I have just stumbled upon the Information Commissioner’s Office’s page that informs the British public on the monetary penalties that the ICO has handed down over the last 1 ½ odd years: 26 penalties of about £ 120,000 on average. Not that that kills any of the public authorities and private companies involved (and nor should it). But it shows that where the ICO believes that a breach is serious enough to warrant a monetary penalty the penalties are not only symbolic but designed to at least sting a bit.
This led me to look up how the German DP Authorities go about the arduous task of getting their subjects back on the straight and narrow. Given that in Germany data protection and privacy enforcement is for the most part state business and Germany boasts 16 federal states, it’s actually quite a task. It has always been my (hopefully educated) guess that in terms of monetary penalties the Germany authorities were rather more reluctant to act heavy handedly. Well, here we go with some official numbers that cover 2011, 2010 and/or 2009.
- Baden-Württemberg (2010 and 2011): The official report makes mention of two penalties, amounts unknown.
- Bayern: No information.
- Berlin: 11 penalty notices of EUR 22,705 (aggregate).
- Brandenburg (2010 and 2011): The official report mentions “several penalties following grave breaches”, with actual penalty amounts unknown.
- Bremen: The official report indicates 9 cases, with penalties of between EUR 800 and EUR 5,000.
- Hamburg: The official report lists 13 cases, with penalties of EUR 222,700 (aggregate). One case sticks out at EUR 200,000, the others top out at EUR 7,000.
- Hessen: No official information.
- Mecklenburg: No official information.
- Niedersachsen (2009 and 2010): The official report indicates 35 cases, with penalties of mostly between EUR 250 to EUR 800, topping out at EUR 3,000.
- Nordrhein-Westfalen (2009 and 2010): The official report does not show how many penalties were handed down. One case, however, ended with a penalty of EUR 120,000, and another at EUR 36,000.
- Rheinland-Pfalz: Apparently, there was only one case, penalty amount unknown.
- Saarland: No official information.
- Sachsen (4/2009 to 3/2011): The official report mentions 47 cases. 11 of those cases ended in EUR 6,810 of aggregate penalties, the remainder is unknown.
- Sachsen-Anhalt (6/209 – 9/2011): No official Information.
- Schleswig-Holstein: The official report contains no specific information on the subject.
- Thüringen: No official information.
Thus, compared to the situation in Great Britain it seems (on the basis of not entirely complete data, of course) that the overall number of penalties is greater, but that the penalty amounts are much, much smaller. The actual risk for companies and public authorities therefore appears considerably less significant when committing data protection and privacy breaches. In addition, there is no public pillory that mentions the names of the offenders. Compliance issues aside, of course.
A second rather interesting conclusion that one may draw from comparing the penalty cases is that in Germany a large amount of the penalties were handed down for not properly complying with the data protection authorities requests for information (1.) and rather deliberate data protection offenses (2.), whereas the cases mentioned on the CIO information page seem to mostly relate to data security “accidents”, however severe they were.