When will the ICO use the maximum GDPR fines available?

With Facebook fined a paltry pre-GDPR sum, and the ICO traditionally reluctant to use its powers to the full, is there a danger that organisations will take data security less seriously?

Facebook has been fined £500,000 for its part in the Cambridge Analytica scandal, where an app used its platform to harvest the data of 87 million individuals, which was subsequently used to attempt to influence the 2016 US presidential election, and the UK's Brexit referendum.

The internet quickly erupted with a slew of jokes and memes concerning the futility of handing out a penalty of that size to the social media giant.

For reference, Facebook made £500,000 every five and a half minutes in the first quarter of 2018.

Are we right to scorn the Information Commissioner's Office, the UK's data protection regulator, for the size of the fine?

In this case the £500,000 represents both the largest fine it has ever handed out, and the maximum allowable under the Data Protection Act, since the larger fines allowed by the EU's General Data Protection Regulation (GDPR) weren't in force at the time of the scandal.

However, the ICO has proven itself persistently reluctant to hand out fines of any sort, rarely venturing anywhere near the upper end of the scale.

Crime and Punishment

'If he who breaks the law is not punished, he who obeys it is cheated. This, and this alone, is why lawbreakers ought to be punished: to authenticate as good, and to encourage as useful, law-abiding behavior,' wrote psychiatrist Thomas Szasz in his 1973 book Punishment.

But is punishment, in this case of the financial sort, always useful? That's one of the persistent questions facing the UK's data protection regulator, the Information Commissioner's Office (ICO).

The ICO now has powers to fine organisations up to four per cent of global turnover of the parent company (up to £17 million) under GDPR. Will it start handing out more severe penalties given the latest rash of data breaches?

There has been a raft of scaremongering from various sources over the new fines, with some suggesting that the ICO will look to make examples of some of the early transgressors of the GDPR.

Looking at the regulator's history, that seems unlikely.

It first received its original powers to fine in April 2010, but eighteen months later it had still issued only six penalties, with a combined total of around £450,000.

The scarcity of fines could lead observers to conclude that no one is breaking the rules, but the sad truth is that organisations are continuing to leak confidential data as often as ever, due to a mixture of negligence, incompetence, under-investment and plain bad luck.

So will the ICO use this opportunity to start flexing its muscles, to force organisations to take security and privacy more seriously?

Information Commissioner Elizabeth Denham suggests not.

"It's true we'll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It's also true that companies are fearful of the maximum £17 million or four per cent of turnover allowed under the new law.

"But it's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm.

"The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.

"Issuing fines has always been and will continue to be, a last resort. Last year (2016/2017) we concluded 17,300 cases. I can tell you that 16 of them resulted in fines for the organisations concerned.

"Predictions of massive fines under the GDPR that simply scale up penalties we've issued under the Data Protection Act are nonsense.

"Don't get me wrong, the UK fought for increased powers when the GDPR was being drawn up. Heavy fines for serious breaches reflect just how important personal data is in a 21st century world.

"But we intend to use those powers proportionately and judiciously. And while fines may be the sledgehammer in our toolbox, we have access to lots of other tools that are well-suited to the task at hand and just as effective."

And in February 2018 she gave a speech in which she again espoused the virtue of working with organisations, rather than fining them.

"The ICO is a risk-based, proportionate regulator. Yes the GDPR gives me greater sanctions and tools for those that flout the law - those that play fast and loose with the personal data that's been entrusted to them.

"But there is a carrot as well as a stick. And I have always preferred the carrot.

"At the ICO we love an e-word. Yes enforcement is in there - but it comes after education, engagement and empowerment.

"We want organisations to get this right. Because if I am to achieve my aim of improving public confidence in the way their personal data is handled then I have to take defensive action. Prevention is better than cure."

This will be music to the ears of business and technology leaders who fear the prospect of millions of pounds worth of fines coming their way.

Speaking to Computing in 2011, Paul Brocklehurst, then CIO of Surrey County Council, which had just been on the receiving end of a £120,000 fine, described the penalty as unhelpful.

"Training and education is the best way to prevent data breaches," said Brocklehurst. "And we could have funded more of both if we hadn't been fined. We take data protection incredibly seriously and the fine hasn't really helped."

Then again, it is always going to be a tall order to find a firm which professes to enjoy being fined.

Will the ICO ever hand out larger fines?

So what are the scenarios, if any, in which the ICO would be inclined to use its powers to the full?

Deputy Commissioner James Dipple-Johnstone recently laid out some scenarios in which larger fines could appear, speaking about the regulator's Regulatory Action Policy as it went out for consultation earlier this year.

"We'll respond swiftly and focus on those cases involving highly sensitive information, lots of people or vulnerable people.

"We'll be effective, proportionate, dissuasive and consistent. We'll target our most significant powers on repeated, wilful or serious failures to take proper steps to protect personal data and deliver information rights. Our formal regulatory action will serve as an important deterrent where it needs to.

