ICO enforcement: two years after the GDPR

On Tuesday, the Information Commissioner Elizabeth Denham will appear in front of the DCMS Committee for a hearing, where she will be questioned about her office’s role in protecting personal data against targeted online advertising, and about the use of personal data for tackling the coronavirus pandemic. Open Rights Group is glad to see that Parliament is finally stepping in, as we have repeatedly suggested over the past year.

We voiced a number of concerns about their response to the coronavirus, their disappointing handling of our adtech complaint, and their enforcement strategy at large. For these reasons, we analysed and took stock of the ICO’s enforcement actions. Our aim is to shed light on the results that the ICO’s approach has achieved so far, and to assess the adequacy of that action in light of the challenges we are facing.

Our analysis

Since the GDPR entered into force in May 2018, the ICO has taken 53 actions in the form of 35 penalty notices, 15 enforcement notices and 3 prosecutions. The overwhelming majority of their attention was directed at data processing for direct marketing purposes (34 notices) and data security shortcomings (8 notices). Together, these represent roughly 80% of the actions taken by the ICO.

For the avoidance of doubt, not every action listed under “direct marketing” necessarily deals with nuisance calls or unsolicited texts. This is the case for the ICO’s investigations into political parties, adtech and data brokerage, which involve complex data processing such as profiling and micro-targeting. However, even in the context of micro-targeting for political advertising, the ICO only issued GDPR fines and enforcement notices for unsolicited communications. In their adtech investigation, they avoided taking any action despite having established breaches of the law.

This leaves the ICO’s action on data brokerage activities: while it is true that they recently issued an enforcement notice against Experian, this came only after an unusually long investigation and Experian’s stubborn refusal to commit to satisfactory changes to their illegal practices. On top of that, other data brokerage firms implemented changes while refusing to admit any wrongdoing, leaving little doubt about their intention to resume “business as usual” as soon as conditions allow, and casting doubt on the dissuasiveness of the ICO’s action.

Our opinion

The ICO has always been transparent about nuisance calls and data security breaches being among their priorities, and we do understand the reasons for that: these are elementary and straightforward breaches of the law that occur often and are easily identified by citizens, they are annoying, and they cause well-known societal harms, such as spam or identity theft.

However, new and no less concerning threats have been emerging and taking hold over the years. Widespread corporate surveillance and profiling drive the collection of huge amounts of information about our daily activities and preferences, with virtually no transparency or opportunity for redress. This data then affects our ability to obtain credit, to find job offers and housing adverts, and to be granted or denied access to government benefits; it is used to monitor our compliance with the law, and it otherwise influences our lives.

We also need to think about what fines are for, and what Enforcement Notices are for. While Enforcement Notices can shape an industry’s understanding of the law, on their own they are a low-risk event for the company that receives them, both reputationally and monetarily, compared to a fine. Enforcement Notices can simply mark one step in a long process of dispute between the regulator and the company that receives them, without a clear end.

However, the GDPR introduced fines of up to 4% of global turnover in order to create a financial and reputational disincentive for non-compliance. Fining powers exist as part of a suite of enforcement tools, but they play a minor role outside of the most high-profile and egregious failures, such as data breaches and spam operations. If fining powers exist as an incentive for compliance, but are rarely used against companies beyond the most obvious issues, we should question whether that is going to be an effective strategy.

What’s ahead of us

These issues may be difficult to navigate for the man in the street, and this is precisely why authorities and institutions are expected to step in and ensure that technological progress does not undermine our rights and way of life. However, the ICO’s track record has been poor in this regard, and we have seen before how they failed to provide much-needed answers in the aftermath of the A-level fiasco, in the field of micro-targeting for political purposes, and against data brokers’ widespread malpractice.

Open Rights Group will keep voicing its concerns about the ICO’s unsuccessful approach to data protection compliance, and we are indeed taking the ICO to court over their failure to handle our adtech complaint to the required standard.

Stay tuned for more updates or join us, and help us protect your rights in the digital age.
