mailing list archives
EU ministers to consider 'two-strikes' rule for data breaches
From: Erica Absetz <eabsetz () opensecurityfoundation org>
Date: Thu, 17 Jan 2013 13:54:47 -0500
European Union justice ministers will consider a "two-strikes" rule
for data breaches.
The Irish Presidency of the European Council published a paper on the
protection of citizens' personal data that will be discussed at
Justice and Home Affairs Council in Dublin on January 17 and 18.
The paper asks European justice ministers to consider whether
sanctions, such as fines, "should be optional or at least conditional
upon a prior warning or reprimand."
According to European digital rights group EDRi, such a system would
not protect citizens' fundamental rights. "Warnings would have to be
issued first, after citizens' fundamental rights were abused, giving
companies and state authorities carte blanche to breach our rights
until - at the earliest - the data protection authority twice found a
company to be in breach of the law. In other words, do what you want,
the worst that can happen is that you will receive a warning," the
EDRi cited the case of the Irish Data Protection Commissioner's
investigation into the Irish police force's PULSE database as an
example of what can go wrong under such a plan. "Based on the current
situation in Ireland, companies can do whatever they want with
personal data, without fear of sanction," said the organisation.
But the Irish Data Protection Commissioner's office strongly denied
these allegations today.
In 2007, the Irish Data Protection Commissioner (DPC) agreed to allow
the Garda Síochána - the Irish police force - to self-regulate the
operation of its database, which contains substantial amounts of
private and sensitive information. However, despite several complaints
to the DPC and official reports stating that abuses were taking place,
the DPC waited until 2012 to audit the PULSE database.
EDRi said that "from what we can tell, the DPC chose yet again not to
take enforcement action against the ongoing breaches of citizens'
fundamental rights. In the meantime, we can only assume that the
abuses continue unabated."
Police were accused of running background checks on people their
family members are involved with and checking the accident history of
cars they're thinking of buying. One police officer was found to have
accessed personal data of her ex-boyfriend.
However the office of the DPC said that EDRi was incorrect in a number
of respects. "This office has had continuous engagement with An Garda
Síochána over the period with a result that significant improvements
in data protection compliance have taken place. A rudimentary internet
search or perusal of this office's website would have indicated the
actual actions taken. In the past year alone, this office has
successfully taken 195 criminal prosecutions against 11 data
controllers. As demonstrated by the above, if stronger action is
warranted against any organisation, it is taken," said spokeswoman
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list
Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security equips organizations with security intelligence, risk
management services and on-demand security solutions to establish
customized risk-based programs to address information security and
- EU ministers to consider 'two-strikes' rule for data breaches Erica Absetz (Jan 18)