The Information Commissioner’s Office annual report has exposed a chronic hit-rate when it comes to regulatory action, despite operating costs of over £54m – including nearly £40m on staff – with just 0.71% of the investigations it conducted last year resulting in a monetary penalty.
While the ICO will no doubt argue its work is not just about enforcement, the figures show consumer complaints continue to flood in, suggesting not enough is being done to tackle poor practices and that the watchdog is more puppy than Rottweiler.
The report, which covers the 12 months from April 1 2019 to March 31 2020, shows the ICO received 38,514 data protection complaints, down marginally on last year’s 41,661; 6,367 Freedom of Information moans (6,418 last year); and 127,940 gripes about unlawful calls, texts and emails under the PECR legislation (138,368). Meanwhile, personal data breaches triggered 11,854 complaints (13,840).
Out of all those complaints, however, the ICO investigated just 2,100 cases, taking regulatory action in only 236 cases – equivalent to 11.24% of the investigations. That included 54 information notices, eight assessment notices, seven enforcement notices, four cautions and eight prosecutions.
There were just 15 fines issued (0.71% of investigations), which would bring in nearly £3.5m to the Treasury if they all cough up. They include £500,000 penalties for Cathay Pacific, Dixons and CRDNN; even Facebook finally agreed to pay its £500,000 fine over the 2018 Cambridge Analytica scandal, but the settlement included no admission of liability.
Just one fine – of £171,000 against Black Lion Marketing – was levied for breaches of PECR during 2019/2020, and that only scraped in because its rogue activities ended on April 3, reinforcing claims that the ICO has sidelined investigations into nuisance calls.
The regulator refutes such suggestions, however, stating that: “We have continued to act against nuisance marketing firms. The publicity generated by these fines, and our communications, highlight to the public what they can do to stop and report nuisance calls.”
The sole GDPR fine levied was a £275,000 penalty against Doorstep Dispensaree. Of course, the ICO’s headline-grabbing GDPR penalties against British Airways (£183m) and Marriott International (£99m) are still no nearer – over a year after they were issued with notices of intent.
Over half of the annual report is devoted to what the regulator claims are its “key achievements” – including the launch of its regulatory sandbox, the age appropriate design code, a fact finding and networking trip to San Francisco, the ICO’s Research Grants Programme and its work with the Global Privacy Assembly.
There is even a section in which it claims to have made progress with the adtech industry, which has stuck in the craw of privacy groups who continue to berate the regulator for its lack of action.
Meanwhile, staff numbers continue to rise. As of March 31, the ICO had 768 permanent staff (equivalent to 720.3 full-timers), with over 250 employees who directly help customers through its helpline, live chat, email and complaints handling services.
Last month, Decision Marketing revealed that the regulator had tackled data protection fee dodgers, with its end of year financial results revealing it had exceeded its target by over £2m, raising a total of £48.7m from UK companies.
However, travel costs were £922,000 against a budget of £687,000, an overspend of £234,000, along with extra office costs of £734,000, staff costs of +£294,000, training and recruitment +£55,000, something called “project spend” +£461,000, financial costs +£49,000 and capital spend +£11,000.
Information Commissioner Elizabeth Denham said in the report: “We have seen a transformative period in our digital history, with privacy established as a mainstream concern, and with complex societal conversations increasingly asking data protection questions.
“This report shows the ICO has been at the centre of those discussions…and shows the ICO at its best: tackling challenging issues, consulting with those affected and taking practical steps that will prompt important changes that benefit society.
“It is now three years since I wrote in my first annual report as commissioner, and wrote that continued growth and citizen confidence in the digital economy needed an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm.
“As we reflect on such a key year, I believe this report sets out how the ICO is now that regulator.”