Bringing sticks to a gunfight: how the ICO fails to enforce the law

As you may be aware, we are taking the Information Commissioner’s Office to court over its failure to enforce the law against the digital advertising industry and real time bidding. This is yet another failure in our regulator’s track record, and we believe it reflects more fundamental problems with the ICO’s approach to regulation.

For this reason, we decided to respond to the ICO consultation on its draft Statutory Guidance, which outlines how the ICO intends to exercise its powers under the UK Data Protection Act. Although limited in scope, this guidance is interesting because it sheds light on the ICO’s internal reasoning and approach to regulation.

In case you are interested, the consultation closes on November 12 at 5pm.

ICO’s carrot and stick approach: why it doesn’t work

The ICO sees its approach as a combination of carrot and stick: education and the promotion of voluntary compliance come first, and enforcement follows only if and when it becomes necessary. Although this may look like a sensible approach, practice tells a different story.

For instance, Google and the Interactive Advertising Bureau enthusiastically engaged with the ICO during its investigation into adtech and real time bidding. That engagement contrasts with the reality of an industry which is intensifying its efforts to exploit our personal data, in stark defiance of the law. In a similar fashion, the ICO recently took enforcement action against Experian, after an investigation into the credit reference agencies which followed many years of broken promises by the data brokerage sector. Nevertheless, there is no indication that years of non-compliance will carry any consequence beyond being ordered to follow rules these organisations should have respected in the first place.

Can you see the pattern? The ICO’s soft approach to enforcement has become a comfortable avenue for organisations which seek to buy time and to delay or avoid enforcement against their unlawful practices. The approach is all the more convenient for them because an organisation that fails to keep its promises faces no consequences for doing so.

The ICO is going backwards

We appreciate the ICO’s educational efforts, but we believe they must be backed by the threat of heftier sanctions for organisations which, even after this process, are still found to be in breach of the law. Unfortunately, the ICO seems to think otherwise.

For instance, in the current Statutory Guidance, “the intentional character of the failure or the extent of negligence” is listed among the criteria for determining the amount of a monetary penalty. In the new (draft) Statutory Guidance, however, the ICO has taken a step back: “intentional or negligent acts” are mentioned only as a reason that could justify issuing a penalty notice, not as a factor in setting its amount.

We do not find this appropriate, and we advised the ICO to treat such conduct as an aggravating factor leading to stronger enforcement, such as shorter timescales for complying with the law and heftier monetary penalties for failing to do so.

Furthermore, while this consultation concerns a very specific aspect of the ICO’s regulatory policy, we believe the ICO should take it as an opportunity to reflect on its approach as a whole. Data protection law is not optional, and organisations have had plenty of time to adapt to a legal framework which was approved in 2016. Accordingly, education and persuasion should be used only where they serve to uphold data subjects’ rights, not at their expense.

What’s next

Unfortunately, changing the ICO’s entrenched and dysfunctional approach may take more than our recommendations.

Want to help us? Support our judicial review against the ICO, or join us and help us fight for a regulator that upholds and enforces our rights effectively in the digital age.
