Categories
Elizabeth Denham

Going Unnoticed

 

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. In the light of many GDPR ‘experts’ confusion about when fines are real or proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users data was used for campaigning. As an aside, this means that ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate“), it could have been, so there. I’ve spent years emphasising that the incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. ICO’s argument is that UK users data could have been abused for political purposes even though it wasn’t, and the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though both the barrister and historical society breaches involved very limited numbers of people but were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?

Categories
Elizabeth Denham

Taking the piss

 

On page 74 of the Information Commissioner’s newly published Annual Report, you can find the welcome news that the ICO reduced the amount of water in flushing toilets and the timings of auto flushing in urinals. Sadly, the expansion of the organisation’s footprint in Wilmslow, due to swelling numbers of staff, has led to an increase in overall emissions (insert your own joke). There is an abundance of other information about other environmental issues, including paper consumption and car journeys,

Strangely, if you look for information about one of the landmark events of UK Data Protection in 2019 – 2020, there is no sign. In December 2019, the Information Commissioner issued its first ever penalty under the General Data Protection Regulation against a company called Doorstep Dispensaree. Several pages of the report are taken up illustrating “The Year in Summary”, and the only thing mentioned for December is the launch of a consultation about AI. It’s not that the ICO had so many things to report on; one of the highlights for June 2019 was “The Information Commissioner makes a speech at a G20 side event in Tokyo“. Odd that an event which is very much the ‘only invited to the evening do’ of international speaking gigs makes the cut, but the first and so far only UK GDPR fine does not.

There are several reasons for this, I believe, all of which go to the heart of what is wrong with Elizabeth Denham’s disastrous term as Commissioner. The first is Denham’s vanity, mistaking public appearances and headlines for actual achievements. Allied to her Kim Jong Un tendencies is the prioritisation of international work and pet projects over the basics of regulation. Finally, there is a fundamental dishonesty at play – it should be deeply embarrassing for Denham that she hasn’t made a serious attempt to enforce the GDPR in two years. Because it is evidence of this failure, Doorstep Dispensaree (a solid and encouragingly detailed enforcement case that should have been the ICO’s bread and butter during this period) is written out of the story. It didn’t happen.

Most of the report is a soup of meaningless buzzphrases, presumably designed to disguise the hollow nature of what is being described. There have been “deep dive sessions” with the “most significant Digital Economy Stakeholders“, an “Innovation Listening Tour” and an “Innovation Hub”, which the ICO hopes to open up to “innovative organisations” like “catapults” and “incubators“. I think all of this that they’ve had lots of meetings; the outcomes are impossible to identify beyond wonderful “engagement“, a word which appears 22 times (‘penalty‘ appears 4 times).

It is possible to identify a couple of interesting themes. One is the ICO’s determination to support capitalism and The Man. One of the main strategic goals is “enabling innovation and economic growth“, while another is increasing trust and confidence in the way personal data is used. These are not regulatory outcomes, they are economic goals. Actual enforcement of the law is demoted to the fifth out of six goals. The ICO has established a team of people to work on the economic growth agenda, led by a Head of Economic Analysis seconded from an organisation that Wilmslow has decided we don’t need to know the name of.

The other obvious strand is both depressing and familiar, especially to an ICO refugee of such ancient vintage as myself. The joke in the ICO when I was there (2001 – 2002, fact fans) was that it didn’t matter that we never took action because “thinking is doing”, a phrase attributed to Francis Aldhouse, the Deputy Commissioner at the time. Thinking is Doing paralysed the ICO for years, but the spell was broken first by the impossibility of ignoring the cycle of security breaches begun by HMRC’s lost discs, and then by Chris Graham. For all his flaws, Graham revolutionised the ICO by allowing his staff to demolish the shameful FOI backlog and embrace the penalty powers that the lost discs fiasco gifted to Wilmslow.

Thinking is Doing is back. Doorstep Dispensaree (a thing that happened) doesn’t warrant a mention, but the BA and Marriott penalties (things that did not happen) are mentioned approvingly because they “received a large amount of media attention

One of the case studies in the Annual Report covers the ICO’s investigation into Ad Tech. After a flurry of meetings, press releases and agreeable dinners at Cibo, the ICO was supposedly poised to rewrite the internet, but instead, the Executive Director of Shiny Things Simon McDougall promised that whatever they did, ICO would not to spoil the ad industry’s Christmas. Then, when Covid-19 gave him cover, he dropped the whole thing like a stone. McDougall is paid between £115,000 and £120,000 per year, and his contract has been renewed until July 2021, for reasons I cannot begin to understand.

The closer that the report gets to reality rather than Denham’s preoccupations with politics and online harms, the harder it gets to spare her blushes. The report cites 236 instances of “regulatory action“, but it’s really hard to work out what this means. Of that total, just 15 are fines, 7 are enforcement notices, and 8 are assessment notices (i.e. mandatory audits). There are 8 prosecutions and 4 cautions. 54 of the “regulatory actions” are in fact information notices, which do not represent action at all.

An Information Notice is an investigatory tool which might led to action, and might not; in itself, it’s just demanding information. What are the other 139 “regulatory actions“, and why doesn’t the Commissioner what to admit what they are? Has there been a blizzard of warnings and reprimands that are being kept secret? Or, as the inclusion of information notices denotes, is the maths necessary to create the 236 more akin to gymnastics?

The report boasts of ICO intervention in a number of court cases, and happily sets out their successful involvement in the Elgizouli case. It’s a sign of how thin-skinned Denham’s ICO has become that they can’t bring themselves to admit that in the other two cases they cite (the challenges to South Wales Police’s use of facial recognition and the DPA’s immigration exemption), they backed the losing side.

In the end, the figures don’t lie. The toilet flush numbers are encouraging, but other information is less reassuring. The ICO set itself a target of resolving (i.e. closing) 80% of complaints within 12 weeks. Despite receiving less complaints than in the previous year, gaining 100 staff and receiving a massive boost in funding, they managed only 74%. 84 cases are more than a year old. Despite 46% of complaints received being about subject access, the ICO took no enforcement action against subject access infringements in the period.

Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a “proportionate and practical regulator” – it’s far from where it should be, achieving nothing but emissions of hot air.

Denham’s foreword has an almost valedictory tone. There’s a strong effort to defend the ICO’s determination to spend time on anything as long as it isn’t related to the UK, but the final thought is about how Denham thinks she has achieved her objective of transforming the ICO into “an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm“. While what she’s actually done is hollowed out a passable regulator and turned it into an ineffective, politically biased think-tank, the only positive thing I can take away from this annual report is the hope that if Denham thinks it’s mission accomplished, she will move on to pastures new. Hopefully her successor will have some experience at putting out fires.