Categories
DP Regulation

The Gamekeeper’s Fear of the Penalty

 

Amongst the hype over the end of negotiations over the new EU Data Protection Regulation, one theme kept emerging again and again: Big Penalties. It’s understandable that people might want to focus on it. The UK goes from a maximum possible penalty of £500,000 to one of just under £15,000,000 (at today’s Euro conversion rate) or even 4% of a private enterprise’s annual worldwide turnover. Only a fool would say that it wasn’t worth talking about. It’s much more interesting than the bit about Codes of Practice, and it’s easier to explain than the section about certification bodies.

It would be equally foolish to assume, however, that penalties on this scale will rain down from Wilmslow like thunderbolts from Zeus. At the same time as many were talking up the future, the Information Commissioner issued two monetary penalties under the current regime, one under Data Protection (£250 for the Bloomsbury Patient Network) and one under the Privacy and Electronic Communications Regulations (£30,000 for the Daily Telegraph). The £250 penalty is the lowest the ICO has ever issued for anything, while the PECR one is the lowest for a breach of the marketing rules, notwithstanding that the Daily Telegraph is probably the richest PECR target at which the ICO has taken aim.

You could argue that the embarrassment caused to the Telegraph carries an added sting (the ICO has never before taken enforcement action against a newspaper). It’s equally likely that the oligarchs who own the paper will consider £30,000 (£24,000 if they pay up in 35 days) to be a price worth paying if it had the desired effect on the outcome of a very close election. They’ll probably do it again.

In any case, the Bloomsbury Patient Network CMP is much worse. The Regulation calls for monetary penalties to be effective, proportionate and dissuasive, and yet everybody at the ICO thought that a £250 penalty, split between three people, was action worth taking and promoting. The Commissioner himself, Christopher Graham told the DMA in March 2015 that the ICO was not a ‘traffic warden‘, but if the Bloomsbury Three pay up on time, the £66.67 penalty they each face is no worse than a parking ticket you didn’t pay in the first fortnight.

The ICO’s press release claims that the penalty would have been much higher if the data controller had not been an ‘unincorporated association’, but this is irrelevant. The ICO issued a £440,000 PECR penalty against two individuals (Chris Niebel and Gary McNeish) in 2012, while the Claims Management Regulator recently issued a whopping £850,000 penalty against Zahier Hussain for cold calling and similar dodgy practices. The approach on PECR and marketing is positively steely. The problem clearly lies in Data Protection enforcement, and that is what the Regulation is concerned with.

The size and resources of the offending data controller are a secondary consideration; the test is whether the penalty will cause undue financial hardship. The ICO could bankrupt someone or kill their business if they deserved it. The Bloomsbury Patient Network’s handling of the most sensitive personal data was sloppy and incompetent, and had already led to breaches of confidentiality before the incident that gave rise to the penalty. Enforcement action at a serious level was clearly justified. Even if the level of the penalty was high enough to deter well-meaning amateurs from processing incredibly sensitive data, this would be a good thing. If you’re not capable of handling data about a person’s HIV status with an appropriate level of security, you have absolutely no business doing so at all, no matter good your intentions are. Donate to the Terence Higgins Trust by all means, but do not touch anyone’s data. If the ICO lacks the guts to issue a serious penalty, it would be better to do nothing at all and keep quiet, rather than display their gutlessness to the world.

Whoever made this decision cannot have considered what message it would send to organisations large and small who already think of Data Protection as pettifogging red tape, low on the agenda. Is there an organisation anywhere in the country that would consider the slim chance of being fined £66.67 to be a deterrent against anything. A fine is a punishment (it has to cause pain to those who pay it) and it is a lesson to others (it has to look painful to the wider world). The Bloomsbury Patient Network CMP is neither.

Despite the increased expectations raised by the GDPR, the ICO is actually losing its appetite for DP enforcement, with 13 Data Protection CMPs in 2013, but only 6 in 2014 and 7 in 2015. Meanwhile, there have been 24 unenforceable DP undertakings in 2015 alone, including one against Google which you’re welcome to explain the point of, and another (Flybe) which revealed endemic procedural and training problems in the airline which are more significant than the moronic cock-ups that went on at the Bloomsbury Patient Network. Wilmslow is so inert that two different organisations have told me this year that ICO staff asked them to go through the motions of self-reporting incidents that ICO already knew about, because the only way the enforcement wheels could possibly begin to turn was if an incident was self-reported. ICO staff actually knowing that something had happened wasn’t enough. It’s these same timid people who will be wielding the new powers in 2018.

