On 22 November 2022, the UK Information Commissioner, John Edwards, emphasised the new approach to regulatory and enforcement action by the Information Commissioner's Office (ICO) in his keynote speech at the National Association of Data Protection Officers annual conference.
The Information Commissioner discussed his views on regulating for outcomes; the various regulatory tools at the ICO’s disposal; and the ways in which and the circumstances in which such tools should be deployed. He also noted that the ICO is modifying its attitude towards regulatory action in respect of public sector organisations, citing the ICO’s recent reprimand to the Department for Education as an example and dismissing the idea that such an approach was a sign of weakness or the ICO “going easy” on government.
Mr Edwards explained that, in his opinion, enforcement does not necessarily equate to fines, noting that Article 58(2) of the GDPR details the ICO’s “corrective powers”, which include not only fines, but also a whole range of other enforcement tools, including warnings, reprimands, compliance orders, limitation orders, erasure of data and suspension of data flows. He emphasised the fact that enforcement action can take a variety of different forms.
Mr Edwards also argued that the ICO should regulate for outcomes rather than outputs, stressing that, in his view, the number or level of fines should not be used as a yardstick by which to judge the ICO’s results or success. He explained that achieving preferential outcomes and publicising these may have a more significant impact on UK citizens’ rights than monetary penalties might achieve.
Regarding the shift in approach towards public authorities, and using the example of the reduction from £500,000 to £50,000 of the fine issued to the Cabinet Office in respect of its data breach affecting the 2019 New Year’s Honours list, Mr Edwards observed that imposing monetary penalties on public authorities can, in effect, penalise the victims of UK GDPR non-compliance by reducing the monies available to public authorities to deliver their services, which is of little social benefit in times of economic crisis. Furthermore, Mr Edwards noted that, in central Government, fines create a “money-go-round” and are ineffective in delivering the ICO’s desired outcomes. The Information Commissioner observed that there is little evidence that fines alone deliver improved outcomes for individuals’ rights or result in better data protection compliance by public authorities.
It was made clear that, going forward, the ICO will focus on approaches that will have the most significant impact on encouraging compliance, rather than always opting for the most “headline-grabbing action”. Monetary penalties will remain an important regulatory tool which will be utilised, when appropriate, in cases where breaches have harmed or could harm individuals the most, or where organisations have profited from non-compliance (e.g. the monetary penalties recently levied against Easylife in respect of nuisance calls and profiling of customers involving sensitive health-related issues).
Another key change highlighted was that from January 2022 all reprimands issued by the ICO will be published, unless there is a good reason not to do this.
This change in approach is motivated both by the understanding that by educating others the ICO can drive behavioural change in compliance and the requirement for better accountability, as there is a need for the public and individuals impacted by breaches or infringements to be informed when responsible organisations are held to account. The hope is that this will lead to consequential changes in business or operational practices.
The change in approach is also driven by the need to inform the rest of the economy about infringements of applicable data protection laws and what action is taken. When monetary penalties are considered in respect of public authorities, but reprimands are issued instead, the ICO will confirm the amount of the proposed fine to put any organisations who might be considering lower levels of compliance in the interests of saving money on notice of the likely level of monetary penalties that could be imposed.
The counterbalance to the ICO’s new strategy for organisations is greater certainty regarding the nature and extent of their data protection obligations, with increasing emphasis on the need to provide a predictable and well-publicised approach to enforcement for both organisations and the public. The Information Commissioner believes that such certainty encourages flexibility and increased innovation for organisations and highlighted a number of areas where the ICO is assisting with innovation.
In closing, the Information Commissioner commented briefly on the ICO’s freedom of information (FOI) responsibilities and various proposed changes, including a consultation outlining how the ICO is planning to prioritise and fast-track FOI and Environmental Information Regulations appeals in the future. He also mentioned the ICO’s new three-year strategy (ICO25) and the need to raise awareness about the ICO and its work.
It will be interesting to see what impact the ICO’s new approach to regulatory and enforcement action (which various European regulators also appear to be adopting, to differing extents) has in practice on driving data protection compliance across both the public and private sectors. It is possible that the different approach taken in respect of the public sector as compared to the private sector may be seen to result in a somewhat inconsistent application of data protection enforcement principles, notwithstanding that this approach is practical, proportionate, risk-based and outcomes-focused and takes into account some genuine issues regarding data protection enforcement in respect of public sector organisations. Hopefully, however, the new strategic approach to regulatory action will encourage genuine, positive behavioural changes in data protection compliance by all UK-based organisations.
Those acting as data controllers should note the possibility, however, that increasingly a number of different enforcement measures other than fines may be imposed upon them regarding data protection-related breaches and infringements.
Such measures may have significant implications for their businesses, albeit in a different way to monetary penalties. While fines may hit annual or quarterly revenue figures, orders to stop processing, erase certain data, or to stop transferring data may have far-reaching implications for the business model.
Public reprimands may also potentially expose data controllers to significant reputational risks. Organisations which are subject to investigations by the ICO would also be well advised to begin considering potential outcomes other than fines and planning for change, rather than waiting for such investigations to conclude, as any corrective order imposed will come with a (relatively short) timeframe for implementation, following which further enforcement action, likely a fine, may follow.
I want to lay out for you my thinking on regulating for outcomes, the range of regulatory tools available to me, and how and when we should use those different tools. In other words, I’m going to talk about my regulatory, and enforcement philosophy. We’re changing our approach to how we deal with public sector – you might have seen our recent reprimand to the Department for Education, which is an example of this changed approach. Under the old rules, this could have been a £10m fine. Some commentators have suggested this might be a sign of weakness, or us ‘going easy’ on government. It's not.