Fresh evidence has emerged as to why privacy groups have such a beef against the UK’s Information Commissioner’s Office and the Irish Data Protection Commission, with a new analysis of GDPR penalties showing that only the Isle of Man, Malta, and Croatia have issued fewer fines.
In the second instalment of a study of data provided by the CMS.Law GDPR Enforcement Tracker, Decision Marketing can reveal that, out of the 29 EU states which have implemented GDPR, the UK and Ireland languish at the wrong end of the table when it comes to how many enforcements they have made.
Spain’s data protection authority (DPA) is way out in front on 143 fines, followed by Romania (43), Hungary (32), Italy (31) and Germany (27) but the ICO with three and Irish DPC with just two are in the same league as Estonia, Lithuania, Latvia and Iceland – countries with DPAs that operate on a fraction of the budgets which the UK and Irish regulators command.
Even with today’s £18.4m Marriott fine and the recent £20m penalty slapped on British Airways, the ICO is still behind Germany (€61.6m), Italy (€57.5m) and France (€51.3m) which have been far more punitive. The Irish DPC’s two fines total just €115,000, placing it at 24th in the table.
Both regulators will no doubt claim GDPR is not all about enforcement, but the figures would appear to strengthen the hand of privacy campaigners fighting against the adtech industry, who have long called for tougher action.
The original complaint – filed with the ICO and the Irish DPC on behalf of Brave, the Open Rights Group and University College London – was lodged in September 2018, with the aim of triggering an EU-wide GDPR investigation into the practice of real-time bidding.
Since then the complainants have ramped up the fight by claiming Google’s Authorised Buyers system leaks personal data about millions of visitors to thousands of advertisers 24/7 – without consent; threatened to push for a judicial review of the ICO after accusing it of failing to act; and have accused Google of operating an internal data “free-for-all” which it is alleged allows the firm to unlawfully share customer data across all of its divisions.
Meanwhile, they have slated the ICO for stalling its investigation until next year at least, due to the coronavirus pandemic, and even claimed that both regulators’ failure to act was making abuse even more widespread and that consumers’ highly personal data was up for grabs tens of billions of times a day.
The figures are even more damning for the UK as the Government has claimed the ICO is “capable of handling complex cases and imposing tough sanctions where necessary”, as part of its efforts to secure a post-Brexit adequacy agreement to ensure the frictionless transfer of personal data between Britain and EU states after December 31.
In a recent letter from the Irish Council for Civil Liberties (ICCL) to the European Commission, the privacy body urged the EU not to grant the UK an adequacy deal.
It stated: “The ICO may be the biggest and most expensive supervisory authority to operate, but it is not configured to monitor and enforce data protection in the digital age. Indeed, only 1% of its staff is devoted to this purpose.”
The letter concluded: “The UK lacks an effective independent supervisory authority that is capable of enforcing compliance with data protection law and vindicating data subjects’ rights. As a consequence, the personal data of data subjects in the Union do not at present have an adequate level of protection in the UK.
“Therefore, we suggest to you that the inescapable conclusion is that the UK must be unable to benefit from an adequacy decision at the present time.”
Decision Marketing publishing editor Charlie McKelvey said: “The numbers don’t lie; the ICO and the Irish DPC are among the worst GDPR enforcers and these figures seem to play into the hands of their critics.
“Of course, investigations can take years to conclude, but given the size of their operating budgets, there will be many who will be asking what exactly we are all paying for.”