Admittedly, there will be a new Commissioner, and it’s possible that the Government will pick a fearsome enforcement fiend to go after Data Protection like a dog in a sausage factory. You’ll forgive me if I don’t hold my breath. Nevertheless, something in Wilmslow has to change, because the General Data Protection Regulation represents a clear rebuke to the ICO’s DP enforcement approach.

Most obviously, in the long list of tasks in Article 52 that each Data Protection Authority must carry out, the first is very powerful: they must “monitor and enforce” (my emphasis) the application of the Regulation. Someone recently said that in certain circumstances, some organisations require a ‘regulatory nudge’, but the Regulation is much more emphatic than that. The ICO’s preference for hand-holding, nuzzling and persuading stakeholders (especially those where former ICO colleagues have gone to work) is a world away from an enforcement-led approach.

The huge increase of penalties throws down the gauntlet, especially when the ICO has rarely approached the current, comparatively low UK maximum. But the ICO should also pay close attention to the detail of Article 79 of the Regulation, where the new penalties are laid out. Of the 59 ICO monetary penalties, 57 have been for breaches of the 7th principle (security). The Regulation has two levels of penalty, the lower with a maximum of €10,000,000 (or 2% of annual turnover), and the higher with a maximum of €20,000,000 (or 4% of annual turnover). Breaches of Article 30, a very close analogue to Principle 7, is in the lower tier.

Admittedly, the higher penalty applies to all of the principles in Article 5 (which in a somewhat circular fashion includes security), but it explicitly covers “conditions for consent“, “data subject rights” and infringements involving transfers to third countries, areas untouched by the ICO’s DP penalty regime. The Regulation envisages monetary penalties at the higher level for processing without a condition, inaccuracy, poor retention, subject access as well as new rights like the right to be forgotten or the right to object. The ICO has issued a solitary penalty on fairness, and just one on accuracy – it has never fined on subject access, despite that being the largest single cause of data subject complaints.

The Regulation bites hard on the use of consent and legitimate interest, and misuse of data when relying on them would again carry the higher penalty. Most organisations that rely on consent or legitimate interest are outside the public sector, who rely more on legal obligations and powers. Indeed, the Regulation even allows for the public sector to be excluded from monetary penalties altogether if a member state wishes it. Nevertheless, since they got the power to issue them, only 24% of the ICO’s civil monetary penalties have been served on organisations outside the public sector (2 for charities and 12 for private sector).

I doubt the ICO is ready for what the Regulation demands, and what data subjects will naturally expect from such a deliberate attempt to shape the enforcement of privacy rights. The penalties are too low. The dwindling amount of DP enforcement is based almost exclusively on self-reported security breaches. While the Regulation might feed a few private sector cases onto the conveyor belt by way of mandatory reporting of security breaches, it will do nothing for the ICO’s ability to identify suitable cases for anything else. Few ICO CMPs spring from data subject complaints, and anyone who has ever tried to alert Wilmslow to an ongoing breach when they are not directly affected knows how painful a process that can be. The ICO has not enforced on most of the principles.

It’s been my habit whenever talking about the Regulation to people I’m working for to emphasise the period we’re about to enter. There are two years before the Regulation comes into force; two years to get ready, to look at practice and procedure, two years to tighten up. The need to adapt to the future goes double for the Information Commissioner’s Office. Instead of canoodling with stakeholders and issuing wishy-washy guidance, wringing its hands and promising to be an ‘enabler’, the ICO should take a long hard look in the mirror. Its job is to enforce the law; everything else is an optional extra. It’s wise to assume that the wish for total DP harmonisation will probably be a pipe dream; it’s equally obvious that the Regulation will allow for much easier comparisons between EU member states, and the ICO’s lightest of light touches will be found wanting.

Categories
DP Regulation

Things To Come

 

The imminent arrival of the #GDPR, as many have already noted, has resulted in a huge amount of speculation, prediction and scaremongering. Stories of massive fines, a torrent of crippling class action lawsuits, 75000 DPO jobs and the emergence of a new volcano in the fields outside Wilmslow* have all captured our attention. Nevertheless, just when I thought I had heard everything, Lawrence Serewicz proved me wrong.

Mr Serewicz issued, with the certainty of an Old Testament prophet, this astounding claim:

Quick #gdpr prediction. By May 2019 the ICO will have issued more, in terms of number of and amount of, “fines” than in the previous years of the MPN era *combined*.

