
Privacy enforcement in the UK: Keeping abreast of the trends

In this second blog in PwC UK’s ICO enforcement trends series, PwC looks at the statistics from the first quarter of 2023 and how these impact the overall trend figures.

Posted 1 June 2023 by Christine Horton


In the UK, the Information Commissioner’s Office (‘ICO’) is the regulator responsible for enforcing laws relating to privacy and information rights. The ICO is empowered to investigate and to bring enforcement action against organisations, and individuals, for breaches of those laws, namely the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (‘PECR’).

PwC has compiled a database of the nature, volume and size of ICO enforcement activity and will be providing quarterly articles summarising key trends and developments. In publishing these trends we’d like to repeat the UK Information Commissioner, John Edwards’ own words: “Fines are only one of a number of enforcement tools available to us. We need to be regulating for outcomes, not outputs. The number or quantum of fines is not the measure of our success or failure, nor of our impact. Getting better outcomes, and sharing those stories with the wider economy, can have a much greater effect on the lives and rights of the people of the UK than a fine might. That’s my regulatory philosophy, and I’m sticking to it.”

If you’d like to find out more about PwC’s Data Protection team and how they can support your business in complying with UK privacy laws, please contact Fedelma Good or Orla Middlemiss, whose details can be found at the bottom of this article.

Key enforcement trends January 2023 – March 2023

  • It has been one of the quietest quarters for ‘traditional’ enforcement action (i.e. Monetary Penalty Notices, Enforcement Notices and prosecutions) since the GDPR came into force. The ICO has taken action in only 4 cases, one of which was a Monetary Penalty Notice for the sum of £200,000 against a company that made over 1.75 million direct marketing calls in breach of PECR.
  • This may be explained by the ICO’s new focus on Reprimands as a form of non-punitive enforcement action. The ICO began publishing Reprimands on its website for the first time in December 2022 and has issued six in the first quarter of 2023. A Reprimand is a formal letter stating that an organisation has not complied with the legislation, and is often accompanied by recommended actions for the organisation to take. Reprimands are designed to act as deterrents but do not legally compel an organisation to take the recommended actions. The vast majority of Reprimands issued so far have been against public bodies, reflecting the ICO’s revised approach to public sector enforcement that the Commissioner announced in June 2022, which will see the ICO ‘reduce the impact of fines on the public sector’.
  • Experian’s appeal against the ICO Enforcement Notice in relation to its processing of personal data for direct marketing business was partially upheld. Whilst the ICO’s finding that Experian had not complied with the legislation as it had failed to provide sufficient privacy information to over 5 million data subjects was upheld, the First-tier Tribunal[1] allowed Experian’s appeal on several other grounds, including rejecting the ICO’s view that the use of credit reference data for direct marketing purposes was unfair. The ICO is currently considering whether to appeal the Tribunal’s judgement.
  • The ICO is keeping in step with its counterparts in the EU in its approach to enforcement against big tech. After issuing a notice of intent in September 2022, the ICO has fined TikTok £12.7 million for a series of breaches of the GDPR, including failing to use children’s personal data lawfully. This follows a series of enforcement actions taken by European regulators against TikTok and other tech firms such as Meta. (NB: Whilst the fine was confirmed in April 2023, the details are included in our Q1 blog given the public interest in the decision.)

Enforcement action

You can read PwC’s first article, which focuses on wider trends across the period since the General Data Protection Regulation (‘GDPR’) came into force, here.

Saehaan Memon
Associate
Data Protection Legal – PwC UK

[1] The First-tier Tribunal (General Regulatory Chamber) is an independent body that hears appeals against notices served by the ICO. Organisations have 28 days after an ICO decision to file an appeal with the Tribunal, and its decisions are binding on the parties.
