It was clear from the keynote stage here Thursday that it wasn't the first time Helen Dixon had heard the question: When are you going to issue a fine?
Because of the number of tech companies headquartered in Dublin, Dixon conceded, "My office is the internet authority." But she was quick to remind the 4,000 privacy professionals from around the globe that a data protection authority isn't only there to enforce. There's complaint-handling, for example. Since the EU General Data Protection Regulation came into force, the regulator has received 6,000 complaints. The majority of those complaints have been resolved, she said, adding that some of them stemmed from advocacy groups, like None of Your Business, founded by Max Schrems, which exposed "very systemic and structural issues." Currently, the DPA is conducting 18 large-scale investigations, of its own volition, into tech companies.
On the fines, though, Dixon said the office is just about to wrap up, despite their complexity, and she anticipates bringing "first-draft decisions" to the European Data Protection Board this summer.
They "certainly can't be done overnight," she said, noting investigations must follow due process and fair procedures. "Enforcement is coming but it takes time."
Dixon shared the keynote stage with U.K. Information Commissioner Elizabeth Denham, Austrian Data Protection Commissioner Andrea Jelinek and moderator Ruth Boardman of Bird & Bird.
For her part as an enforcer, Denham said while the ICO has focused in the past on direct marketing and security breaches, she is strategically focusing on the "fairness" requirement under the GDPR, though it existed under the Data Protection Directive that preceded it, as well.
"So we've been paddling in those waters for quite some time, and we find ourselves going deeper. Fairness was at the center of my office's case against Facebook. We found it wasn't fair to harvest that data, so our focus there was on unfair, invisible processing."
Similarly, she said, the ICO took action after a National Health Service Trust shared 1.8 million patient records. It has also done work auditing and fining data brokers and credit reference agencies under those same "unfair, invisible processing" charges. Now, she said, her office is taking a closer look at the ad tech industry, specifically looking at transparency and fairness, as well as the legal basis for consent.
But she said she is aware the world is waiting on some fines, and she is keen to deliver that.
"I think what business is interested in is momentum," Denham said. "They want to see from regulators sanctions and fines in real cases that interpret the law. I can tell you that the ICO will be adding to that momentum this spring with a couple of very large cases that are in the pipeline. I think what's important is for us to enforce strongly and firmly here if there has been misuse of data."
She said the majority of companies just want to do the right thing, and if regulators don't enforce, it means "the shoddy data practices from other companies are benefiting from that. So it's really important we take action."
Jelinek said while she has just 34 staff, hers was the first authority to issue a fine, a small one at just 7,000 euros, but it was in proportion to both the infringement and the company's size, she said.
"I think this shows the GDPR really looks into the behavior, on the one side, of the company, and on the other side, the infringement and how we can deal with that. It's important to know the proportionality principle doesn't only deal with big companies but also small companies."
Dixon said her office is focused specifically on Article 38, on the tasks of the data protection officer and companies' involving them in decision-making in a timely way.
"We're hearing from organizations and DPOs themselves that there are some concerns about where [the DPO] sits, how it fits and what the roles are," Dixon said, adding her office recently opened an investigation into a "very specific scenario related to a government department in Ireland."
Denham said her way into the inner workings of companies has been the breach notification requirement under the GDPR.
"I think in following through with significant data breaches, we take a look at the preparedness those organizations have had in that," she said. In those instances, the ICO has been very focused on the organization's trials of facial-recognition technology and the extraction of data from mobile phones, to name a couple.
Finally, Denham addressed the question she has gotten ad nauseam for the last couple of years: What's going to happen with Brexit?
"Nobody knows," Denham said. "Not government, not Parliament, not the pundits, not the people. It's been a roller coaster ride from one day to the next, where we don't know what's going to happen. What I do know is that my office, my staff and I are as prepared as we can be. We've prepped the country as much as we can for various scenarios."
She did instill some fear in some privacy professionals' minds, surely, when she mentioned that if there is a hard Brexit and the ICO becomes a third country, companies who commit a trans-border breach could face, instead of a one-stop shop under the GDPR, a two-stop shop.
"You could have to address two different sanctions for the same cross-border breach," she said. "I don't expect the ICO will have the role we have now [under a hard Brexit]. In some circumstances, we may have no role at all."
October 31, 2019, is the new Brexit date.