The ICO Must Toughen Up

As the House of Lords finally begins scrutiny of the UK data protection reform, Open Rights Group urges peers to support amendments that would strengthen the independence and effectiveness of the UK data protection authority, and bolster the public’s right of seeking a remedy against an infringement of their rights.

The ICO has a long track record of weak enforcement and missed opportunities. With the Data Protection and Digital Information Bill, the Government has not to articulated proposals to address existing issues, but rather has presented proposals that would allow Ministers to interfere with the objective and impartial functioning of the watchdog that should oversee them. This lack of independence would lead to the UK loosing its adequacy status under EU law, an outcome that would cost UK businesses 1.2 billion pounds in legal fees alone and spell troubles for the UK digital economy.

Artificial intelligence and digital technologies now bear the risk of amplifying and reproducing harmful and discriminatory outcomes at scale. Data protection constitutes a first line of defence against data abuses and unfair assumptions that can have a life-changing impact. Undermining the effectiveness of an already weak regulator threatens our economy and our rights, endangers important cooperation initiatives with the European Union, and sets the stage for incidents and scandals that have elsewhere lead to an entire Government resigning.

THE ICO IS NOT A FRIEND, BUT A REGULATOR

The ICO’s enforcement strategy is falling short of what is required by a regulator. Research from the centre for Cambridge Centre for Intellectual Property and Information Law found that the ICO issued merely four fines in a year and generally enforced the law to a “very limited extent” even against serious breaches of data protection. Reports by Open Rights Group and Open Democracy also revealed how the ICO is failing to hold the Government to account for egregious breaches of the law, such as deploying public health programmes unlawfully or systematically stonewalling Freedom of Information requests.

If this track record is far from exemplary, under the new Commissioner John Edwards, the ICO has shifted direction further away from punitive action. The ICO’s new strategy says little about regulatory enforcement but explains that it “can save UK businesses more than £100m”. Likewise, with its revised approach to public sector enforcement the ICO pledged to use “the Commissioner’s discretion to reduce the impact of fines on the public sector”. The results can be seen in the ICO’s “action we’ve taken” page, which lists little regulatory action being taken by the ICO—except regarding nuisance calls, spam and data breaches—but now lists a very large number of “reprimands”, being a strongly worded letter of regret lacking any legal effect.

DPDI BILL: A “MEAT PUPPET” REGULATOR

The ICO is a watchdog with the task to oversee the Government. However, the DPDI Bill would abolish the ICO and replace it with a new Information Commission, whose members would be appointed by the Government themselves. The Bill would also empower the Secretary of State to issue instructions and recommendations to the ICO, thus interfering with its objective and impartial functioning.

The Bill would change the statutory objective of the new Information Commission by providing a list of vague and contradictory objectives—none of which are related to information rights—and expand the discretion of the new Commission in accepting of dismissing complaints lodged by members of the public.

Lodging complaints with the ICO would become more difficult, as victims will be required to contact and negotiate with the offender before escalating their complaint to the Commission. Even if a complaint were investigated, members of the public who are victim of an abuse of their personal data would routinely have to wait 20 months for their complaints to be dealt with under the new DPDI Bill rules.

AMENDMENTS THAT COULD FIX THIS

As we outlined at the beginning of this blog, the ICO needs to toughen up, but the DPDI Bill does not bring any manner of solution: we don’t need a new Information Commission that is even less independent, less accountable and less effective.

To fix this, Open Rights Group has worked hard with Members of the House of Lords to table amendments that would address the deep and systemic issues of the ICO, in particular by:

• Codifying a clear statutory objective for the new Information Commission, namely to enforce the law and investigate complaints.

• Removing powers that would allow Ministers to meddle and interfere with the objective and impartial functioning of the Commission, and ensure the new Commission is appointed by Parliament rather than Government, in line with recommendations from the Brown Report.

• Protect the new Commission from regulatory capture by introducing a three-years stay period that prohibits its members to go and work for the industries they were regulating.

• Introducing an effective redress mechanism for complainants if the Commission fails to investigate their complaint properly, and enabling public interest organisations to make collective complaints on data issues.

THE DPDI BILL NEEDS A RADICAL OVERHAUL

The independence and effective functioning of the UK data protection authority is of pivotal importance, but the DPDI Bill misses the target and would worsen rather than address existing concerns around the ICO.

This may sound familiar for those who have followed the Bill since its inception: since the beginning, the Government run a lopsided consultation process, only to later ignore widespread criticism and ambush the Commons to prevent Members of Parliament from scrutinising the Bill. The result is a proposal that not only harms UK residents, but could result in the revocation of the UK adequacy decision. This would cost over £1.2bn to UK businesses in administrative costs alone, and would risk undermining important cooperation initiatives between the EU and the UK such as data sharing for research (Horizon), law enforcement (Prüm) or immigration control purposes (Frontex).

We urge the House of Lords to fill up the gap left by our Government’s failures to uphold due process in their policymaking, and to introduce the radical changes the DPDI Bill needs to protect the public from ever-growing digital threats.