but fines can legally be imposed up to €300,000 (US$409,833). German Data Protection Officers are trying to focus more on preventive consultation of businesses in order to avoid data breaches. Appeals against fines are increasingly common in Germany.

Spain: In 2012, the total volume of fines imposed increased by 7%, amounting to €21,054,656 (US$28,763,109). For 2013, no major differences are expected. The volume of fines will probably continue to increase steadily.

France: Although the number of control orders imposed by the CNIL in 2013 has increased (by more than 400), the number of penalty notices remains low and the 2013 sanctions should be similar to 2012. The CNIL's sanction of choice was the issue of formal notices requiring organisations to remedy non-compliance, as well as formal warnings. As an aside, the CNIL's 2013 annual report (for year 2012) revealed the following: 43 formal notices (65 in 2011); 13 sanctions (19 in 2011); 9 warnings (13 in 2011); 4 financial sanctions (5 in 2011).

Italy: 2013 enforcement actions are expected to have increased – the report for the first 6 months showed a significant number of proceedings initiated: 473 cases (compared to 578 in the entire 2012). Fines collected totaled €2m (US$2,732,232). Fines imposed have mostly been in respect of incomplete notification of information (289) and unlawful processing of data (132).

Any other points of note regarding regulator enforcement action?

UK: Fines were issued for breaches of marketing privacy laws – in particular, spam texts, emails and cold calls – for the first time.

Germany: Data breach complaints and complaints regarding breaches of marketing privacy laws were the number 1 cause of complaint. Claims relating to the use of Google Analytics and other tracking technologies remain high.

Spain: The first penalty procedure initiated against a company for failure to comply with the cookie laws was noteworthy – the first such enforcement anywhere in Europe, we think. The matter is still on-going.

France: The most noteworthy CNIL action came at the end of 2013 – the launch of its proceedings against Google in relation to criticisms of its privacy policy, which resulted in a fine of €150,000 (US$204,913).

Italy: The attention which regulators gave to tele-marketing rule non-compliance, use of PII without consent, the retention of traffic data and the failure to adopt security measures.

Did data protection regulators exercise rights of audit in your territory?

UK: Yes, but in a low-key way. Dawn raid style enforcement remains limited to serious and criminal breaches. ICO did undertake a series of voluntary audits of a number of high-profile private sector companies under both marketing-specific and broad data protection laws.

Germany: Audits are mainly undertaken in the health sector. In the financial sector and web sector, audits are mainly undertaken without on-site visits.

Spain: In 2012, 2,264 inspection actions (preliminary proceedings) were issued by the AEPD that led to 150 on-site audits. Figures for 2013 have yet to be released. As a general rule, inspections are not triggered unless the regulator is investigating a specific complaint, or once evidence of non-compliance has come to its attention.

France: Yes, the CNIL has conducted many controls and dawn raids in many sectors. We would expect the numbers in 2013 to be similar to those in previous years – there were 458 such actions in 2012 and 385 in 2011.

Italy: Yes, in the first six months of 2013, 208 inspections have been conducted. Investigations are usually carried out with the assistance of the Special Units of the Guardia di Finanza.