UK’s Information Commissioner demands prison penalties for serious data offences

22. July 2013

Information Commissioner Christopher Graham said, that people who misuse personal information should face tougher penalties, including the threat of prison in the most serious cases.

The Information Commissioner referred to a case in which a former manager of a health service based at a council-run leisure centre was prosecuted by the Information Commissioner’s Office for unlawfully obtaining sensitive medical information belonging to more than 2,000 people. The manager used the information, which he had sent to his personal email account, to approach patients to advertise a similar service he had set up.

The manager was  prosecuted under section 55 of the Data Protection Act and fined £3,000. He was also ordered to pay a £15 victim surcharge and £1,376.50 prosecution costs.

Mr. Graham issued following statement:

“Nobody expects that their health records will be taken and used in this way. The manager [name removed ] had been told about the need to keep patients’ details confidential, but he decided to break the law to benefit his new business. At very least, behaviour of this kind should be recognised as a ‘recordable offence’ which it isn’t now. For the most serious cases the current ‘fine only’ regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated. The government must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”

Category: UK
Tags: , ,

UK Ministry of Justice clarifies Negotiating Position on proposed EU Data Protection Regulation

4. July 2012

According to a report by huntonprivacyblog.com, the UK Ministry of Justice outlined its negotiating position on the basis of a previously started Call for Evidence. The Call for Evidence gave a perspective and feedback on the impact of the proposed EU Data Protection Regulation on business and individuals.

The results led to the position of the Ministry of Justice that reassured organizations to negotiate against regulations that would overburden business and for a legislative framework that support economic growth and innovation. The Ministry also stressed that people’s personal data must be protected at the same time.

Following issues need to hold negotiations from the perspective of the Ministry:

  • Right to be forgotten: It should be overhauled to clarify its scope and cost implications;
  • Bureaucratic and costly burdens on organizations: The Ministry will resist them if no greater protection for individuals is foreseeable; In particular mandatory data protection impact assessments, prior authorization from supervisory authorities and mandatory data protection officers were mentioned as such burdens without benefit for individuals;
  • Data Breach Notification: This Provisions will be supported depending on reflected timescales needed to properly investigate the breach and sensible and proportionate thresholds;
  • Penalties for Data Breaches: These administrative penalties will be supported with the objective to a more proportionate level of maximum fines;

Powers for the European Commission: The Ministry will push for the removal of many of the powers, especially where there is scope for the European Commission to substantially alter fundamental requirements.

American Bar Association urges U.S. courts to regard foreign privacy laws

23. May 2012

One step further in resolving the dilemma of pre-trial Discovery in the U.S. in conflict with non-U.S. data protection laws: The American Bar Association adopted a resolution with the stated purpose to urge courts to respect foreign data protection and privacy laws in case of decisions on discovery issues.

Currently the interests of U.S. litigants to discovery are privileged by the courts when requirements of foreign privacy laws are not regarded. Other parties are in the situation to face inconsistent legal requirements and possible sanctions of foreign legal systems.

The resolution reads as follows:

“RESOLVED, That the American Bar Association urges that, where possible in the context of the proceedings before them, U.S. federal, state, territorial, tribal and local courts consider and respect, as appropriate, the data protection and privacy laws of any applicable foreign sovereign, and the interests of any person who is subject to or benefits from such laws, with regard to data sought in discovery in civil litigation.”

The American Bar Association says that the permission of unlimited discovery could impede global commerce or harm the interests of U.S. parties in foreign courts. Especially the laws in European jurisdictions and the EU Data Protection Directive limit the legal processing of personal data and the transfer of personal data outside of the EEA. There is also the fact, that some jurisdictions have enacted blocking statues to prohibit the seeking for disclosure of information that shall be used for evidence in foreign proceedings. For example in France a French lawyer had to pay a 10.000 Euro fine for obtaining discovery in France for a litigation in the U.S.

The resolution of the American Bar Association is not binding but could encourage U.S. courts to have a critical look at foreign privacy jurisdiction and the consequences of discovery for affected litigants or third parties. At the moment, data controllers who are forced to transfer data from the EU to U.S. for the purpose of discovery would be well advised to follow at least the guidance of Article 29 Working Party to comply with EU data protection obligations and to check in detail which way is the best.

Category: USA
Tags:
Pages: Prev 1 2 3 ... 55 56 57 58 59 60 61 62 63 64 65
1 63 64 65