The ICO: an honest appraisal
The ICO’s excellent reputation may be under threat as it contends with difficult enforcement, legal threats and tight budgets – as well as the pain of Brexit. What is the true state of play at the UK’s data regulator?
As news broke in the first working week of the year that the UK Information Commissioner’s Office (ICO) had agreed delays to its two big-ticket investigations into British Airways and Marriott, data protection circles were rife with speculation about the reasons for the delays – and whether they were a sign the ICO was going through a difficult period. To try to better understand the reality of the ICO’s position, GDR looked through public announcements, documents provided through freedom of information requests, details of the enforcer’s finances, and carried out interviews with lawyers, privacy activists and current and former ICO officials.
Any suggestion that the ICO is on the back foot deserves contextualisation. The regulator is respected by other authorities, and is considered forward-thinking in terms of its approach and its technical capabilities. The authority and its chief, Elizabeth Denham, often win reams of positive press in large part because of their willingness to tackle – or at least publicly denounce – the data practices of some of the world’s largest technology companies.
On a more practical level, senior lawyers who have worked with the regulator say good things. Peter Waters, chief privacy officer and head of legal in Europe at data centre giant Equinix, told GDR late last year that staff at the regulator were “very available” when the company was going through the binding corporate rules approval process. And private practice lawyers speaking to GDR often recall high levels of professionalism – with one describing the ICO’s good reputation as “well-deserved”.
Even so, the regulator is clearly struggling in other areas.
The regulator’s landmark enforcement actions are proving to be a thorn in its side. It was forced to announce its notices of intention to fine British Airways and Marriott – both in the space of two days – because the companies are publicly listed and so were required to share that information with investors. The announcements gathered huge levels of attention because of the steep penalties: the ICO said it planned to fine BA £183 million (€217 million) and Marriott £99 million (€117 million), both for historic data breaches. Should those penalties be issued, they would be the two highest GDPR penalties to date.
With that attention came inevitable pressure, which built as the statutory six-month deadline approached. A mere matter of days before the fines were due, it emerged that the regulator had agreed a three-month delay with both companies – though that information only became public because ICO officials told journalists and lawyers in response to queries.
That the investigations into BA and Marriott make up two-thirds of the ICO’s GDPR fines at the time of writing – the other being a £275,000 fine against small pharmacy Doorstep Dispensaree – raises questions about whether the ICO is struggling with the GDPR.
For David Smith, former deputy commissioner at the ICO and now a consultant at Allen & Overy, the size of the BA and Marriott fines is “surprising”.
“They’ve clearly gone through a process – probably a sophisticated one – to work out the fine. But [when Smith worked at the ICO], the final question was always, ‘does this feel right?’, given all the circumstances. The BA and Marriott penalties didn’t feel right – they felt over the top, from the limited amount we knew in the public domain at least. And it’s been so long since the intentions to fine were announced, you have to wonder what’s happening.”
And such delays are unusual, Smith says. During his tenure at the ICO, from 2010 to 2015, there were “a considerable number of penalties imposed. I’d hesitate to say we never had an extension, but if we did it was extremely rare”.
Some say that the delays are merely indicative of a maturing data protection enforcement landscape. Debevoise & Plimpton partner Jane Shvets argues they are a sign that companies are taking the enforcement regime increasingly seriously – with “very meaningful fines” available to regulators – and as such will fight penalties with greater vigour. “Companies in the past may have accepted the penalties but now they don’t, particularly given the threat of follow-on litigation,” Shvets says.
“I think it’s a sign of this area of the law growing up in a sense, and the fines becoming more significant. I don’t see it as something negative necessarily.”
Smith says the ICO is doubtless being particularly cautious given the likelihood of an appeal if it levies such large fines – and is likely to be ensuring the decision is as robust as possible in case it is challenged in court. But, he says, this should not necessarily have a bearing on the timescale, and does not explain away the delays. “The larger amounts change the seriousness of it, but not necessarily the process,” he says.
The regulator also suffered a setback shortly after the GDPR came into force, when it was forced to narrow the scope of the notice it had served against political consultancy AggregateIQ (AIQ), after the company said the ICO lacked jurisdiction and accused the regulator of unlawfully trying to retroactively apply its GDPR powers. It is noteworthy, though, that AIQ was still required to delete data belonging to UK citizens. And the ICO told GDR that UK data protection law gives it the option to vary enforcement notices – which is what it did in AIQ’s case.
The regulator’s work on Cambridge Analytica has proved less than perfect in other areas, too. When it applied for a warrant against Cambridge Analytica parent company SCL Elections in 2018, an English judge was forced to deny the regulator’s request on the grounds that it had made the application in the wrong court. The procedural error delayed access to documents at a crucial juncture.
