Speculation has begun to grow in some quarters that the Information Commissioner’s Office (ICO) has given up on protecting individual privacy rights during coronavirus.
It began with the ICO’s own blogs and guidance via its website about its regulatory approach during the pandemic, leading to a perception of an amnesty; it grew anecdotally, as response times dropped and data protection complaints went unanswered; then in April and May we learned that fines in major breach investigations were being delayed further, alongside official confirmation that the ICO’s high-profile AdTech investigation was to be deferred.
This led the Open Rights Group (ORG) to seek clarification from the regulator, and influential tech magazine Wired to publish an article last month asking the same question posed by this article: has the ICO given up? This piece seeks to look at the truth behind the headlines, based on what can be objectively verified and also observations from our practical experience.
Where have the recent rumours come from?
The recent Wired piece placed heavy reliance on excerpts from a letter allegedly sent by an ICO case worker in response to a complaint, which included the following statements: “the coronavirus pandemic is putting unprecedented pressure on all organisations and a great many are either suspending activity or having to prioritise resources…. We have therefore decided not to take forward any complaints that require organisations to take action or respond to enquiries from us until the situation improves.” [emphasis added]
Is this too good to be true for organisations? Well, assuming the extract is accurate, we lack any real context for this complaint: ICO case workers do vary considerably in experience and approach, and the wording seems too loose to set a general precedent. But it is important to look at what current stated policy, and the lived experience of practitioners, actually looks like.
What has the ICO actually said?
The ICO first put out a Q&A in March, which opened with the question many organisations were asking: “During the pandemic, we are worried that our data protection practices might not meet our usual standard or our response to information rights requests will be longer. Will the ICO take regulatory action against us?” To this, the answer was a reassuring, straight “no”. The ICO acknowledged that diverted resources and new priorities would see changed approaches and understandable delays in dealing with subject access requests, for example; so while it could not change the law, or statutory deadlines, it would not be reaching for its enforcement powers in such cases.
A further, more detailed document on its regulatory approach during coronavirus nuanced the position somewhat, but also confirmed that it may advise individuals who referred concerns to wait longer than usual and “bear with” organisations; or that it might “resolve the complaint without contacting an organisation”, which again suggests no action taken. It also confirmed that it would consider “the economic and resource impact” of any new guidance, delaying as necessary unless the matter posed a high or urgent risk to the public.
What is the day-to-day enforcement looking like?
There was certainly a perception of slower response times even before lockdown, drifting out to three months according to one case worker we spoke to. Then the pandemic struck, and many of our clients have experienced long silences: not simply organisations waiting to get the dreaded ICO letter, but complainants too.
The evidence from our own clients suggests that the ICO is still contacting data controllers about concerns – with a slight recent uptick in activity – but overall our experience does support suggestions of a slowdown during lockdown.
Existing low-level investigations saw long delays from February through to May before being finally resolved without specific action taken; new complaints went unacknowledged, or eventually resulted in requests for further information three or four months in. So what does this mean for regulation?
The ICO’s usual “peace time” policy is to look into every concern, even comparatively minor ones (with no great or likely risk to individual rights and freedoms). Sometimes this does stretch its resources, especially when acting as a go-between in the middle of a relatively petty but factually complex dispute. Typically the ICO may be drawn in where a concern about use of personal data is – as is so often the case – a hook on which to hang some wider claim or complaint between the parties, over which the regulator may have no jurisdiction.
Frankly then, with more than one in four staff still furloughed in many sectors, it is a matter of common sense that the ICO would not prioritise minor cases and individual grievances. It has instead focused on messaging about data security in remote working, and organisations not taking advantage of the circumstances to breach rights for private gain.
What about its major cases and investigations?
The ICO announced in April it had “stood down [all its] audit work, recognising the economic impact on organisations…” – and of course noting its own difficulties in getting investigators on-site. It is hardly surprising that this would have impacted some of the bigger cases.
The more political issues are perhaps the most interesting: the much-vaunted investigation into the use of targeted advertising and real-time bidding on websites, now deferred; or the long-delayed BA / Marriott data breach fines (with rumours that they will be much reduced). On the face of it these are the sorts of major issues that the ICO said it would be concentrating on, and no further on-site audit work ought to be required to progress them.
However, one has to acknowledge that the economic goalposts have moved: both for under-siege sectors such as travel and hospitality, and for a publishing industry long struggling with digital revenue models. Even before COVID-19, the ICO was already having to face down some quite significant sector lobbying. It would be problematic messaging now for a regulator sponsored by DCMS to hand out mega fines at a time when cashflow has dried up; or to push forward new AdTech guidance that made it harder by orders of magnitude for publishers to monetise their websites and customer base. Both could even lead directly to job losses.
So has the ICO downed tools?
Absolutely not. In fact the ICO has been quite active during lockdown, but its focus has been on specific issues of guidance, help and advice related to coronavirus.
It has a dedicated coronavirus hub on its website; it has hammered home messaging about data security and best practice in working from home and video conferencing; it has released specific guidance on returning to work, including workplace testing (see our recent Q&A here) and surveillance (on the back of its comparatively recent specialist DPIA designed for such purposes); and it has issued clear warnings to COVID-19 scammers. At the same time it has reminded organisations that data breaches still need to be reported within 72 hours, although it has promised an “empathetic and proportionate” approach where appropriate.
In truth, ICO messaging to commercial organisations has been mixed: a blend of “stay alert” and “carry on complying”, softened by a forgiving approach to deadlines and enforcement. But sectors like healthcare and local government / state schools have received more direct reassurance (e.g. recent tweets from @ICOnews telling them, in so many words, not to worry about subject access deadlines). In other words, enforcement will be proportionate, focused, and targeted according to risk and resources – as it should ever be, with effective regulation.
Where does this leave us?
On balance this does seem to be a fair and necessary position for the regulator to take.
None of which means compliance is less important. Individuals are still exercising data subject rights; we have Brexit and major CJEU decisions on international transfers (with Schrems II due on 16 July); we have the risk of individual and group claims arising from data breaches and GDPR contraventions, especially if easy and effective recourse is not being offered by the regulator. Moreover, just because the ICO has a significant backlog does not mean that it will not – in due course – get around to looking back over its casebook and progressing the complaints that really matter.
Above all, the benefits of data protection compliance – and the risks of non-compliance – have never been limited to the role of the regulator. Aside from the powers of courts and the direct rights of individuals, it is fundamentally a commercial issue for organisations: now as much as ever. Do we properly understand the data in our organisation? How can we use it lawfully to best advantage to help rebuild our business? If we are selling or taking emergency investment, how can we ensure our business CRM would pass due diligence? Do we retain the trust of our customers or stakeholders? How would we cope with the financial and reputational consequences of a data breach at this time?
At a time of widespread remote working and increased use of health data by organisations, it is natural that organisations would prioritise cashflow, jobs, even survival – but the GDPR risks are still there, sitting quietly under the major practical challenges we are all facing. They need to be factored into every risk assessment because, if they are ignored, then the ICO may be the least of an organisation’s worries.
If you require further information about anything covered in this briefing, please contact Owen O'Rorke, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, June 2020