European Union justice ministers will consider a "two-strikes" rule for data breaches.
The Irish Presidency of the European Council published a paper on the protection of citizens' personal data that will be discussed at Justice and Home Affairs Council in Dublin on January 17 and 18.
The paper asks European justice ministers to consider whether sanctions, such as fines, "should be optional or at least conditional upon a prior warning or reprimand."
According to European digital rights group EDRi, such a system would not protect citizens' fundamental rights. "Warnings would have to be issued first, after citizens' fundamental rights were abused, giving companies and state authorities carte blanche to breach our rights until - at the earliest - the data protection authority twice found a company to be in breach of the law. In other words, do what you want, the worst that can happen is that you will receive a warning," the organisation said.
EDRi cited the case of the Irish Data Protection Commissioner's investigation into the Irish police force's PULSE database as an example of what can go wrong under such a plan. "Based on the current situation in Ireland, companies can do whatever they want with personal data, without fear of sanction," said the organisation.
But the Irish Data Protection Commissioner's office strongly denied these allegations today.
In 2007, the Irish Data Protection Commissioner (DPC) agreed to allow the Garda Síochána - the Irish police force - to self-regulate the operation of its database, which contains substantial amounts of private and sensitive information. However, despite several complaints to the DPC and official reports stating that abuses were taking place, the DPC waited until 2012 to audit the PULSE database.
EDRi said that "from what we can tell, the DPC chose yet again not to take enforcement action against the ongoing breaches of citizens' fundamental rights. In the meantime, we can only assume that the abuses continue unabated."
Police were accused of running background checks on people their family members are involved with and checking the accident history of cars they're thinking of buying. One police officer was found to have accessed personal data of her ex-boyfriend.
However the office of the DPC said that EDRi was incorrect in a number of respects. "This office has had continuous engagement with An Garda Síochána over the period with a result that significant improvements in data protection compliance have taken place. A rudimentary internet search or perusal of this office's website would have indicated the actual actions taken. In the past year alone, this office has successfully taken 195 criminal prosecutions against 11 data controllers. As demonstrated by the above, if stronger action is warranted against any organisation, it is taken," said spokeswoman Ciara O'Sullivan.