Recent policy announcements and action by the Information Commissioner’s Office (“ICO”) have shown a relaxation in its approach to fines against public sector organisations for breaches of data protection law and regulations. We explore below whether we are likely to see a similar approach taken with private sector organisations, particularly as the UK enters a recession. The answer from recent ICO enforcement action appears to be that there will be no relaxation in fines for private sector organisations, in spite of economic headwinds.
Public sector organisations: a change in policy
In June 2022, the ICO issued an open letter to the public sector indicating a change in direction when issuing fines to public sector organisations. Underpinning the policy (which will run for two years) is a commitment to reduce the level of fines to the public sector. The ICO’s reasoning is that large fines do not deter the public sector in the same way that they deter the private sector, where they hit profits and shareholders. At the same time, the fines are paid from the public purse, diminishing the funding available to public sector organisations to perform their core functions. Hence, those who are impacted by a breach are, so the ICO says, hit twice. At the same time, the ICO has received assurances from the public sector of a greater focus on compliance.
That is the theory. We wait to see whether compliance outcomes in the public sector improve through to the Summer of 2024.
The implementation of the ICO’s new policy
The theory is already being applied in practice. In November 2022, the Department for Education (“DfE”) was issued with a reprimand for sharing the data of up to 28 million children with a private sector organisation which then used that data for age verification of individuals visiting gambling sites. It is difficult to think of a more serious breach given the nature and volume of the data concerned. The ICO indicated that had it not had its new policy in place it would have fined the DfE over £10 million.
The policy is even being applied retrospectively. Also in November 2022, the ICO announced that it had settled a dispute with the Cabinet Office over the release into the public domain of the personal addresses of those listed in the 2020 New Year’s Honours List. The Cabinet Office was appealing against the fine of £500,000 and, as part of the settlement, the ICO reduced it tenfold to only £50,000, partly recognising the current economic pressures that public bodies are facing (and which appear likely to worsen imminently).
The private sector position: the TikTok fine
There is no sign that the ICO will take a more relaxed approach with the private sector. In September 2022 the ICO issued a Notice of Intention to fine TikTok £27 million for alleged failures to protect the data of children using the TikTok platform. The alleged failings included a lack of parental consent, a lack of transparency in relation to what was being done with the data, and a lack of any basis for processing special category data. Contrast this with the leniency shown to the DfE.
Will a recession make a difference?
Given that the ICO recognised in the Cabinet Office settlement the current economic pressures that the public sector is facing, will similar allowances be made for the private sector? Again, the answer seems to be “no”. In October 2022, the ICO issued Interserve, a group of construction companies, with a fine of £4.4 million. This was for failings in relation to a cyber-attack which impacted the data of 113,000 current and former employees. Under its Regulatory Action Policy (“RAP”) the ICO has discretion to reduce fines based on an organisation’s ability to pay. Interserve failed to convince the ICO that it was unable to pay the fine.
Warning signs for the future
As the recession takes hold, so spending on the renewal of IT infrastructure, compliance and data security is likely to come under increasing pressure. This is in the teeth of expanding ransomware attacks. Couple this with a tightening insurance market, where organisations are increasingly choosing not to take out cover due to increased premiums and excesses and reduced cover, and we seem to be heading into very choppy waters. Whilst organisations might feel heartened by the declining risk of litigation post-breach (see our latest article on this here), there are no signs that the ICO will be more lenient on sanctions for the private sector or that the potential reputational damage of breaches will diminish. Those involved in compliance in the private sector are likely to need to fight harder for investment and resources to avoid the attention of the ICO.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2022