The French Data Protection Authority (CNIL) made some interesting statements last week in their annual report, covering June 2006 through June 2007, about some fines they’ve given during the past 12 months for non-compliance with their data protection laws.
Over the years I’ve been interested to see the trends in sanctions applied for privacy and data protection noncompliance; they are consistently getting larger, not only in other countries but also for certain U.S. laws, such as the FTC Act, FACTA and COPPA. Generally, the longer the laws have been in effect, the greater the fines and penalties applied.
During the June 2006 through June 2007 timeframe France gave 16 fines, totaling €168,300 ($228,888). Not that significant in some folks’ opinions, true, but definitely higher than they have been in the past. The CNIL report also shows an increase in the activity of CNIL to pursue and apply sanctions.
The report revealed a 570% increase in CNIL compliance enforcement activity since 2003. CNIL registered over 73,000 new databases containing PII throughout the last 12 months; they received over 3,500 complaints about data protection and privacy issues; and they were asked to assist over 1,600 citizens who requested help from law enforcement and national defense databases containing PII.
Some interesting increases also included:
* Receiving 360 requests for the creation of biometric-based identification systems during 2006, as compared to 40 in 2005.
* Receiving 880 requests to operate video-surveillance systems in 2006, compared to just 300 in 2005.
Most of the sanctions described in the report were anonymized (the involved parties not named), with only high level and brief descriptions of the associated activities. However, the anonymous sanctions descriptions were interesting:
* “a certified court marshal paid a €5,000 ($6,800) fine in June 2006 for abusive data transfers and failure to cooperate with CNIL investigators”
* “two direct marketing firms specializing in the sale of customized windows shared a €60,000 ($81,600) fine in December 2006 for unsolicited telephone calls and failure to respect “do not call” lists”
* “a retailer was hit with a €1,500 ($2,040) fine for unsolicited marketing activities in September 2006”
* “a financial sector firm was hit with a €1,000 ($1,360) fine for abusive marketing operations”
* “a catalogue sales firm was hit with a €5,000 ($6,800) fine in December 2006 for abusive telephone marketing and failure to honor a “do not call” list”
* “a telecommunications firm received a €10,000 ($13,600) fine in March 2007 for refusing to allow authorities access to its database”
* “a financial sector firm was fined €5,000 ($6,800) in March 2007 for failing to declare the creation of bad credit lists and exceeding data storage limits”
* “a distance marketing firm was hit with a €10,000 ($13,600) fine in March 2007 for abusive telephone marketing and failure to respect a “do not call” list”
* “a real estate rental agency was fined €15,000 ($20,400) in May 2007 for illegal maintenance of a non-authorized “black list” on tenants with “failure to pay” notices”
What I didn’t see within the report was any mention of the amount of time businesses had to stop operations until they got the noncompliance issues fixed.
However, I know of at least a couple of U.S. businesses who lost weeks of online time and business availability/processing time from not being able to perform business functions until they had gotten the noncompliance issues resolved to the satisfaction of the CNIL. These non-business times cost the companies much more in revenue losses and lost customers than the fines did.
A few of many lessons to learn…
* Just because no significant fines have yet been applied for noncompliance with data protection (privacy) laws and regulations does not mean that they won’t. History shows fines increase over time. Do you want your organization to be the one to make the headlines as receiving the largest fine to date for noncompliance with a law?
* Even if the fines do not impact your organization significantly, an order to halt your business until you are in compliance with the laws and regulations could have huge financial impact on your business.
* Always be aware of the data protection and privacy laws in all the countries where you have customers, employees and conduct business.
Tags: awareness and training, CNIL, cross border data flow, data protection, employee privacy, France, government, Information Security, IT compliance, policies and procedures