Wednesday, February 3, 2010
The UK's Information Commissioner's Office (ICO) now has sharper teeth to deter personal data security breaches: it can serve monetary penalties of up to 500,000 GBP on organisations for serious breaches of the Data Protection Act.
According to the ICO, for a data breach to attract a monetary penalty there must have been a serious breach that was likely to cause damage or distress, the breach must have been either deliberate or negligent, and the organisation must have failed to take reasonable steps to prevent it. The ICO gave the following examples:
Damage
Following a security breach by a data controller financial data is lost and an individual becomes the victim of identity fraud.
Distress
Following a security breach by a data controller medical details are stolen and an individual suffers worry and anxiety that his sensitive personal data will be made public even if his concerns do not materialise.
Deliberate
A marketing company collects personal data stating it is for the purpose of a competition and then, without consent, knowingly discloses the data to populate a tracing database for commercial purposes without informing the individuals concerned.

Now, this is a major step forward for a data protection authority (DPA), and it is about time.

Unfortunately, at the moment, there are big differences regarding the position of the DPAs in the member states, and not all the DPAs have the same powers. According to the Article 29 Data Protection Working Party, this is because of differences in history, case law, culture and the internal organization of the member states.
Moreover, article 28 of Directive 95/46/EC lacks precision in several aspects and has, to a certain extent, been poorly implemented in some jurisdictions, resulting in noticeable differences between the member states regarding, among other things, the position, resources and powers of DPAs. In any case, with the growth of technology and globalisation, DPAs need strong supervision and effective powers in addition to those they currently have.
In Belgium, 97% of organizations' websites are non-compliant. If that is the case, the question is whether these organizations are adhering to the data protection law internally.

Perhaps it is necessary for its Privacy Commission to be given a sanctioning power similar to that of the ICO. At the moment, the Privacy Commission has no teeth: its powers are limited to advising, recommending and handling complaints. Coupled with the public's lack of awareness of data protection, which results in fewer complaints than the reality of the situation warrants, this means many organizations abuse the situation and operate without fear of, or respect for, the data protection law. It is hoped that someday soon this will change.