EU ministers to consider 'two-strikes' rule for data breaches

EU ministers to consider 'two-strikes' rule for data breaches

But rights groups say if gives carte blanche to access data and only receive a warning

Article comments

European Union justice ministers will consider a "two-strikes" rule for data breaches.

The Irish Presidency of the European Council published a paper on the protection of citizens' personal data that will be discussed at Justice and Home Affairs Council in Dublin on January 17 and 18.

The paper asks European justice ministers to consider whether sanctions, such as fines, "should be optional or at least conditional upon a prior warning or reprimand."

According to European digital rights group EDRi, such a system would not protect citizens' fundamental rights. "Warnings would have to be issued first, after citizens' fundamental rights were abused, giving companies and state authorities carte blanche to breach our rights until - at the earliest - the data protection authority twice found a company to be in breach of the law. In other words, do what you want, the worst that can happen is that you will receive a warning," the organisation said.

EDRi cited the case of the Irish Data Protection Commissioner's investigation into the Irish police force's PULSE database as an example of what can go wrong under such a plan. "Based on the current situation in Ireland, companies can do whatever they want with personal data, without fear of sanction," said the organisation.

But the Irish Data Protection Commissioner's office strongly denied these allegations today.

In 2007, the Irish Data Protection Commissioner (DPC) agreed to allow the Garda Síochána - the Irish police force - to self-regulate the operation of its database, which contains substantial amounts of private and sensitive information. However, despite several complaints to the DPC and official reports stating that abuses were taking place, the DPC waited until 2012 to audit the PULSE database.

EDRi said that "from what we can tell, the DPC chose yet again not to take enforcement action against the ongoing breaches of citizens' fundamental rights. In the meantime, we can only assume that the abuses continue unabated."

Police were accused of running background checks on people their family members are involved with and checking the accident history of cars they're thinking of buying. One police officer was found to have accessed personal data of her ex-boyfriend.

However the office of the DPC said that EDRi was incorrect in a number of respects. "This office has had continuous engagement with An Garda Síochána over the period with a result that significant improvements in data protection compliance have taken place. A rudimentary internet search or perusal of this office's website would have indicated the actual actions taken. In the past year alone, this office has successfully taken 195 criminal prosecutions against 11 data controllers. As demonstrated by the above, if stronger action is warranted against any organisation, it is taken," said spokeswoman Ciara O'Sullivan.

Share:

Comments

Advertisement
Send to a friend

Email this article to a friend or colleague:


PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.


We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

ComputerworldUK Knowledge Vault

ComputerworldUK
Share
x
Open
* *