The European Data Protection Supervisor (EDPS) on Monday adopted a new get-tough policy on supervision and enforcement of data protection rules in the European Union.
To date, the EDPS, Peter Hustinx, has taken a soft approach, issuing recommendations and encouraging compliance rather than enforcing it. After five years of that approach, the new policy paper shifts the emphasis to accountability and promises a "more robust approach to enforcement."
In cases of non-compliance, the EDPS can: order data to be corrected, blocked or deleted; impose a temporary or permanent ban on processing; or refer the matter to the European Parliament, the Council, the Commission or the European Court of Justice. The appropriate measure will be decided case by case. However, deliberate unauthorized disclosure of personal data would most likely result in a referral, in certain circumstances even to the Court of Justice, together with the bad publicity that follows.
Cases of denial of access, where it is reasonable to suppose that significant information is held, would probably result in an order for access to be granted. Collecting and retaining sensitive personal information for significantly longer than necessary or for unspecified purposes would almost certainly lead to an order to delete the information.
Situations where Hustinx has said he is unlikely to take action include accidental non-compliance that is acknowledged and followed by prompt, effective remedial action.
"Holding the EU institutions accountable for ensuring compliance with data protection obligations, and for demonstrating such compliance, is a crucial first step in fostering data protection in practice," Hustinx said. "However, this must be backed up by a framework for dealing with those institutions and bodies that continue to fail to meet the required standards and demonstrate poor compliance records."