After recent stringent proposals for data protection regulation it seems particularly bizarre that European Union justice ministers will now consider a 'two-strikes' rule for data breaches.
The Irish Presidency of the European Council published a paper on the protection of citizens' personal data that will be discussed at the Justice and Home Affairs Council in Dublin on January 17 and 18.
The paper asks European justice ministers to consider whether sanctions, such as fines, "should be optional or at least conditional upon a prior warning or reprimand."
According to European digital rights group EDRi, such a system would not protect citizens' fundamental rights. "Warnings would have to be issued first, after citizens' fundamental rights were abused, giving companies and state authorities carte blanche to breach our rights until - at the earliest - the data protection authority twice found a company to be in breach of the law. In other words, do what you want, the worst that can happen is that you will receive a warning", the organisation said.
Obviously debate is not law and should be encouraged - but it does seem particularly contradictory to be creating stringent new DPA law on one hand and then, potentially, to introduce a penalty system that lets organisations "get away with it" until caught twice.
As a case in point EDRi cited the Irish Data Protection Commissioner's investigation into the Irish police force's PULSE database as an example of what can go wrong. "Based on the current situation in Ireland, companies can do whatever they want with personal data, without fear of sanction" said the organisation.
In 2007 the Irish Data Protection Commissioner (DPC) agreed to allow the Garda Síochána to self-regulate the operation of its database, which contains substantial amounts of private and sensitive information. However, despite multiple complaints to the DPC and official reports revealing that abuses were happening, the DPC waited until 2012 to audit.
EDRi said that "from what we can tell, the DPC chose yet again not to take enforcement action against the ongoing breaches of citizens' fundamental rights. In the meantime, we can only assume that the abuses continue unabated".
Unsurprisingly the DPC has said that EDRi was incorrect in a number of respects.
"This office has had continuous engagement with An Garda Síochána over the period with a result that significant improvements in data protection compliance have taken place. A rudimentary internet search or perusal of this office's website would have indicated the actual actions taken. In the past year alone, this office has successfully taken 195 criminal prosecutions against 11 data controllers. As demonstrated by the above, if stronger action is warranted against any organisation, it is taken" said spokeswoman Ciara O'Sullivan.
If a "two strikes and out" regime were adopted in combination with the proposed, complex, new Data Protection Regulation, then I see a scenario where the new rules would be too complex for many businesses to adopt until they are caught the first time (knowing that they wouldn't incur a penalty) - putting all the load back onto the shoulders of the ICO.
In this scenario no one wins: data subject rights don't get protected, business practice doesn't evolve, and the ICO won't cope.