SECURITY
DPC urged to take tougher stance
08-05-2008
by Billy MacInnes
The Data Protection Commissioner (DPC) has been urged to take a firmer stand against abusers of the data protection regime and to fine serial offenders.
The publication of the DPC's annual report on Thursday -- which was partly overshadowed by the news that a blogger had managed to access the DPC's site and leak the contents of the report on Wednesday -- drew criticism for not going far enough in punishing those guilty of breaches of the data protection provisions.
Paul C Dwyer, CEO at security firm Team InfoSec, argued the presence of telecommunications company NewTel Communications in the report, having also featured in the 2005 and 2006 annual reports, demonstrated there was "no significant downside to being caught".
"The Data Protection Commissioner doesn't go far enough," he claimed, pointing to powers to fine companies EUR100,000 per incident and stop them from processing data. "Why has he never fined anybody EUR100,000?" Dwyer asked, speaking with ENN.
Someone guilty of serial speeding offences was likely to lose their driving licence but the sanction for serial offenders of the data protection system was insignificant, he added.
In his annual report for 2007, Data Protection Commissioner Billy Hawkes revealed that complaints had risen to 1,037 from 658 in 2006 and 300 in 2005, partly fuelled by 390 complaints concerning unsolicited SMS text messages.
He argued the rise in the number of complaints represented "the mainstreaming of data protection into the operations and functions of public bodies and private organisations and in the public consciousness generally. Naturally, I very much welcome this trend."
Replying to the criticism levelled by Dwyer, Hawkes told ENN the DPC office did not have the power to levy fines directly in most cases, adding it favoured compliance rather than punishment. "We aim for solutions to complaints that result in positive benefits...our approach is on correcting behaviour."
He described the case involving NewTel Communications, which conducted a cold-call marketing operation, as an "isolated incident", adding the company corrected the situation "very promptly".
The report also noted the trend among private companies to contact the DPC's office voluntarily when they became aware of accidental disclosures of customer or employee information. Hawkes described it as a "welcome trend" but believed the time was coming when Ireland would need to consider imposing a legal obligation on companies to disclose security breaches as already happens in many states in the US.
The report highlighted a number of complaint case studies involving companies such as Aer Lingus, NewTel Communications, the Gresham Hotel in Dublin and Eircom. In the latter case, ex-customers had complained that Eircom had targeted them with marketing calls aimed at trying to win back their business. Following an investigation by the DPC's office, the company agreed to stop the practice and pay EUR35,000 to charity.

