The Information Commissioner’s Office has been accused of losing its appetite for issuing fines after it blamed “limited resources” for dropping its investigation into EasyJet’s 2019 mass data breach – one of the biggest ever cyber attacks.
The decision to drop the case, in which the personal details of 9 million customers were compromised and the credit card details of just over 2,200 were stolen, was in fact first revealed in a Freedom of Information request in December 2021.
At the time, the FOI response showed that EasyJet was one of scores of organisations which had been given reprimands rather than fines, with other high profile brands including TSB, Asda, Morrisons, Zoom and Bupa.
My1Login chief executive Mike Newman said: “When the EasyJet breach was first announced over three years ago, it was widely regarded as one of the world’s biggest cyberattacks. Over nine million people had their personal data compromised, which put them at serious risk of phishing, financial fraud and identity theft. It is therefore deeply concerning that the ICO has dropped its investigation into the attack, and it could send out a very wrong message to other organisations.
“Given the scale of the attack, and the fact that British Airways was hit with a £20m fine for a much smaller breach, the industry was expecting the ICO to come back on EasyJet with its full force, but evidently this is not the case.”
And, while the ICO continues its ongoing fight against nuisance calls and texts under the Privacy & Electronic Communications Regulations, its lack of action under UK GDPR is concerning many data protection experts.
According to the GDPR Enforcement Tracker, published by CMS, the ICO has issued 13 fines since GDPR came into force five years ago (including under UK GDPR post-Brexit), although the penalty against Clearview was recently thrown out. Over the past 12 months, the ICO has issued just one penalty, against TikTok.
This compares with 2,101 fines issued across the EU since May 2018, led by Spain on 777, Italy on 323, Germany 173 and Romania on 171.
Mishcon de Reya senior data protection specialist Jon Baines said: “The ICO seems to have lost its appetite for issuing fines in the last year or so. In many cases [fines] have been replaced by ‘reprimands’, which amount to little more than a slight rap on the knuckles.”
One industry insider added: “Quite how the ICO can claim it has limited resources is beyond me. It is the biggest data protection regulator in Europe, with a budget of £75.7m and 944 permanent staff, yet appears to have gone soft on enforcing anything other than PECR.
“Given this lack of action, it does make you wonder what is going to happen once the new ‘business friendly’ Data Protection & Digital Information Act comes into force. Will the ‘watchdog’ be a snarling Rottweiler or a playful puppy?”
Back in 2021, when the Government started advertising for a successor to Elizabeth Denham (who had her critics, too), privacy organisation the Open Rights Group first warned that the ICO could become a ministerial stooge that reduces privacy protections rather than a regulator that enforces the law.
At the time, 29 MPs and peers, including Chris Bryant, Dame Margaret Hodge, Caroline Lucas, Baroness Jones of Moulsecoomb and Diane Abbott, signed an open letter in response to a recruitment ad posted by the Department for Digital, Culture, Media & Sport.
It stated: “We are writing as MPs concerned about the appointment process for the incoming ICO, which we believe may compromise their independence, as it appears to ask for a candidate whose regulatory thinking matches that of the Government, rather than one who possesses the skills necessary to regulate.”
Former New Zealand privacy chief John Edwards took up the role in January 2022.
In its defence, an ICO spokesperson said: “All data breaches reported to us are important, given the human impact at the heart of each incident.
“The ICO regulates the whole UK economy and so we have to continuously review and make difficult choices about which issues we take forward. It is our duty to ensure we use our powers to have the maximum possible positive impact for the public and provide regulatory certainty to organisations.
“Having carefully considered this particular case, the Commissioner decided that pursuing enforcement action would not be the best use of our limited resources at this time.”
“We are currently transforming how we prioritise and deliver activity across our wide range of regulatory responsibilities to enable timely and transparent results as we prepare for the forthcoming Data Protection & Digital Information Bill.”