ICO enforcement – it's not about the money, is it?

The UK's data protection regulator is the Information Commissioner whose office is known to be among the better resourced national privacy regulators, and also one of the more pragmatic with a focus on a risk-based approach.  In fact, since the application of the GDPR, there have been two Information Commissioners: Elizabeth Denham, and the current incumbent, John Edwards, who took over the role in January 2022.  Has the change, not to mention the change from the GDPR to the UK GDPR, resulted in a new enforcement strategy?

What are the ICO's enforcement powers?

Like EU regulators, the ICO has a wide range of enforcement powers under various pieces of privacy legislation including the UK GDPR, PECR and the Data Protection Act 2018 (the focus of this article), as well as in relation to statutory codes (like the Children's Code).Everyone knows about the potential for huge fines to be imposed under penalty notices, but the enforcement arsenal also includes a wide range of civil powers including powers of investigation and inspection, potentially resulting in reprimands, and enforcement notices, as well as criminal prosecutions in some cases.

Financial penalties

Much of the ICO's enforcement activity to date has focused on unlawful marketing.  Over 90% of fines issued by the ICO have been in relation to breaches of PECR rather than of the (UK) GDPR. In 2021, for example, PECR fines of £3,268,000 were imposed on 33 organisations.

There have, however, also been some high profile GDPR fines.  Most notably, towards the end of 2020, when British Airways was fined £20m and Marriott Hotels was fined £18.4m.  Both fines related to data breaches.  These remain the largest fines imposed to date under the GDPR by the ICO and in both instances, the ICO was critical of significant failings to implement appropriate security measures to protect the data.  Interestingly, in both cases the eventual fines were significantly smaller than those initially proposed by the ICO (£183m for BA and £99.2m for Marriott).

One of the reasons for the significant drop in the fines was the Covid pandemic.  Both BA and Marriott were disproportionately impacted by pandemic, which the ICO considered in accordance with an overall policy (and a statutory obligation) to allow some leeway during that period.  However, the ICO also took into account the fact that both businesses had acted promptly on discovering the respective breaches, had cooperated with the ICO, and had already taken significant steps to improve their cybersecurity and data protection practices.

These fines are indicative of the ICO's approach and in line with the 2018 guidance issued by the ICO on its enforcement strategy, in a number of ways:

• The ICO will impose significant penalties where breaches are considered to be particularly egregious. This can be as much to do with the degree to which the organisation has failed to take legal requirements into account, as with the nature of the data and the nature of the infraction.
• Size and financial resources of the organisation are relevant to the amount of the fine.
• Cooperation with the ICO and demonstrating real change can significantly reduce the amount of those penalties.

More recently, in 2022, Clearview AI was fined £7.5m for unlawfully scraping personal data to use in its image recognition database, and Easylife Ltd, was fined £1.35m for using personal data to profile medical conditions and target individuals with health related products without consent.  These fines are clearly aligned with the ICO's strategy to focus on particular issues which include AI and advertising.

Going forwards – a new approach?

In 2022, the ICO consulted on its:

• Regulatory Action Policy
• Statutory Guidance on Regulatory Action and
• Statutory Guidance on PECR powers.

The consultation closed in March 2022 but final versions have not yet been published. The focus in the draft documents emphasises being flexible and responsive, as well as transparent.

In November 2022, the ICO published its ICO25 strategic plan and its regulatory approach, setting out priorities and policy for the next three years.  It is clear that the ICO will be focusing particularly on safeguarding the vulnerable.  For the period until October 2023, it will focus its investigation and project work on the following issues:

• children's privacy – including through enforcement of the Children's Code
• the impact of technology on vulnerable groups, in particular, AI-driven discrimination, the use of biometric technologies, online tracking, and the use of CCTV
• issues that may aggravate or be aggravated by the cost of living crisis, including the use of intelligence databases by the financial industry, algorithms used within the benefits system, the use of targeted advertising of gambling, and predatory marketing and data-enabled scams and frauds.

This gives us a good idea of the kinds of data processing that the ICO will be scrutinising this year.

Further insight into the way in which the ICO will be enforcing came in a speech John Edwards made at the National Association of Data Protection Officers annual conference, also in November 2022, which pulled out some of the main aspects of the revised enforcement strategy, particularly in relation to public bodies (as announced in June 2022).  The speech was given against the backdrop of the ICO handing down a penalty to the Department for Education of £500,000 which would, under previous policy, have been £10m.

