EU commissioner calls for larger data breach fines

Euros. Image courtesy of Shutterstock.

Euros. Image courtesy of Shutterstock.The European Union commissioner for justice, Viviane Reding, has called for bigger fines for companies who breach data privacy laws within the union.

Her comment came after data protection authorities in Spain and France ruled that Google’s new consolidated privacy policy violated the existing data protection rules yet yielded small fines for the company.

In December, the Richmond company was fined 900,000 euros by the Spanish privacy watchdog who said that its consolidation of over seventy privacy policies into one broke the nation’s laws.

Then, this month, the Commission Nationale de l’informatique et des Libertes (CNIL) fined Google after claiming that its new all-encompassing privacy policy does not inform users just how their personal data is used or collected, does not obtain user consent prior to storing cookies, fails to define data retention periods, and combines data across its services without any legal basis.

The fine levied by CNIL was much smaller at just 150,000 euros, the largest penalty that the independent commission is allowed to apply. Reding commented:

In Spain, Google was fined the maximum amount of EUR 900,000, while in France – whose data protection authority is one of the most respected and feared in Europe – the fine levied was EUR 150,000, also the highest possible sum. Taking Google's 2012 performance figures, the fine in France represents 0.0003% of its global turnover. Pocket money.

Reding questioned whether such a small fine actually served as a deterrent:

Is it surprising to anyone that two whole years after the case emerged, it is still unclear whether Google will amend its privacy policy or not?

Two years ago Reding put forward new data protection plans that have yet to be adopted by the Commission.

In the original draft of the legislation an offender could have been hit with a fine equal to two percent of its annual turnover a proposal that would, in the Google case, have led to a financial penalty of around 731 million euros ($1 billion).

More recently, the European Parliament considered going even further after voting in favour of fines of up to 5% of a company’s global revenue.

On Monday, Reding stated that “Europeans need to get serious”, adding that larger fines for data protection breaches would act as a more significant deterrent, being a “sum much harder to brush off.”

But the proposals are unlikely to be realised any time soon. Reding’s own reforms have been amended over 4,000 times so far and Germany has raised concerns that a single European data protection authority may compromise its own existing data protection legislation. Reding commented:

Member States, however, have been stalling. Even after the shocking revelations of mass spying and surveillance which continue to dominate the headlines, they have so far mainly reacted with words. EU Heads of State and Government have committed to a "timely" adoption of the new framework. But in real terms there has been little action.