Decision Marketing at 15: Puppy or vicious watchdog?

There is little doubt that the past 15 years have proved the most challenging for the Information Commissioner’s Office since it was established as the Data Protection Registrar back in 1984, with Eric Howe at the helm.

Since 2010 there have been three distinct Information Commissioners – Christopher Graham, Elizabeth Denham, and John Edwards – each grappling with evolving technology, seismic legislative changes like GDPR, and persistent criticism of their enforcement approach.

Christopher Graham, who succeeded Richard Thomas in 2009, began his tenure just as the Internet turned mainstream, with a focus on improving the efficiency of the regulator and enforcing information rights by encompassing both data protection and Freedom of Information (FOI).

Facing a significant backlog of cases, his early efforts streamlined processes, drastically reducing the number of complex FOI cases pending for over a year.

Graham’s ICO was characterised by its use of the powers available at the time. A notable development in 2010 was the introduction of monetary penalties, allowing the ICO to fine organisations up to £500,000 for serious breaches of the Data Protection Act. This period saw action against construction companies for an unlawful blacklisting database and the first fines for a marketing company responsible for millions of spam texts.

However, Graham often faced criticism from privacy campaigners and MPs for being a “toothless tiger”, primarily due to the relatively low cap on fines and a perception of being slow to act on major data scandals. The phone-hacking scandal, which predated much of Graham’s term but saw investigations continue, highlighted the ICO’s challenges in tackling systemic issues within powerful organisations.

Not long after Elizabeth Denham assumed office in 2016, the Brexit vote was cast, creating a unique challenge in implementing GDPR, the EU regulation that came into force in May 2018.

Denham was instrumental in ensuring the UK’s data adequacy status post-Brexit, a critical achievement for British business.

Her tenure was defined by the transition to GDPR and the Data Protection Act 2018, which vastly increased the ICO’s fining powers to up to 4% of an organisation’s global annual turnover or €20m (whichever was greater). Denham actively encouraged businesses to view data protection as a boardroom issue, not just a compliance exercise.

However, critics often accused her of chasing headlines, none more so than with the controversial rulings against British Airways and the Marriott hotel chain following data breaches.

The BA case dated back to September 2018, when the airline “self-reported” a cyber attack, triggering an ICO probe. The incident in part involved user traffic to the BA website being diverted to a fraudulent site, and the ICO’s investigation found that a variety of information had been compromised by poor security arrangements, including login, payment card and travel booking details as well as name and address information.

The regulator then issued a “notice of intent” on July 8 2019 to fine the airline £183m; a day later it issued another notice of intent to fine Marriott International £99m for a cyber incident which exposed 339 million customer records globally, of which over 30 million were in the EU and 7 million in the UK.

By October 2020, BA had secured a reduction of nearly 90% to £20m, while Marriott had hammered down its penalty to £18.4m. Both companies then agreed to pay the fines “on tick”.

However, the most significant case was the Facebook and Cambridge Analytica “scandal”, which triggered a wide-ranging and hugely costly investigation into the use of data analytics for political purposes based on the revelations of a key whistleblower.

The ICO first launched its investigation in May 2017, following claims that Cambridge Analytica and SCL had influenced the Brexit vote.

The inquiry was ramped up in March 2018 when further claims were made that Cambridge Analytica had employed clandestine methods to harvest the data of 50 million Facebook users to influence voters.

At the height of the scandal, Denham famously said “data crimes are real crimes”. In the end, however, all of the ICO’s investigations – which cost over £2.5m – the night-time raids on business premises, the conspiracy theories and the media hype came to very little.

Facebook was fined just £500,000 – the maximum under the Data Protection Act 1998, the legislation in place at the time of the breach – while a sister company of Cambridge Analytica, SCL Elections, was also fined £15,000 plus costs for failing to respond to an enforcement notice related to a data subject access request.

Facebook eventually agreed to pay the penalty but only after a bizarre settlement in which it made no admission of liability. Leave EU and Eldon Insurance (now Somerset Bridge) were fined a total of £120,000.


Meanwhile, the issue also threw the spotlight on the UK data broking industry, with Bounty UK slapped with a £400,000 fine for illegally sharing personal information, and Emma’s Diary hit for £140,000 for a serious breach of the first principle of the Data Protection Act 1998.

The ICO also claimed to have found that major players Experian, Equifax and TransUnion were trading, enriching and enhancing people’s personal data without their knowledge.

This processing resulted in products which were used by commercial organisations, political parties or charities to find new customers, identify the people most likely to be able to afford goods and services, and build profiles about people, the regulator said.

Under pressure from the ICO, Equifax and TransUnion changed their practices but Experian stuck to its guns and, in 2020, it was issued with an enforcement notice, compelling the company to make changes within nine months – and delete all “unlawful data”.

The ICO threatened further action for breaching GDPR, including a potential fine of up to £20m or 4% of the organisation’s total annual worldwide turnover of $5.2bn, a whopping £208m.

The case was still live when John Edwards took up the commissioner role in January 2022 and in early 2023 Experian successfully appealed the decision. At the time, Experian UK&I managing director Jose Luiz Rossi said the move represented “a welcome development for the consumers, small businesses and charities across the UK that rely on the services provided by Experian”.

Even the DMA waded in, saying: “The Tribunal ruling reaffirms key principles for the use of legitimate interests for direct marketing, particularly that any balancing test must take into account the economic benefits and the benefits to the individual of receiving the relevant offers.

“The DMA agrees fully with the Tribunal’s judgment that receiving more relevant offers is unlikely to cause any distress or harm and is more likely to create benefits.”

So, Edwards was forced to take it on the chin, and soon unveiled his strategic vision, outlined in the ICO25 plan, emphasising “outcomes, not outputs” and a proportionate, risk-based approach to regulation.

Edwards has made a conscious decision to be selective, focusing discretionary capacity on key causes such as protecting children’s privacy online, tackling nuisance marketing, and ensuring responsible use of AI.

He has specifically adopted a new approach for the public sector, prioritising reprimands and engagement over fines, arguing that fines often penalise the public purse rather than driving meaningful change.

And while there have been significant fines, such as the £12.7m penalty for TikTok over children’s data breaches, critics continue to express concern that the reluctance to fine public bodies reduces accountability and that the overall enforcement stance is softer than Denham’s, potentially undermining the ICO’s authority and public trust.

While the fining powers have increased dramatically, some believe persistent claims of inaction reflect the ongoing tension between a regulator’s need for proportionality and the public’s expectation of robust enforcement in an ever-more data-centric world.

Under the Data (Use & Access) Act, the ICO will be replaced by the Information Commission, with a chair, chief executive and a board in line with other UK regulators.

Whether this new era will see the critics silenced by a new get-tough approach remains to be seen, but the ICO’s performance will no doubt remain a subject of intense debate in the years ahead, highlighting the complex challenge of balancing innovation with the fundamental right to privacy.
