The two approaches are not opposites. Accountability is the right approach, the one we ask for, and it doesn't mean that you should simply respect the law. We are now asking for more, and let me speak for a second as a member of the judiciary, which I am.
Faced with a court case where we may discuss to what extent the controller has been proactive, I would look more favourably on the case where he made mistakes but has been very operational. The point is not to put the emphasis on every kind of mistake, even a minor one. I would like to see the big picture, but I would welcome the approach they recommended to you. We need a dissuasive approach.
Let me say that we are now bombarded from everywhere in the world, and whether I am in Silicon Valley or in Africa or in South America, the first question is the same everywhere: what about fines?
We know that they are very serious.
I would now advise the legislators to clarify the link between administrative fines and penal law. This is another area. We have to clarify the so-called non bis in idem principle: are we going to apply fines in every country with regard to the same controller? In adopting the criteria for deciding whether a fine is to be applied, we have to consider the remedies adopted by the subject, that is, whether he has been fair and dynamic in approaching a security breach, informing people after a violation, and reducing the damage. All in all, data protection costs a lot, and every effort is to be taken into account when making a decision.
So this is why I speak of, and would defend, this approach: a system where fines are applied where necessary, but not necessarily in every case. I'm not a lover of the Spanish approach. We call it tot capita, tot sententiae. If there is even a minor breach, there is no appeal, and unavoidably the sanction is to be applied.
Let's look at the big picture, because otherwise we risk fines being treated as a budget line. This also concerns the amount of the fines, because we need to graduate them, we need to consider the position of small and medium enterprises, and we need to carefully consider the criteria in terms of the seriousness of the breach and the implications of a larger-scale approach. We cannot treat every breach in the same way. So we need a very dynamic approach where we use the carrot and the stick.