"We will take proportionate action and exercise our discretion as to when, how and to what extent enforcement action is needed.

"We will look at each case on its own merits. We'll look at the features and context of each case. And, this is important, we will focus on areas of greatest risk to people - potential or actual harm.

"We will reserve our strongest sanctions for breaches that present a high intrusion into people's privacy, a repeated failure to meet rights or wilful acts to harm citizens.

"The more serious, high impact, deliberate, wilful or repeated breaches can expect the most robust response."

And here again is Elizabeth Denham, speaking in April: "Hefty fines will be reserved for those organisations that persistently, deliberately or negligently flout the law."

So it seems a single transgression is unlikely to incur the full wrath of Denham and her crew, perhaps unless it involves especially vulnerable people, or especially sensitive data.

What does the GDPR say about fines?

The GDPR itself outlines the elements which should be considered by regulators when deciding whether to fine and how much, in Article 83(2). These elements include the impact of the infringement, the number of data subjects affected, the damage suffered by them, and the types of personal data affected by the infringement.

The behaviour (current or past) of the infringing organisation will also be taken into account.

"When taking into account past conduct the ICO will look into adherence to approved codes of conduct, whether there have been any relevant past breaches, and how the controller or processor has previously reacted to any action by a supervisory authority," wrote Fred Allen, associate at law firm Kingsley Napley.

"When examining conduct which led to the infringement the ICO will look into whether the infringement was negligent or deliberate, the purpose of the processing that led to the infringement, and the degree of responsibility of the controller or processor. It will also consider whether and to what extent the controller notified them of the infringement, any action taken by the controller to mitigate damage to data subjects, and the degree of co-operation with the ICO.

"Organisations or individuals with comprehensive plans and policies in place to prevent infringements and to deal with any infringements that occur will benefit when it comes to the ICO's assessment of the level of corrective measures. Those that deal openly, efficiently and constructively with the ICO are very unlikely to face the maximum fines."

The deterrent of the larger fines brought by GDPR is certainly useful, with the £500,000 maximum penalty under the DPA making a mockery of the law where larger enterprises are concerned. It's unlikely that Facebook or its shareholders are palpitating at the thought of losing five and a half minutes' worth of revenue for its part in what was certainly a lucrative, if shady, business practice.

What is the law worth without enforcement?

But not everyone is comforted by the prospect of a restrained regulator.

Alexander Hanff, Co-Founder & CEO of data protection training provider and pressure group Think Privacy AB, says that a persistent light touch encourages organisations to take the law less seriously.

"The situation with ICO and enforcement is an old one and has been problematic for just as long. One of the issues with taking a light handed approach with enforcement is that it leads organisations to become complacent and does not incentivise organisations to take a strong stance on data ethics and compliance.

"Indeed, I see this almost daily with organisations asking what the 'risk' of an enforcement penalty is and they evaluate whether this risk is significant enough for them to comply; and I know I am not the only professional who sees this.

"Also, in my campaigning over the years I have personally been frustrated by ICO failing to take robust (or any) enforcement action over serious compliance breaches (including criminal breaches of RIPA).

"This undermines the fundamental rights of data subjects and one could even argue that this light handed approach has a direct consequence of diminishing those rights. This in turn leads data subjects to question the independence and efficacy of ICO; and ICO have often been seen as being captured by the very industries they are supposed to regulate."

"One cannot help but wonder if we would have scandals such as Cambridge Analytica had ICO been much more robust in their enforcement of the DPA and PECR [Privacy and Electronic Communications Regulation], instead of repeatedly failing to take any action against offending corporations.

"They failed to hold Phorm to task for their criminal violations of PECR; they failed to take Google to task for their criminal violations of PECR (the Streetview WiFi scandal) and they reversed their own advice on the changes to PECR in 2012 on cookies after Google asked DCMS to bring ICO in line. At the time, ICO (who are supposed to be independent of Government) were consulting DCMS internal legal counsel on how PECR should be interpreted and enforced - a clear breach of their legal status.

"Is it any wonder then, that we have such widespread and pervasive data protection and privacy compliance issues?

"So yes it is a problem but sadly it is unlikely to change any time soon."

The ICO should not be scared of the prospect of enforcing larger fines, or perhaps of relaxing its requirement that there be persistent or wilful behaviour.

After all, suggesting that organisations need to break the law several times before they're punished is dangerous - like giving organisations at least one free pass.

The purpose of punishing organisations who misbehave is in part so that those who remain within the law aren't out-competed unfairly, and to incentivise others to keep to the straight and narrow.

However, there is one last quote we should keep in mind, this time from Friedrich Nietzsche in his philosophical novel 'Thus Spoke Zarathustra': 'Distrust everyone in whom the impulse to punish is powerful!'