The International Forum for Responsible Media Blog

Does the Information Commissioner Empower You through Information and Action? Exploring the 2023-24 Enforcement Data – David Erdos

This blog explores figures from the Information Commissioner’s Office (ICO) on its privacy and data protection enforcement in 2023-24 which not only remain concerningly low but are also troublingly inconsistent.

The General Data Protection Regulation (GDPR) and now the UK GDPR require that the ICO issue “effective, proportionate and dissuasive” fines in respect of infringements of general data protection (art. 83(1)). Recital 148 further states that “penalties including fines should be imposed for any infringement” save only that “[i]n a case of minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine”. Moreover, binding Court of Justice Grand Chamber case law emphasises that complaints must be handled “with all due diligence” (at [109]) and, based on such handling (or otherwise), action taken “ensuring that the GDPR is fully enforced with all due diligence” (at [112]). Although the regulatory provisions on data protection in law enforcement and the Privacy and Electronic Communications Regulations (PECR) are less exacting, there is still an expectation that the ICO will effectively monitor and enforce the law and thereby ensure the “strong enforcement” promised both in a general (Recital 7) and a law enforcement (Recital 4) context.

There has long been a widespread and well-founded concern that, despite being one of the best resourced privacy and data protection regulators in Europe with around 1,000 members of staff (p. 136), the ICO has consistently failed to enforce the law in accordance with these requirements and expectations. Instead, the ICO has established a self-styled purpose (directed at controllers as much as data subjects) to “empower you through information”. This is (to say the least) a curious overarching strapline for a regulator whose primary task is to protect personal data.

Be that as it may, at the very least, it might be thought that the ICO would ensure the public availability of clear and transparent information on what its enforcement track-record actually is. This is particularly the case given that the ICO is also the UK’s Freedom of Information (FOI) authority, responsible for policing both the proactive and reactive transparency obligations of all public authorities.

Unfortunately, an examination of the ICO’s 2023-24 Annual Report alongside other published data indicates that this has also been lacking. Although the exact facts remain murky (even after several FOI requests to ICO), it is clear that the enforcement (including complaints-handling) data in this Annual Report (covering the period 1 April 2023 to 31 March 2024) is patchy and somewhat inaccurate.

Looking first at complaints/concerns, page 31 of the Annual Report indicated that the ICO had “finished” 35,332 of these in data protection but page 32 then set out entirely nonsensical figures indicating that “informal action” had apparently been taken in all of these cases but that in a further 39,721 cases “no further action” had been taken (aside from advice). Whilst this was clearly a clerical error, it was even more concerning that (in contrast to the, albeit very minimal, information set out in some previous Annual Reports) no clear information was provided on the subject matter of these complaints or on how many of them were upheld. Unless willing to wade through voluminous datasets, members of the public were left in the dark about these important details.

As regards PECR complaints/concerns, it was equally concerning that the relevant table (at p. 43) relabelled the previously reported “PECR concerns” figures for 2021/22 and 2022/23 as in fact limited to “telesales calls and texts” and apparently revealed that some 22,890 and 20,331 concerns undisclosed in previous Annual Reports had actually been lodged with the ICO concerning “emails” in 2021/22 and 2022/23 respectively.

Turning to concrete enforcement, page 41 stated that in the area of data protection the ICO had delivered “ten enforcement notices” (up from one in 2022-23), “three penalty notices totalling £13,057,500” (up from two in 2022-23) and “five prosecutions and five cautions” for “unlawful obtaining” of personal data (none having been mentioned in the 2022-23 Annual Report).

These figures are extraordinarily low. Tens of thousands of valid complaints concerning organisations are lodged with the ICO each year and many must concern something other than “minor infringement”. But it is plain that the overwhelming majority of such complaints do not result in enforcement action. Meanwhile, regarding PECR, the Report stated that 26 monetary penalty notices totalling £2,590,000 and 26 enforcement notices had been issued. This is also very low.

Given the apparent discrepancies with previous years, further investigation was clearly warranted. There was no systematic information on ICO prosecutions and cautions on the ICO website. Following an FOI request, further information was forthcoming. This stated that just 2 cautions and 4 prosecutions were secured during this year (see Figure 1 to right), directly contradicting the information in the Annual Report. In sum, either the Annual Report itself or the ICO FOI response was incorrect on this crucial issue of enforcement through criminal sanction.

Meanwhile, the ICO’s FOI response refused to provide details on civil regulatory enforcement under either data protection or PECR on the basis that this was all detailed in the Enforcement Action section of the ICO website. However, this database apparently disclosed much lower enforcement figures than in the Annual Report: only 24 enforcement notice actions (only 2 concerning data protection and 1 entirely irrelevant as it related to FOI) and only 23 monetary penalties (only 2 concerning data protection) (see Figures 2 and 3 below and similarly in the Open Rights Group’s ICO Alternative Annual Report).

