What has been the ICO’s approach to fines since GDPR implementation?

A lot of the publicity regarding the introduction of the EU General Data Protection Regulation (GDPR) ahead of its implementation concentrated on the increased fines that could be levied by the Information Commissioner’s Office (ICO) for breaches post 25 May 2018. There was a general expectation that the ICO would herald the dawn of the world of GDPR by immediately using its new powers. When the expected flurry of fines did not happen, many regarded all the media stories surrounding the fines as being a new millennium bug. However, in June, BA was fined £183 million, and the following day, Marriot was fined £99 million — two very significant penalties successfully levied by the ICO under the new regime.

Marriott and BA GDPR fines highlight importance of security by design

Opinion: Marriott and BA GDPR fines highlight the importance of security by design, as ICO vents its wrath on travel industry. Read here

The experience of the past year or so of GDPR has revealed some useful insights into the approach that is being taken to levying fines since implementation. It is useful to reflect on the context the GDPR is operated in here, to put the fine powers in context:

1. The 1998 Data Protection Act gave the ICO the power to fine — fining is not a new power. The ICO never implemented the maximum fine of £500,000 under the 1998 Act.

2. The GDPR fines only apply to post 25 May 2018 breaches. The enforcement action taken by the ICO in 2018, by definition, applies to 1998 Act breaches, and not GDPR breaches. There was always going to be time lag between 25 May 2018 and the increased fines.

3. The ICO does not keep the fines. Its role as a regulator is to use enforcement action and fines as a last resort. Therefore, looking at the fines in isolation risks giving a distorted picture – a more balanced view of how the ICO operates is to look at the enforcement action.

4. We do not yet know how the 1998 Act fines “translate” into GDPR fines.

So, what can we determine so far with regard to how the GDPR is being enforced by the regulators? There are signs of disparity at the national level within in the EU, although there is also a willingness shown to issue very large fines where mandated. However, the much-advertised rule of 4% of global turnover has not been embraced by regulators yet.

Of the 206,326 cases reported under the GDPR across the 31 countries in the European Economic Area (EEA), the national Data Protection Agencies have only resolved 52% of them. From May 2018 to February 2019, the European regulators between them issued fines totalling €56 million. However, €50 million within this comprises the fine issued to Google by CNIL — the French regulator. The average fine issued in the EU is €66 million.

Facebook shrugs off $5billion fine, but it has bigger challenges ahead

Facebook is to be fined $5billion, but on news of the fine shares rose. It has got bigger problems ahead. Read here

In determining the overall approach to fines that is being taken, it is perhaps too early to be certain. However, the Dutch regulator has provided useful guidance for firms by breaking down breaches into four categories to which a default fine applies. These are, in order of increasing severity:

I. applies to relatively simple or clerical violations — this carries a fine of €100,000;

II. refers to when a company does not fulfil specific GDPR requirements regarding data processing — fined at € 310,000;

III. refer to a company’s refusal to be transparent, such as failing to notify users and regulators — fined at €525,000; and

IV. the unlawful processing of special categories of data — fined at €725,000.Too early to conclude, but..

We are seeing the regulators using their power to fine, but at the moment, only as a last resort. We are probably a long way away from a maximum fine of 4% of global turnover being issued. The Dutch approach is compelling, and we may expect other regulators, including the ICO, to use this approach.

However, the ICO is consistently taking a hard line on companies that conduct, or allow others to conduct, unsolicited marketing campaigns. When well-resourced companies (Facebook/Cambridge Analytica, BA, or Marriot) do not prevent third parties obtaining personal data, fines are being levied.

If organisations understand what personal data they process, have systems that manage and protect that data, and work with the ICO when issues arise, it seems unlikely that fines would be imposed.

Written by Alexander Egerton, partner, Seddons LLP

Editor's Choice

Editor's Choice consists of the best articles written by third parties and selected by our editors. You can contact us at timothy.adler at stubbenedge.com