The UK Supervisory Authority (the ICO) has had a headline-busting month. On July 9, 2019, the ICO announced its intention to fine Marriott International more than £99 million under the GDPR (General Data Protection Regulation) for a data breach which took place last year,[1] a figure that would have been record breaking had the ICO not announced its intention to fine British Airways £183 million 24 hours earlier.[2] While it is clear that both of these hefty penalties relate to deficiencies in security practices, the actions that paved the way for such draconian fines are yet to be made public (see “Massive GDPR Fine Proposed by UK ICO Confirms Trend of Increased Focus on EU Data Breaches.”)
One thing is clear: the ICO is determined to make its mark on the international privacy stage. This intention is confirmed by its 2018-2019 Annual Report, published on July 9, 2019, covering the period up to March 31, 2019 (the report).[3] Elizabeth Denham, the current UK information commissioner, highlights the ICO’s recent activities and aggressive enforcement in the report, describing the “unprecedented” nature of the year, and underscoring the record-breaking total of monetary penalties generated. This blog post provides a number of the report’s key findings, the trends it highlights, and what it bodes for the future.
Lacking in Resources?
The report details the ICO’s busy year and emphasizes its growth, thereby dispelling any concerns that it lacks the resources to carry out its duties in full. In fact, the ICO increased funding via the mandatory data protection fee, allowing for an increase in its workforce from 505 to more than 700. Anticipating that its workload will only continue to grow, the ICO aims to have 825 employees in 2020.
The sizeable workforce allowed the ICO to tackle numerous projects over the course of the year. In addition to dealing with the large number of data subject complaints (which doubled year-over-year to approximately 42,000), and handling 13,840 data breach notifications (approximately four times the number received in the previous year), the ICO is actively:
- Drafting statutory codes. It intends to present to the UK’s parliament four new statutory codes, including the Direct Marketing Code, the Data Sharing Code, and the Age Appropriate Design Code (setting out how data protection by design should be embedded to provide children the special protection set out in the GDPR).
- Enforcing the Network and Information Systems (NIS) Regulations 2018. These regulations became effective in May 2018, and the ICO has jurisdiction over relevant digital service providers.
- Delivering 2017’s international strategy. The ICO has been forging strong global connections and working relationships, including via strong participation in the EU Data Protection Board and chairing both the International Conference of Data Protection and Privacy Commissioners and the International Conference of Freedom of Information. This will continue to be a strong focus through 2019-2020.
- Facilitating innovation. In March 2019, the ICO opened its privacy sandbox for applications, the first of its kind among supervisory authorities. The ICO has been actively furthering its digital understanding and footprint, including working on guidance on AI, producing its technology strategy, and introducing a wide range of new technology roles.
Record-Breaking Fines
The report highlights the record-breaking year in terms of monetary penalties. Through the end of March 2019, the ICO issued 22 fines totaling over £3 million, a notable amount given that the actions were under the pre-GDPR regime which capped fines at £500,000 (compared to the 4 percent of global annual turnover under GDPR). The ICO is clear that some of these fines would have been higher had the breaches taken place under GDPR.
The report provides interesting statistics on data breach cases. Out of the approximately 12,000 cases closed by the ICO in the period, 82 percent required no further action by the ICO, and only 0.05 percent resulted in a monetary penalty. However, the ICO cautioned that it “will respond swiftly and effectively to breaches, focusing on those involving highly sensitive information, adversely effecting [sic] large groups of individuals, or those impacting vulnerable individuals”. Its most significant powers will be targeted at those suspected of repeated or willful misconduct, or serious failures.
Brexit and Beyond
The ICO is vocal in its hope that continued cooperation with international groups will ensure that UK data protection law is a benchmark for high global standards, allowing it to continue to play a role in the global digital economy and to influence privacy regulation. The ICO emphasizes that this will be even more important given Brexit, and is confident that strong regulatory co-operation will continue, whatever the outcome. It is also optimistic that this will lay the groundwork for international trade deals post-Brexit.
This theme sheds light on both the tone of the report and the flurry of recent ICO activity. If the UK can be a stalwart of the new regime while styling itself as a digital and privacy trailblazer, the ICO can hope, post-Brexit, to retain a level of influence and a place with the other supervisory authorities at the negotiating table.
[1] See the statement from the UK SA.
[2] See the statement from the UK SA.
[3] See the Annual Report here.