FRA: Citizens require efficient and accessible protection against data protection violations
People across the EU have become victims of data protection violations brought on by the widespread use of information and communication technologies by public and private bodies. Web-based activities, direct marketing, and video surveillance account for most data protection violations. The latest report from the European Union Agency for Fundamental Rights (FRA), ‘Access to data protection remedies in EU Member States’, reveals victims’ lack of understanding and awareness about data protection and the authorities that serve to help them. The report findings also underline the urgent need for the EU’s reformed data protection rules to come into effect.
“Today it is too easy to simply collect and abuse the personal data of Europe’s citizens. This infringement of rights can have a profound effect on the victims of data protection violations,” says FRA Director Morten Kjaerum. “It is now time to give power to the data protection authorities to help counter these violations so victims can receive adequate redress.”
“In the European Union data protection is a fundamental right. We must make sure that this right is protected and that citizens can enforce it,” said European Commission Vice-President Viviane Reding, the EU’s Justice Commissioner. “As the report from the EU Fundamental Rights Agency shows, today, many citizens don’t know where to go to if their data has been misused. This is not good enough. The Commission’s data protection reform proposals will make life easier: there will be a one stop shop for citizens meaning you can always address your local data protection supervisor. Citizens will no longer need to take a plane to complain – no matter where the company that is processing their data is based in the European Union. I call on ministers to follow the European Parliament’s lead to swiftly enact the data protection reform that will improve citizens’ rights.”
Interviews with victims have shown that most victims of violations turn to data protection authorities. They often do this to ensure similar violations do not reoccur rather than to seek financial compensation. Only in exceptional cases do they go through courts. Court procedures were viewed as being too complicated, costly and time consuming. The lack of legal assistance and of data protection specialists as well as under resourced data protection authorities and intermediary organisations were also identified as concerns. In addition, information about data protection procedures and remedies was found to be lacking.
The report shows that across EU Member States data protection authorities can issue orders to rectify violations and impose sanctions ranging from warnings and fines to the revocation of licenses. However, the size and duration of these sanctions can vary significantly from country to country. In almost all Member States, criminal sanctions can also be imposed, in the form of a fine or imprisonment but again there are large national differences in the duration of sentence and size of the fine.
Web-based activities, direct marketing, or video surveillance with closed-circuit television cameras accounted for most data protection violations. Government bodies, law enforcement, and financial and health institutions are most often responsible for these violations. As a result victims most frequently experience, insecurity, damage to reputations or emotional distress.
The proposed reform of EU data protection rules should help to alleviate such problems. Based on the report findings FRA suggests:
- Raising public awareness of complaint mechanisms, including the existence and role of national data protection authorities;
- Data protection training for legal professionals so they can offer more informed advice;
- Strengthening the independence of data protection authorities;
- Providing adequate resources and empowerment to data protection authorities to remedy violations;
- Funding civil society organisations and independent bodies to help victims seek redress;
- Streamlining rules on the burden of proof, particularly for online cases, to make it simpler for individuals to bring cases before a court or supervisory authority.
The report contains an overview of the legal framework and the procedures people can use in cases of data protection violations. It also gives examples of actual experiences of victims and those dealing with data protection violations in order to identify areas for improvement in accessing data protection remedies.
In order to help better explain data protection issues, FRA will publish tomorrow a handbook on European data protection case law. The handbook, developed together with the Council of Europe, is aimed at legal professionals and non-governmental organisations who are not specialists in data protection.