In comments first reported by The Independent, Graham said that there is a “weakness” in the sanctions available to the courts, mainly because the Government has failed to ensure law changes that would see custodial sentences and heavy fines for the most severe breaches of data protection law.
The Data Protection Act stipulates an unlimited fine for a criminal offence and a £500,000 fine for a civil breach, although these fines are often substantially lower in practice.
In his address to MPs at the House of Commons' Home Affairs Select Committee earlier this week, Graham cited one example where a company, which had “blagged” the home addresses of members of the public, had been fined just £4,000. The Information Commissioner said that this “embarrassingly small” fine had come after a four-year investigation costing in the region of £200,000.
“The penalty doesn't fit the crime,” said Graham, whose comments come weeks after an EY report found that half of businesses (48 percent) thought online customer activity – such as previous purchases, ad clicks and browsing activity – was the most valuable source of customer insight.
The ICO also confirmed this week that it has started action against four out of 10 British firms where it has found “significant” documentary evidence of potential breaches of the Data Protection Act.
On learning the news, 451 Research analyst Javvad Malik told SCMagazineUK.com that while it could be argued that the current laws are weak and slow to change, there are also blurred lines about what counts as personal data.
“There is a lack of clarity around what is personal data and what would constitute the fact that it has been illegally obtained. We've seen definitions change and be open to interpretation over time,” he said.
“For example, when Google collected the Wi-Fi SSIDs, were they breaking any laws? This is something where people have different opinions. Gathering a single SSID maybe isn't so bad – but when aggregated with thousands – it begins to look a bit scary, so then people want legislation around collecting publicly available data on SSIDs. This kind of reactionary legislation ends up hurting the common citizen more than ‘criminals’.”
Malik also said that bigger fines are not necessarily a ‘clear-cut black and white issue’ and instead believes that greater transparency is needed on how companies secure personal data.
“I think what would help go a long way is greater transparency by companies disclosing how they secure information, what they use it for and when they will remove it,” said Malik. “At the moment companies either do not provide that information or it's buried on page 50 of a 100-page terms and conditions list.”
“Also bearing in mind it's not just a single place which may contain all the information – criminals may aggregate information from different sources. Information is akin to chemical elements in that regard; on its own a piece of information may be inert; but combined with another bit of information and it becomes dangerous.”
BH Consulting founder and analyst Brian Honan told SCMagazineUK.com that he agreed with the ICO, and called for greater enforcement of the law to get the message across.
“I would agree with the ICO,” he said. “People's personal data is not a commodity that can be bought and sold. It is their personal data which has been entrusted to third parties who should ensure it is protected properly. Companies should not see these data as a resource that they can use without the knowledge or permission of the people involved.
“The remedy is for more enforcement of the law so that a message is sent to companies that this behaviour is not acceptable. This should also be reinforced by education and awareness of companies' obligations under the DPA.”