Ministers urged to get ICO enforcement back on track

parliament_2The Government is coming under increasing pressure to give the Information Commissioner’s Office a kick up the backside, amid claims the regulator all too often takes on high profile cases, such as nuisance calls, but is failing to properly enforce more serious data protection issues.

With the Digital, Culture, Media, & Sport Committee of the House of Commons due to hold a hearing with the Information Commissioner this month, the Open Rights Group has joined growing calls for more action from the regulator, setting out six key questions that the organisation claims need answering.

The ORG’s demands follow concerns over its inaction against the adtech sector, while industry body the DMA has also waded in over what it perceives as a lack of consistency in the ICO’s investigations.

Meanwhile an analysis of its GDPR enforcement has shown the ICO is way behind other EU nations; the UK has so far issued just four penalties under the regime, while Spain’s data protection authority has issued 143, followed by Romania (43), Hungary (32), Italy (31) and Germany (27).

In a blog post, ORG executive director Jim Killock writes: “In 2018, when the GDPR came into force, the ICO acquired new powers and responsibilities. These included new teeth, such as the ability to fine companies 4% of their annual global turnover. GDPR also gave individuals new rights over their data – rights which the ICO is responsible for upholding. Yet it is now clear that the ICO is failing to use their powers and responsibilities to deliver GDPR’s regulatory expectations.

“For us at ORG, the greatest of these failures is their work on adtech, but there are many others. GDPR was always going to require a big change in mindset from the ICO, which had only recently acquired enforcement powers and the ability to fine more than token sums.

“It arrived at its enhanced GDPR obligations with a weak culture of enforcement, as well as a legacy of only targeting high profile problems, such as operations blacklisting trade union members or automated spam robo-calls.

“GDPR, however, envisages regulators which proactively work to prevent and punish a wider range of data abuses. This proactive enforcement was meant to create both carrots and sticks for companies to abide by the law.”

Killock goes on to detail the six key issues:

1. Why do the ICO’s fines only target data leaks, spam, and robocalls?
Despite GDPR’s enhanced powers, the ICO’s fining practices have continued to target companies for very simple abuses, ones which are clear and easy to understand. Fines have been issued for spam emails and calls without consent, and for security failures leading to vast amounts of customer data being leaked.

On the other hand, what is not being tackled through GDPR’s powers are abuses of data which are both systemic and egregious, but also, more legally complicated. Adtech is a clear example of this.

The ICO’s decision to hold back from issuing fines sends a clear message. No matter how bad your reasoning is, no matter how rich your company is, and no matter how much money you make from data misuse, the ICO will not issue a financial penalty, so please feel free to carry on ignoring GDPR.

2 Why is the ICO silent when the Government fails to respect citizens’ data rights?
The ICO made some general observations about the Covid-19 Tracing App for England and Wales when it was asked to do so by Parliament, but failed to make any public statement when the app was launched without completing basic data checks, including the data protection impact assessment (DPIA) required by law. When the DPIA appeared, it was shoddy. The ICO said nothing.

When the call-centre Test and Trace scheme was launched involving multiple contractors, software platforms, and temporary staff, no over-arching DPIA had been carried out to assess the risks. The programme was launched and operating unlawfully. Since then, multiple data failures have emerged. The ICO has said nothing. As far as we know, the scheme still has not completed its DPIA.

Test and Trace was relaunched on a statutory footing, asking venues to record customer personal data. The Government has taken no direct responsibility for this data collection to ensure that it is legally compliant. The ICO has said nothing.

During the pandemic, other European data protection watchdogs have done their job, by calling out their governments for failing to safeguard public privacy, going so far as to suspend the use of the app in Norway’s case. Ours however stated that they viewed their role over government’s pandemic data practices as that of a “critical friend”.

The result of this is that government feels no reason to improve its privacy and data protection practices, or to take steps to safeguard user privacy, with a “friendly” watchdog prepared to look the other way.

3 Why did the ICO do nothing to tackle automated A-level results?
When the scandal over automated A-level results broke, we learned that the ICO knew about the scheme and had been speaking with Ofqual. It would have been obvious to them that the students whose education was placed in jeopardy by the marking system would be owed the right to human review of those results under Article 22 of GDPR, as these had been automated decisions which had a legal or similar significant effect.

This was a strategic and calamitous decision. The ICO had a chance to educate the nation’s young people about their about key digital and legal data rights, including the right to human review and the need for data processing to be fair. A generation would have understood how important data protection rights are for their futures.

4 Why has the ICO failed to draw the line on profiling by political parties?
Several years into an investigation into profiling by political parties, the ICO released some recommendations into ways to improve data protection practices.

However, the critical question remaining is the use of electoral register data for personal profiling. All major parties have been found to be appending general profiling information about income and broad demographic characteristics to voter records. The Conservative Party, in particular, was found to be profiling voters for religious and racial characteristics.

Much of this profiling is likely to go beyond what data protection law allows, but the ICO still has not issued clear advice about what is acceptable. Meanwhile, parties will be preparing for the 2021 elections and are purchasing profiling information now. The lack of clear guidance and enforcement is failing both parties and voters.

5 Why is the ICO delaying enforcement in the adtech industry, while other DPAs are litigating?
In Belgium, the data protection authority opened a formal proceeding against the Adtech industry body IAB, following the results of their investigations. The UK’s ICO however, has closed our formal Complaint, and gives no timescale for action. Widespread, unsafe sharing of millions of people’s personal data continues.

6 If the ICO is seen as ineffective or unaccountable, how will this impact an EU adequacy decision?
The EU will require the UK to have an effective regulator in order to grant a data protection adequacy agreement. This means that the ICO needs to show that strong, effective, and proportionate action is taken when information rights are abused.

Killock concludes: “DCMS have a great opportunity to start to examine how effective the ICO is. Many people are upset about their work and are questioning their ability to enforce the law. If GDPR is going to deliver greater public trust and respect for individual’s data rights, then it needs to be enforced. When Parliament agrees laws, these should result in behaviour change. Parliament should take a hard look at the work of the ICO and ask if it is living up to expectations.”

Related stories
DMA wades into ICO row over axed adtech investigation
Uproar as ICO axes adtech probe into Google and IAB
ICO and Irish DPC ‘among the worst GDPR enforcers’
Deceptive data processing sparks biggest GDPR fines
EU told to block UK data deal due to ICO’s dismal record
Adtech breach widens, two years after first complaints
Privacy groups hit out at fresh delay to adtech probe
‘Chicken’ ICO kicks adtech investigation into long grass