UK ICO updates approach to data protection regulation during coronavirus pandemic

As well as committing to support organisations, particularly those at the frontline in providing healthcare and other vital services, through fast tracked advice and guidance the ICO indicated that, in handling the public’s complaints, it would take into account the impact of the crisis on the organisations complained about. The ICO also signalled some easing up in the use of its regulatory and enforcement tools, including monetary penalties. Now, some six months on, and after a few tweaks on the way, the ICO has updated its regulatory approach. As the Information Commissioner, Elizabeth Denham says in her open letter to organisations the updated approach is, “…another step towards returning to our approach before Covid 19…”. It therefore represents some modest tightening of the screw so far as data protection enforcement is concerned, making clear that whilst the ICO will continue to lend a sympathetic ear to those who still face genuine and justifiable difficulties because of the pandemic this cannot be relied on as more general excuse for non-compliance.

Some Welcome Confirmation

It is fair to say that the ICO’s  updated approach represents an adjustment rather than a radical change of direction even though it does convey some significant messages for businesses about a limited tightening of the ICO’s regulatory screws. The updated approach, and Elizabeth Denham’s covering letter, develop some key elements of the approach first set out in April whilst, at the same time, providing businesses with welcome confirmation that the thrust of these elements will be continuing, at least for the time being. The elements in question include;

• Prioritising practical advice that supports businesses through the pandemic and recovery period on issues like working from home, collecting customer details for contact tracing and testing staff for coronavirus.
• Focussing advice and support firmly on enabling innovation to happen. “The days when data protection regulation was seen as a blocker to innovative business have long passed.”
• Recognising that although fines and penalties may grab headlines working alongside organisations, helping them to comply with the law, is the most effective way of reducing mistakes and misuse of people’s data.
• Focussing investigations and enforcement on the most serious risks and greatest threats to the public.
• In deciding whether to take regulatory action considering whether an organisation’s non-compliance results from the pandemic and being prepared to give organisations longer than usual to rectify any breaches that predate the pandemic where the pandemic has impacted on their ability to do so.
• Before issuing fines considering the economic impact and affordability which, in current circumstances, is likely to continue to mean the level of fines will be reduced.
• Taking a strong regulatory approach against any organisation breaching data protection laws with the aim of taking advantage of the  crisis.

Some Tightening of the Screws

Those areas where some tightening of the ICO’s regulatory screws is apparent include:

• Signifying that the ICO’s broad  commitment to flexibility in its approach to its regulatory functions may not apply equally across the board and is directed particularly at those engaged in tackling the pandemic or supporting vulnerable people.
• Explaining that the ICO’s  expectation is now that the majority of organisations will be able to deal with complaints they receive from members of the public and that those with a backlog have robust recovery plans in place.
• Removing the acknowledgement that the pandemic may impact on the ability of organisations to report data breaches within 72 hrs. The updated approach says simply that, “This should be within 72 hours of the organisation first becoming aware of the breach.”
• Recommencing some investigations that were initially paused at the start of the pandemic, albeit still prioritising those that involve the greatest risk of harm to the public.
•  Undertaking some risk based audit work on an offsite basis.
•  Recommencing formal regulatory action in connection with outstanding information request backlogs held by organisations that pre-date the pandemic. Although most likely to impact on public authorities with Freedom of Information request backlogs this could also cover any businesses with backlogs of data subject access requests.
•  Removing the statement that the ICO may not enforce against organisations who fail to pay or renew their data protection fee due to economic reasons linked to the pandemic.
•  Keeping under review the pause in the ICO’s adtech and real time bidding investigation work with a commitment to publish a separate update on adtech and real time bidding in due course.

Some Other Observations

In her open letter, Elizabeth Denham not only confirmed that the ICO will not be changing its pragmatic approach to supporting organisations to protect people’s information rights during the coronavirus pandemic. She went on to say that this has been the ICO’s approach throughout her time as Information Commissioner and will continue when her five year term comes to an end in July 2021. When Elizabeth was appointed in 2016 it was for a fixed term of five years. The transitional provisions in  the Data Protection Act 2018 have opened up the possibility that her term could be extended for a further two years (to make seven years in total) but she appears to be signalling that she will indeed leave the ICO in July next year. If so, we can expect recruitment for a successor to start within the next month or two. We can but hope that Elizabeth Denham’s confidence in saying that the ICO’s pragmatic approach and commitment to supporting organisations in protecting information rights will continue once her term of office ends does not turn out to be misplaced.

Although the ICO’s updated regulatory approach refers to monetary penalties it doesn’t go very far in explaining why there appears to have been so little action on imposing fines since the GDPR came into force nearly two and a half years ago. Apart from a continuing flurry of penalties for breaches of the Privacy and Electronic Communications Regulations, resulting from the sending of unsolicited marketing messages, and the huge, but yet to be finalised penalties against British Airways and Marriott, there has only been one fine - that imposed on Doorstep Dispensaree. The updated regulatory approach refers to the restarting of some investigations that had been paused, so there might be a backlog of cases in the pipeline. It also refers to considering economic impact and affordability before issuing  fines, so some cases might have been dropped that, in different times, would have attracted a fine. However, these can only be partial explanations at best given that the pandemic has only been with us for a fraction of the time that has passed since the GDPR came into force. Tellingly, EU data protection authorities, for the most part, don’t seem to have felt themselves similarly constrained given the steady flow of fines now being published on the European Data Protection Board’s website.

Could the answer to the absence of fines lie in legal shortcomings? The Data Protection Act obliges the Commissioner to issue statutory guidance on, amongst other matters, monetary penalty notices, explaining when it will be appropriate to issue a penalty notice and how the amount of penalties will be calculated. Shortly after publishing her updated regulatory approach, the Commissioner launched a public consultation on a draft of such statutory guidance, covering a range of regulatory functions that includes the imposition of monetary penalties. There is no obvious explanation provided as to why this draft guidance is being issued now, with only a passing reference to the draft being an “updated version” of the ICO’s existing statutory guidance. Perhaps the guidance is being revised because of Brexit. Certainly some changes are likely to be needed, such as removal of references to the GDPR’s consistency mechanism. However, all that the ICO has stated explicitly in this connection is that the final guidance will be published “after the UK has left the EU”  (presumably here the ICO actually means after the end of the transition period given that the UK has already left the EU.)  Or perhaps it could be that the existing statutory guidance, which is contained within the ICO’s Regulatory Action Policy and is arguably thin, at least in so far as providing guidance on how the amount of any penalty will be calculated, has been found wanting. Could this have been in light of the close examination the guidance will undoubtedly have come under following the multi-million pound fines proposed for British Airways and Marriot? Given these proposed fines it seems unlikely that the ICO has lost its appetite for fining those guilty of the most serious breaches of their GDPR obligations, so perhaps the problem is more a lack of the necessary statutory guidance to meet the requirements of Section 160 of the Data Protection Act 2018. Regardless of the reasons, whether related to the pandemic or otherwise, some explanation from the ICO, as to why so few post GDPR fines have been imposed, particularly given the fanfare that there was around the threat of fines when the GDPR first came into force, is becoming increasingly overdue.