Gross negligence of Data Protection can be prosecuted under Computer Criminality acts by the respective Data Protection Office. There is precedent for this in the UK. However this is not laid out in the European directives but usually in the local implementations of the directives.