In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions: 15 monetary penalties, ranging between £2k and £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. That last action followed a ransomware attack; although the controller was itself the victim of a malicious cybercrime, it was penalised for failing to address known vulnerabilities and to stop the ransomware attack in time.
Infringements of direct marketing rules have accounted for the majority of the ICO’s enforcement actions since the entry into force of the Privacy and Electronic Communications Regulations (which originate from the EU e-Privacy Directive). However, ICO fines for such infringements have traditionally been relatively low compared to those imposed by other data protection authorities, such as the Italian Garante or the Spanish AEPD, whose fines have run into the millions of euros. According to the new Information Commissioner, John Edwards, there is an intention to raise fines for these types of infringements.
As for infringements of the UK General Data Protection Regulation (GDPR), the ICO does not shy away from issuing big fines. In 2020 the ICO imposed fines of £20m and £18.4m, in both cases for a failure to put in place appropriate technical and organisational measures to keep personal data secure. The new Commissioner does refer to big fines in his talks about the ICO’s plans, but promises to use them with “surgical and targeted application” so that they “serve a broader purpose of bringing certainty to an issue or a sector.”
The ICO started off Q2 of 2022 with a £7.6m monetary penalty and an enforcement notice against Clearview AI Inc. for creating a database of individuals’ images by scraping data from the internet, including from social media sites, without their knowledge. The company also used biometric data for facial recognition, and was ordered to cease activities relating to the processing of personal data of UK residents and to delete any such data it held. The fine is lower than the £17m fine that the ICO originally intended to impose on Clearview in November 2021. The details of the enforcement action have not yet been published, and there may be useful lessons to extract from them. The significance of this penalty lies in the fact that Clearview AI Inc. is a US-based company that processes the personal data of UK residents to create its database: it demonstrates the ICO’s willingness to impose penalties on companies to whom the UK GDPR applies extraterritorially.
The ICO took 56 enforcement actions last year, and we may see many more this year. While the ICO’s focus in 2020 and 2021 was on supporting organisations through COVID-19 and taking a pragmatic approach to enforcement, the new Commissioner has now promised to act with speed when it comes to enforcement. According to John Edwards, following the UK’s exit from the EU the ICO may finally take advantage of no longer being burdened by the requirement to consult other EU data protection authorities under the EU’s centralised enforcement mechanisms.
Organisations processing personal data should, therefore, take stock of the ICO’s enforcement actions in Q1 as well as the ICO’s areas of focus. This includes ensuring:
- There is a lawful basis for collecting personal data and such data is used in a fair and transparent way;
- Application of higher data protection standards to special categories of data;
- Awareness of, and compliance with, direct marketing rules;
- Application of appropriate technical and organisational security measures to protect personal data;
- Facilitation of data subject rights; and
- Staying on top of the ICO’s guidelines on compliance with the data protection and direct marketing rules.