Alongside its difficulties with GDPR enforcement, the regulator is suffering a nasty hangover from the old regime. Commissioner Elizabeth Denham has made a point of taking the battle publicly to Facebook and Mark Zuckerberg – a strategy that has grabbed plenty of headlines – but has had less success on the enforcement frontline.
In response to a Washington Post op-ed by Mark Zuckerberg, in which the Facebook boss extolled the benefits of stricter privacy regulation, Denham issued a statement saying the company should reconsider its appeal against a £500,000 ICO fine. The fine – the largest the regulator could levy under pre-GDPR rules – was for Facebook’s involvement in the Cambridge Analytica scandal.
Denham said at the time that the penalty was about “pretty basic data protection: notice and transparency and control and the release of users’ profile information without their knowledge and consent” – but she ultimately could not make it stick. The regulator settled with Facebook six months later, with the social media giant coughing up £500,000 but admitting no liability.
Lawyers told GDR that the settlement was likely to have benefits for Facebook. Debevoise’s Shvets said at the time that “making no admission of liability means that [Facebook] would not be constrained in its arguments in other regulatory actions or follow-on litigation”.
The ICO’s decision “implies that Facebook would need consent from the Facebook friends of Facebook apps’ users to harvest those friends’ data. Based on the public statements of its representatives, Facebook objected to this view, arguing that this could have broad implications not only for its business but for how individuals share data online”, Shvets told GDR. “To the extent the issue of how far the consent requirement goes is tested in future cases – and I suspect it will be – Facebook may be less constrained in making arguments that advocate for its position [as a result of the settlement].”
The decision to settle ultimately means the ICO could not force Facebook to admit failings on what it described as “pretty basic” data protection issues, in turn opening the door for Zuckerberg’s lawyers to argue the company had done nothing wrong in litigation and other enforcement down the line.
However, those on the ground once again argue that the ICO’s decision-making might be the sign of a maturing regulator. Though the settlement “wasn’t a victory for the ICO”, Shvets says, “generally I think the pattern of settlements is something we’ll see more of – I think again it’s a sign of maturity.”
“Companies are going to want the certainty of settlements. I think that the ICO, just like white-collar regulators, is being reasonable and pragmatic about their resources. It’s generally a sign of a healthy regime.”
The ICO has also been forced to admit procedural errors in some of its enforcement work. Late last year, 11KBW barrister Christopher Knight, acting on behalf of the ICO in a London tribunal hearing against Eldon Insurance and Leave EU, was forced to admit a series of procedural errors – in particular the revelation that no internal documents existed explaining any decision-making process prior to releasing notifications against the two organisations, as reported by the Insurance Post.
The “absence of decision-making documents in reference to notices [against Eldon Insurance] cannot be held up as a model of good governance and record-keeping,” Knight said at the time.
It’s not just the enforcers having a difficult time – the watchdog’s accountants seem to be struggling, too. In a summary of its financial situation released in October 2019, it said that it expected a deficit of £229,000 for the year – largely because it had not received as much money as anticipated from the data protection fee it imposes on most UK businesses. The fee ranges from £40 to £2,900 depending on the size of the organisation, but for most it is between £40 and £60, and according to ICO records, it hoped to squeeze £46.5 million from that source.
But it has struggled to bring in that income. English court records show the ICO in regular disputes in an attempt to force companies to hand over the cash – successfully on the whole, but with occasional blunders: the First-tier Tribunal, which hears appeals against ICO decisions, allowed a company to pay a £40 rather than £400 fine for non-payment of the data protection fee because of a typo on the ICO’s monetary penalty notice.
The regulator’s latest accounting records show that it has now brought in that money – but the regulator had to exact a “more ambitious fee income recovery/collection programme” to mitigate the earlier shortfall. In total, between 1 July and 30 September 2019, the ICO issued 340 fines to organisations that had not paid the data protection fee.
The authority’s legal budget also faced “considerable pressure”, the ICO said in October, when it forecast an overspend of £673,000 in the “legal and professional” category. The ICO said then that the extra expenditure was a result of the increased demands it faced. In its defence, it is not alone in that claim, with other European data regulators saying throughout 2019 that they had not been given sufficient funds to deal with the GDPR. Irish data protection commissioner Helen Dixon, for instance, said in October that she was “disappointed” in the funding increase she had been given by the Irish government. European Data Protection Board figures analysed by GDR also show that a majority of European data protection authorities say that they do not have the required resources.
