The UK Information Commissioner's Office (ICO) has launched a major consultation on three draft documents setting out its regulatory approach: an overarching Regulatory Action Policy, Statutory Guidance on Data Protection Act 2018 Action and Statutory Guidance on its powers under the Privacy and Electronic Communications Regulations (PECR). These documents would replace the ICO's Regulatory Action Policy produced in 2018, which sat under its 2017-2021 Strategic Plan but has yet to be updated.
Although this is not made explicit, adoption of the new PECR guidance would also supersede (as regards PECR) the ICO's guidance on the issuing of monetary penalties under the Data Protection Act (DPA) 1998, which was last updated in 2015. Members of the public have until 24 March 2022 to submit their responses. The ICO previously consulted on a stand-alone version of its Statutory Guidance on Data Protection Act 2018 Action in the autumn of 2020. It now states that final versions of all three documents should be expected by the end of the year and that “the Statutory Guidance documents must also be ratified by the Secretary of State … before being laid to Parliament”.
This last statement raises some complexities which merit further analysis. Under Section 161 of the DPA 2018, the first version of the Section 160 guidance on how the Information Commissioner intends to exercise their principal DPA 2018 powers must be submitted to (although not ratified by) the Secretary of State, who must then lay it before Parliament for approval under the negative resolution procedure. However, the 2018 Regulatory Action Policy already set out Statutory Guidance of this kind (pp. 15-29) and stated that this had been issued to fulfil the “statutory obligation” under Section 160 of the DPA 2018 (p. 5). The issuing of replacement guidance would not therefore appear liable to re-trigger these special procedures. Meanwhile, the apparently strange reference to the DPA 1998 in relation to PECR is correct: under paragraph 58 of Schedule 20 to the DPA 2018, the DPA 1998 anomalously remains applicable to pure PECR enforcement action (notwithstanding proposals in Data: A New Direction (p. 81) to replace this with DPA 2018 provisions). Section 55C of the DPA 1998 provides that any guidance here, including any replacement, must be approved by the Secretary of State but not by Parliament (although it must still be laid before the latter).
The new drafts are generally much more extensive than the existing documentation. The only exception is the PECR Statutory Guidance, which (in the area of PECR) will replace wider guidance that also dealt with processing governed by the DPA 1998 itself. In sum, the 29 pages of the existing Regulatory Action Policy would be replaced by a new Policy of approximately 45 pages alongside 38 pages of additional Statutory Guidance. Many aspects of the guidance have been expanded. However, comparing the general sections of the current and proposed Regulatory Action Policy, what stands out is that the latter includes much greater coverage of the wider legal obligations of the ICO, including to have regard to the desirability of promoting economic growth (under the Deregulation Act 2015), to support and engage with those subject to regulation (under the Regulators’ Code) and to act in the best interests of children (as per the Children Acts 1989 and 2004). There is also significantly more on the ICO’s international engagements, something which might be considered somewhat ironic given that the Office has now lost membership of what is unquestionably the most important transnational body within information rights regulation, namely the European Data Protection Board.

Turning to compare the current and draft Statutory Guidance on the DPA 2018, the most significant proposal (pp. 28-31) is to introduce a starting range for assessing UK GDPR penalties calculated by reference to a controller’s annual global turnover (or, in the case of non-commercial actors, equivalent finances). These would range from 0-0.5% of turnover for infringements of a low level of seriousness concerning those parts of the UK GDPR where the final cap (as regards undertakings) is 2% of turnover, and rise to 3-4% for infringements of a very high level of seriousness as regards those provisions where the maximum is 4% of turnover.
The final level of any fine would additionally take into account a wide range of other aggravating and mitigating factors, ability to pay and any economic impact. As with the existing DPA 1998 Statutory Guidance, the Statutory Guidance on monetary penalties under PECR (which are in any case capped at £500,000) would remain grounded purely in a broad factors-based approach.
It is more difficult to discern whether this draft guidance would signal movement in the ICO’s basic regulatory stance, which has (in)famously come to focus on a predominant use of soft advisory and persuasive tools allied to a highly selective and discretionary resort to more formal enforcement action. The draft Regulatory Action Policy’s new focus on ensuring economic growth, and its statement (p. 14) that proportionality and effectiveness must be adhered to only when actively undertaking enforcement action (rather than, as at present, as regards all regulatory action (p. 5)), could point to an even more light-touch approach. On the other hand, the new Policy does not repeat the current mantra that “[w]e will adopt a selective approach to the action we take” (p. 10), and the draft Statutory Guidance on UK GDPR Penalty Notices likewise does not state, as the current guidance does, that “[i]n the majority of cases we will reserve our powers for the most serious cases, representing the most severe breaches of information rights obligations” (p. 24). These omissions would be compatible with the adoption of a more comprehensive and rigorous approach to enforcement. As currently drafted, however, there appears to be no clearly discernible centre of gravity to the relevant changes.
What is clear is that there is growing disquiet amongst information rights campaigners about the ICO’s basic approach to enforcement. This has been fuelled by growing concerns about serious and systematic infringement of data rights, especially online (concerns which to a significant extent have been backed up by the ICO itself), by the ICO’s extremely limited track record in undertaking formal action to address this, and by the fact that the UK GDPR and the case law appear to set out much more robust expectations. Indeed, turning to the latter, Recital 148 of the UK GDPR even states that “penalties including administrative fines should be imposed for any infringement of this Regulation”, caveating this only with the rider that “[i]n the case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”. Judgments such as Google Spain (2014), Schrems I (2015) and Schrems II (2020) have similarly emphasised the need for comprehensive use of enforcement powers. In contrast, the Open Rights Group found in January 2021 that, since the GDPR became applicable in May 2018, the number of ICO GDPR and PECR penalty notices issued other than in relation to direct marketing was just four (and the grand total was merely 15), while the number of enforcement (i.e. injunctive) notices was 12 (with a grand total there of only 35). Albeit with little effect to date, this organisation (in cooperation with others, including MPs) has repeatedly argued that the ICO is failing to “do its job and enforce the law” and needs to correct that.
If nothing else, the lengthy period of the current consultation, coinciding as it does with the start of the term of the new Information Commissioner, John Edwards, may indicate a renewed willingness on the part of the ICO to engage with sceptical voices. The Open Rights Group and other bodies representing the interests of data subjects should therefore ensure that they engage fully in this important exercise.
Dr David Erdos is Co-Director of the Centre for Intellectual Property and Information Law and WYNG Fellow in Law at Trinity Hall, University of Cambridge