It’s become something of a trope that the UK’s data protection regulator is a soft touch when it comes to enforcement.
Critics point to its reticence to wield the stick against the private sector while at the same time giving government departments a second, third or fourth bite of the carrot for their (sometimes significant) breaches of data protection laws. Indeed, the ICO has signaled its intention to consider a range of enforcement actions against the government in order to avoid the money from any penalties simply bouncing between Treasury departments.
Clearly there’s more nuance to the question of whether the ICO could or should be a regulatory Rottweiler. And although I’m not one for hyperbole, I’ll make an exception for a development that, in its own quiet way, shows the ICO to have taken one of the more aggressive stances of any European regulator this year.
What am I talking about? Well, the ICO recently published a number of large data sets containing detailed information about the personal data breaches and data subject complaints reported to it, and the civil investigations it conducts, since Q4 of 2021. Thousands upon thousands of rows of data. I’m no mind reader, but I already know what you’re thinking: does this information include the name of the reporting or reported organisation?
And the answer is yes, it very much does. The data sets cover the organisation’s name and sector, the applicable legislation and the nature of the issues involved, the date of completion and the outcome.
Given the significance of this development, it’s surprising that the ICO has (1) chosen to release it with limited fanfare, and (2) buried the data sets on its website (here). Indeed, it seems to have flown almost entirely under the radar. Understanding whether their breach or complaint will be publicised by European regulators is one of — if not the — main concern that organisations have when working through an incident, and the answer has usually been no. That is particularly the understanding or assumption where the breach or complaint is closed without regulatory enforcement.
Now, at least in the UK, the era of relative anonymity looks to be over. It remains to be seen whether organisations will choose not to report breaches that they consider to be low risk in order to avoid being included on future data sets. That could be the case even though the ICO spends less than five hours investigating and closing each complaint that it receives.
Businesses don’t have that option in respect of data subjects' complaints, which may be sent directly to the regulator. And while the UK’s class action system is in its infancy, claimant firms may start to adopt U.S.-style practices of scanning the ICO’s databases in order to identify repeat offender or prospective cases.
So perhaps it’s a case of be careful what you wish for: a regulator that issues big fines to an unlucky few but keeps the rest under wraps, or one that takes a light touch approach to enforcement while putting the many in the spotlight.
We publish information about matters with the full range of outcomes, including those where, following our consideration, it was unlikely that the legislation we oversee had been contravened. This is because, whether or not there is any further action for an organisation to take, we know the public are legitimately interested in how many concerns and incidents are reported to us.