While robustly defending the ICO's enforcement record, the ICO said: "there is nothing in the law or in contemporary regulatory theory that says enforcement must equal fines.  Enforcement happens across a spectrum….it's a series of graduated responses to non-compliance".  Looking at the DfE decision, the ICO highlighted the recently adopted change of approach to public authorities.  He said there was little benefit to fining public authorities, especially given the constraints on their funding.  In addition, given they had often resolved the issues which had led to the ICO's investigation by the time the investigation concluded, there would be no value in issuing an enforcement notice.  The ICO said "we need to be regulating for outcomes not outputs". In a January 2023 statement to the House of Lords Public Services Committee, the ICO also said that public bodies would not be penalised for sharing personal data to protect children from harm.

A further revision of enforcement policy was announced in early 2023.  On 20 January 2023, the ICO said it had decided to stop enforcing failures to file personal data breach reports under Regulation 5A of PECR which requires a communications service provider to notify the ICO within 24 hours of becoming aware of a data breach.  The ICO's decision was based on the fact that the incidents tend to be caused by human error, involving one individual, are quickly resolved and result in risk remediation measures being swiftly implemented.  Following feedback, the ICO has updated its statement which now says that it will use its discretion not to take enforcement action provided breaches are still reported within 72 hours.  The ICO will continue to take enforcement action in relation to the underlying breaches reported where warranted, and continues to expect breaches likely to adversely affect the personal data or privacy of subscribers or users to be reported within 24 hours.

This does not mean that the ICO will be abandoning monetary penalties, either in the private or public sector, far from it.  In the November speech he said: "Monetary penalties remain an important regulatory tool and we will use them in the instances where they are truly needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has benefited from its non-compliance".  However, the ICO said lessons must be learned by the economy to improve data privacy practices as a result of its regulatory action, and the public must be able to see that organisations which breach the rules are held to account.  As a result, the ICO announced that, going forward, all reprimands issued to organisations would be published on its website unless there is a good reason not to do so.

Will things change with the UK's planned new data protection regime?

One potential factor which may cause a shift in emphasis arises in relation to the UK's incoming data protection legislation, the Data Protection and Digital Information Bill.

The reforms to the ICO were some of the more controversial changes originally proposed by the government when consulting on the new law. In particular, concerns were raised that the reforms would undermine the ICO's independence. When the Bill was published in June 2022, it looked to introduce new duties on the ICO (to have regard to competition, growth and innovation) as well as a new governance structure, but did not go as far as the consultation proposals. Although plans are for the Secretary of State to be given the power to issue a statement of strategic priorities to the ICO (even though most respondents to the consultation disagreed with this), the ICO's primary objectives and duties will supersede these strategic priorities and they will not be legally binding. Despite this watering down, it is possible that when it is finalised, the new law will influence the direction of the ICO's enforcement activities although there are no plans to reduce the amount of maximum penalties.  This remains an area of uncertainty, particularly as the Bill has currently stalled and may yet change.

If, however, going forwards, the ICO's use of financial penalties appears to be less frequent than those of other regulators, particularly EU regulators, or it appears less than independent from the government, it could impact the way the ICO is viewed as a regulator.  For some, it might be an indicator that the UK has slipped below EU GDPR standards, potentially impacting adequacy arrangements in extreme situations.  For others, it might be a sign that the ICO is a more business friendly regulator than those of its neighbouring countries, not least because it is not subject to the cooperation and consistency mechanism under the EU GDPR. 

Keep calm and carry on

So what does the ICO's current approach to enforcement mean for organisations?  Naming and shaming can be a powerful tool but, for many businesses, it's the financial penalties which really focus the mind.  Memories can be short.  Reputational damage is real and should not be underestimated, but it is not necessarily fatal, or even seriously wounding – it very much depends on the nature of the organisation and the nature of the issue. Arguably, however, the same is true of financial penalties as the recent Meta fines demonstrate. This, however, is something the ICO will understand and it would be unwise to consider the ICO's emphasis on its full enforcement arsenal, as an indication that it does not take enforcement, including the issuing of financial penalties as seriously as ever.  The central tenants of the ICO's enforcement policy remain  accountability, transparency, certainty and predictability. We can expect a continuation of the pragmatic risk-based approach, with financial penalties used as part of the overall enforcement strategy when appropriate.