This might be the wildest prediction anyone has made since the GDPR first dropped from the sky (sidenote: feel free to link me to dafter ones). By my quick and dirty calculation, this would mean GDPR fines in excess of £9million and more than 100 fines between May 2018 and May 2019. This isn’t going to happen. Even in a parallel universe where we had a Commissioner who liked taking action, they couldn’t fire out 100 fines in one year. It is inconceivable.

It is probably fair to say that Mr Serewicz and I do not have a relationship marked by mutual respect or affection, but for once, he has inspired me. The idea of predicting what the first year of GDPR will involve is a brilliant one, and I have decided to have a go.

Below are 12 predictions about the first 12 months of GDPR in the UK. For every one that I get wrong, I will donate £20 to the charity Mind. And here’s where you can join in. Look down the list, and see if you disagree. If you spot a prediction that you think will not come true, let me know – in the comments here, on Twitter, via LinkedIn, or via email. If you are right and I am wrong, I will publicly admit that this was the case on this blog. I will celebrate your perspicacity. But if I am right, and you are wrong, you will donate £20 to a charity of your choosing. You don’t have to do anything else and I will not make fun of you. Nobody makes any money except good causes, but imagine me having to grovel and highlight your superior knowledge in print. If three people say I’m going to get one wrong and I don’t, each one makes their donation, but however many people bet against me, if I am wrong, I just pay one £20 per prediction. I will still praise those who get it right.

I will not be a smart-arse about general comments and reactions on social networking sites – if you want to join in, contact me directly and say you want to take up the charity challenge on one of these predictions.

PREDICTION 1

The total amount of GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 will be less than the total of all DP CMPs up to today’s date.

Yes, this is half of Mr Serewicz’s prediction. Guess what prediction 2 is?

PREDICTION 2

The total amount of GDPR fines (not including PECR and legacy DPA fines)  issued between May 2018 and May 2019 will be less than the total number of all DP CMPs up to today’s date.

PREDICTION 3

There will be less GDPR fines (not including PECR and legacy DPA fines) between May 2018 and May 2019 than between May 2017 and May 2018.

That’s right – I predict the number of fines will decrease in GDPR’s first year of operation.

PREDICTION 4

There will not be a €20 million or UK equivalent fine before the end of May 2019.

I intend no weasel get-outs here – we all know what I mean here. There will not be a maximum possible fine in any circumstances.

PREDICTION 5

There will not be a 4% of annual turnover before the end of May 2019.

As above.

PREDICTION 6

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a €10 million or UK equivalent fine before the end of May 2019.

PREDICTION 7

Thinking about the lower level of penalty i.e. under Art 83(4), there will not be a 2% of annual turnover or UK equivalent fine before the end of May 2019.

PREDICTION 8

No UK public authority will be fined more than £1 million before the end of May 2019.

PREDICTION 9

No UK company will be fined more than £2 million before the end of May 2019.

I want to be wrong on this one as there will be deserving breaches. I don’t think I will be.

PREDICTION 10

No charity will be fined more than £50,000 before the end of May 2019, unless for a security breach.

PREDICTION 11

No GDPR class action case will have been concluded with a total damages payout of more than £1million before the end of May 2019.

PREDICTION 12

Five of the companies registered on Companies House today with ‘GDPR’ in their name, or a company name whose initials spell ‘G D P R’ will no longer be offering Data Protection services in May 2019.

BONUS ROUND

These ones just for fun as they cannot be measured

  • the number of people describing themselves as ‘Certified GDPR Practitioners’ on LinkedIn will be half what it is now
  • nobody will change their profile to say ‘Certified GDPR Practitioner’ on LinkedIn during May 2019
  • the ICO will still be asking for more staff
  • we will all wonder what all the fuss was about

AND FINALLY: do you have a prediction in the style of those above? If you do, let me know what it is. If I get at least five predictions (and a maximum of 10, I’m not made of money), next month, I will write another blog made of reader suggestions. If this comes off, I will say whether I agree with them or not, and if I disagree with them, it’s another £20 to Mind from me for every one that I get wrong. But contributors must promise that if they get it wrong, they will pay the £20.

This will go wrong in one of two ways. It will capture people’s imagination, and I have given myself a shedload of admin. Or nobody will care, and nobody will join in. But we’ve all read a pile of predictions since all this GDPR nonsense started. Let’s have a bit of fun, and raise a little bit of money for charities at the same time.

 

* In 2017, anything is possible.