EU data protection tsar set to get tough

The European data protection supervisor (EDPS) is to take a more robust approach to enforcement with EU institutions, especially for serious, deliberate or repeated non-compliance with laws, according to a new policy paper.

The document was published today to provide greater transparency on the framework within which the EDPS, Peter Hustinx, monitors, measures and ensures data protection compliance in the EU's various institutions and bodies.

The document places a strong emphasis on accountability, requiring EU bodies to put in place appropriate measures to ensure compliance with data protection laws.

However, after five years of taking a non-punitive approach with those who have erred, Hustinx is now changing his approach to take enforcement action if necessary.

Such actions include warning the body in question; ordering a rectification, blocking, erasure or destruction of all data processed in breach of the rules; imposing a temporary or definitive ban on processing; or referring the matter to the European Parliament, Commission, Court of Justice or the Council.

"Holding the EU institutions accountable for ensuring compliance with data protection obligations, and for demonstrating such compliance, is a crucial first step in fostering data protection in practice,” he said.

“However, this must be backed up by a framework for dealing with those institutions and bodies that continue to fail to meet the required standards and demonstrate poor compliance records."

The move comes as the UK’s data protection watchdog the Information Commissioner’s Office last month issued its first punitive fines to organisations in breach of the Data Protection Act.