The UK's data protection authority has begun publishing details of firms that violated the General Data Protection Regulation (GDPR) but were not fined.
The Information Commissioner's Office (ICO) feels the move increases transparency and demonstrates the regulator's pragmatic approach to GDPR enforcement.
The director of investigations for the ICO stated in December that the organization would begin publishing all reprimands beginning in January 2022, with the exception of situations involving national security and ongoing legal proceedings. Information Commissioner John Edwards stated at the November conference of the National Association of Data Protection Officers that he desired "a predictable approach to enforcement" where "regulating for outcomes, not outputs" is the primary driver.
"The number or quantum of fines is not the measure of our success or failure, nor of our impact," he stated.
"Every regulatory action must be a lesson learned by the rest of the economy and play a role in behavior change," Edwards stated. "... By publicizing and explaining our enforcement action(s), organizations won't be able to rely on the 'I didn't know any better' defense. Our approach to enforcement should not be a surprise, either to other organizations or to the public. Certainty breeds trust."
The majority of recent reprimands involve public-sector groups, which Edwards stated he was hesitant to sanction since it creates a "money-go-round" of public funds traveling between the Treasury and government agencies.
Virgin Media was reprimanded in September for failing to deal with subject access requests quickly enough between July 2021 and April 2022. The ICO suggested that the company hire extra personnel to ensure compliance with future access requests.
Other companies that received reprimands included Allied Health Professionals, which was accused of making patient data available to other health providers without patients' consent; Direct Clothing, where an online customer was allegedly defrauded after a hacker exploited a website vulnerability; and LGBTQ+ dating app Grindr, which allegedly failed to notify users that their personal information could be used by third parties for targeted advertising.
Law experts had conflicting opinions regarding the ICO's strategy.
Emily Carter, information law partner at Kingsley Napley, stated that publicizing reprimands "provides organizations with valuable insight into the areas of focus and concern for the ICO and the circumstances in which formal action will be taken."
The regulator's action "is likely to encourage greater data protection compliance," she said.
According to Eddie Powell, a partner at the law firm Fladgate, such disclosure will improve organizations' GDPR compliance in two ways:
- The greater the number of published ICO findings about breaches, the simpler it will be for businesses to determine what they can and cannot do within the ambit of the law.
- The "naming and shaming" impact of publicizing reprimands should encourage businesses to dedicate adequate resources to compliance in order to avoid unfavorable publicity.
Powell also cautioned that the ICO may come to see reprimands as a means to "quickly deal with complaints on a rough and ready basis."
Becky White, a senior data protection attorney at the law firm Harper James, said the ICO's approach is "unfair." In contrast to monetary penalty notices and enforcement notices, the U.K. GDPR and the U.K. Data Protection Act 2018 do not specify how the regulator should investigate the circumstances underlying the issuance of a reprimand, or whether an organization may appeal one.
"This could leave organizations in the undesirable position of having information regarding their alleged noncompliance made publicly available but without an obvious route to challenge it or make representations to the ICO," said White. "It could also place them—potentially unfairly—on the back foot during the litigation process, where claimants could use the reprimand as a foundation on which to start a claim for compensation."
Abigail Healy, a consultant at Quillon Law, doubts that reprimands will have the desired deterrence effect.
She stated, "Many breaches are fact specific, whether to the organization, individuals involved, or technological processes. Unless third parties actively dive into the detail of a particular reprimand, it is difficult to see how lessons will be learned at first blush."
Healy cautioned that firms may be less motivated to self-report if there is a chance that the potential GDPR violation and compliance failures will later be published. Instead of leaving organizations to work out for themselves what they may be doing correctly or incorrectly, she believes the ICO "would be far better issuing general guidance on trends or developments arising out of the reprimands that need bringing to the attention of other organizations."
By fLEXI tEAM