Numbers uncovered by GDR through freedom of information requests show an unusual spending pattern, too. The 18-month-long beta phase of its Sandbox project – a scheme through which the ICO supports companies trying new and unusual projects – will cost more than half of what the regulator spent on its high-priority investigations in 2019. Similarly, correspondence between the ICO and European adtech trade body the Interactive Advertising Bureau (IAB) shows that after months of disagreement over the legality of the IAB’s transparency and consent framework, ICO officials spent £405 on dinner for the two groups at a local Italian restaurant.
Failure to deal with adtech
The online advertising industry is regarded as one of the most important battlegrounds in the world of data protection – given the often intrusive methods companies use to track web users’ data, the vast and granular level of data collection and the complexity of the ecosystem. The real-time bidding auction system at the heart of the internet economy has spawned multiple coordinated GDPR complaints, in which complainants argue that the mechanism effectively constitutes the largest data breach in history.
The ICO has said some adtech players’ behaviour is problematic and may be in breach of data protection law – most notably the industry’s reliance on the GDPR’s “legitimate interest” legal basis for processing data, which it says it does not think is valid. It has also raised questions about how adtech companies collect sensitive data, which requires consent. The ICO says valid consent is likely impossible to achieve as, under the GDPR, it must be informed and specific – a difficult bar to meet when hundreds of actors process data for the service of a single ad.
So far, the ICO has taken the approach of working with the industry, rather than enforcing against it. But these efforts appear to have borne little fruit: GDR found through a freedom of information request that the regulator had spent months in talks with the IAB, insisting on several occasions that the trade body’s transparency and consent framework would do little to assuage its concerns about adtech, only for the IAB to go ahead with the framework anyway.
The regulator has, since then, upped the ante – but only through a series of blog posts by its innovation and technology chief, Simon McDougall, in which he has used increasingly stern language to suggest that industry players who do not fall in line with its recommendations may eventually end up facing the ICO’s wrath. For some, McDougall’s announcements have been the straw that broke the camel’s back; on the same day as his most recent post, Open Rights Group director Jim Killock threatened to take legal action against the ICO for its failure to act against adtech players.
Allen & Overy’s Smith argues the key issue here is pragmatism. “Privacy advocates are one of the pressure points on the ICO – it’ll face pressure from advocates, politicians, the public, the media and from the business community. It has to steer a steady, sensible and pragmatic approach through all that. They won’t satisfy everyone all the time.”
And threats of legal action made against the ICO come with the territory, Smith says. “It’s a public body, it’s subject to judicial review if it isn’t doing its job properly. But its job isn’t to enforce every time there’s a breach – that just isn’t possible.”
Smith’s emphasis on pragmatism is mirrored by ICO officials. McDougall tells GDR that the ICO “stand[s] ready to deal with the problems but it is a hugely complex area. As a pragmatic regulator, we have a duty to build a thorough and robust case for any regulatory action we may decide to take, and all of this takes time”.
“We are using the intelligence gathered throughout last year to develop an appropriate regulatory response and we continue to investigate real-time bidding. It may be necessary to take formal regulatory action and we will continue to progress our work on that basis,” he says.
A new place in the world?
As it battles with its own demons, the ICO is also subject to forces outside its control. The Brexit process, which appears to be finally reaching a conclusion, has many implications for data transfers, with questions about an adequacy decision for the UK still up in the air – doubts made more concrete by a lack of support for UK adequacy from European data protection authorities. But it will also mark an inevitable decline in the UK’s power on the data protection world stage. For all its problems, the ICO is a well-established and well-respected data protection authority, considered to have been a key player on the European Data Protection Board (EDPB). But with the Brexit ball rolling, it has already lost its spot on the board and if it is allowed back into the fold, it is likely to only be on as a non-voting member.
Allen & Overy consultant Smith argues that a diminished role in European data protection may well be replaced with an enhanced position on the international stage. And in response to GDR queries, an ICO spokesperson pointed to its membership of the Global Privacy Assembly, which consists of 130 data protection authorities from around the world – saying that it is “all about international convergence and connectivity”.
However, the reality is that being out of the EU and out of the EDPB also means the ICO will no longer be part of the one-stop shop mechanism, the scheme through which companies benefit from having to deal with just one European data regulator in the country of their main European establishment. Post-Brexit, the ICO will not be able to refer cases elsewhere in the EU as it previously would have, likely adding to its workload – it will also lose access to the EU’s information sharing systems, cited by regulators as an important tool in their investigations.
The effects of Brexit, combined with a rocky couple of years for the regulator, might mean that the ICO’s power is set to wane just as data issues ascend in the public consciousness. What that means for the businesses that fall under its jurisdiction remains to be seen.