European Union justice ministers are being urged to consider a “two strikes and out” rule for data breaches, giving firms a chance to tighten up their security before facing heavy financial penalties.
The Irish Presidency of the European Council published a paper on the protection of citizens’ personal data that will be discussed at Justice and Home Affairs Council in Dublin later this week.
It asks European justice ministers to consider whether sanctions, such as fines, “should be optional or at least conditional upon a prior warning or reprimand”.
But European digital rights group EDRi has criticised the plan, claiming it would not protect citizens’ fundamental rights. In a statement, it said: “Warnings would have to be issued first, after citizens’ fundamental rights were abused, giving companies and state authorities carte blanche to breach our rights until – at the earliest – the data protection authority twice found a company to be in breach of the law. In other words, do what you want, the worst that can happen is that you will receive a warning.”
EDRi cited the case of an Irish Data Protection Commissioner’s investigation into the Irish police force’s Pulse database as an example of what can go wrong under such a plan, claiming “companies can do whatever they want with personal data, without fear of sanction.”
Police were accused of running background checks on people their family members were involved with and checking the accident history of cars they were thinking of buying. One police officer was found to have accessed personal data of her ex-boyfriend.
But the Irish Data Protection Commissioner’s office strongly denied these allegations. “In the past year alone, this office has successfully taken 195 criminal prosecutions against 11 data controllers. If stronger action is warranted against any organisation, it is taken,” said a spokeswoman.
Any “two strikes” rule would be welcomed by the online giants. Late last year, Facebook warned Brussels chiefs that they would face a lengthy legal battle if they pressed ahead with plans to fine businesses 2% of global turnover for data protection law breaches.
There were also claims that the proposed legislation, contained in the draft General Data Protection Regulation, could put businesses off trading in the EU altogether.
“The high level of potential sanctions for breaches of the regulation risks turning relations between companies and regulators into a combative one and may undermine the incentive of Internet companies to invest in the EU,” Facebook said at the time.