After several FOI reviews and further probing of the data, the cause of some of these apparent inconsistencies has become clearer. Firstly, it is apparent that on 23 February 2024 the ICO issued materially identical enforcement notices not only to Serco Leisure but also to eight “associated” entities which were seen as joint controllers of the biometric monitoring at issue. This was substantively a single enforcement, was correctly treated as such in the ICO’s own database and was complemented during 2023-24 by only one other data protection enforcement notice (against the Home Office in relation to its GPS tracking of unauthorised migrants). It was, therefore, rather misleading to state that “ten enforcement notices (2022/23: one)” were issued in data protection during 2023-24 without making clear that all but one of these enforcement notices were addressed to the same joint controllers and concerned the same data processing issues.

Turning to data protection fines, the ICO has now disclosed that a £7,500 fine for a data security breach by the YMCA had been issued within the 2023-24 period (on 6 March 2024) but had been misfiled in the database by reference to the date when it was later published (which, being 30 April 2024, was outside the 2023-24 period). Aside from the TikTok fine of £12.7m for alleged violations in the handling of children’s personal data, a single data security fine of £350k against the Ministry of Defence was the only other ICO financial penalty in data protection issued during the entire year, across all sectors. The stark contrast between these figures and the requirements established by Article 83(1) and Recital 148 of the UK GDPR is self-evident.

As regards PECR enforcement, it is now clear that incorrect information was set out in the ICO’s Annual Report and that its enforcement database was incomplete. Information about several monetary penalties and enforcement notices has now been added to the ICO database (approximately a year late, without a monetary amount in one case and in circumstances where the strict criteria for avoiding proactive disclosure are manifestly inapplicable). (As with the other PECR enforcements, these all involve unauthorised calls, emails or texts and so avoided ensuring that the online tracking business models which give rise to grave privacy and confidentiality concerns are brought into line with PECR.)

The ICO’s current position is that the ICO’s Enforcement Database for 2023-24 is now complete and that its Annual Report has overstated the number of PECR enforcements but only slightly. An attempt has also been made to address these inaccuracies (as well as the incorrect table on data protection complaints) on the ICO website. However, as things stand, the divergence appears more substantial with only 2 new enforcement notices and 3 monetary penalties added to the database so far (see Figures 4 and 5 below), thereby indicating that more notices may either still be absent from the database or have been wrongly included within the Annual Report. Furthermore, there are also apparent inconsistencies regarding data protection prosecutions and cautions as well as inconsistencies in previous reports regarding the number of PECR-related complaints/concerns (see above).

The Annual Report is a statutory document which must be presented to Parliament and is subject to strict Accounting Officer certification as regards all its material particulars and not just finances (see p. 88). Given this, once the correct information is made manifest, the Report itself should be rectified.

Beyond this (and notwithstanding the considerable number of well-motivated and qualified people and the accomplished work at the ICO), both the very low enforcement figures and the inconsistent figures for enforcement and complaints handling highlight the profound need for much stronger independent oversight of the ICO’s delivery on data protection and privacy rights. Various suggestions (by myself and others) have been made, including enabling substantive (Information) Tribunal scrutiny of the ICO’s handling of data protection complaints with a public interest rationale and ensuring that the Equality and Human Rights Commission conducts a periodic holistic review of the ICO’s enforcement track-record from a human rights standpoint. It is vital that amendments to the Data (Use and Access) Bill currently before Parliament are proposed and carried to ensure such oversight going forward.

David Erdos is Professor of Law and the Open Society and Co-Director of the Centre for Intellectual Property and Information Law in the Faculty of Law and WYNG Fellow at Trinity Hall, University of Cambridge. He is also an associate member of Matrix Chambers.

Figure 2- All Enforcement Notices (24) disclosed as of 9 October 2024

Figure 3 – All Monetary Penalties Disclosed (23) as of 9 October 2024

Figure 4 – All Enforcement Notices Disclosed (26) as of 5 December 2024

Figure 5 – All Monetary Penalties Disclosed (26) as of 5 December 2024

1 Comment

  1. Martin Brighton

    Thank you for your erudite and concise assessment of the ICO failings. Personal experience, and that of several colleagues, is that the ICO is a willing gatekeeper and gaslighter when it comes to information associated with child sex exploitation (CSE) and holding senior politicians and civil servants to account. The ICO is itself embroiled with court actions for contempt of court, and failing to enforce that very law that the ICO was created to uphold. There appears to be a policy, especially by the ICO CRIT (Criminal Investigation Team), to protect those at the top of government at the time when information about CSE was being suppressed, in so doing preventing the tens of thousands of victims and survivors a potential pathway to closure. The ICO is biased in favour of the Home Office, Police Forces, Public Authorities, and political organisations, even to the extent of continuing to support these institutions when it was proved that each had repeatedly lied about CSE information that by law must be disclosed.

© 2026 Inforrm's Blog
