Administrative Fines and the GDPR

Since 2010 the Information Commissioner has had the power to impose a Monetary Penalty Notice in respect of certain breaches of the Data Protection Act 1998 (“the DPA”), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).  In 2015 I undertook a Master of Laws degree and my dissertation looked at how the Commissioner had used the power to serve these penalties, but only in relation to breaches of the DPA.  What became clear from my research was that the Commissioner tended to focus on breaches of the seventh data protection principle (which relates to having in place sufficient technical and organisational measures).  However, the Commissioner’s enforcement team have been even more active in issuing monetary penalties for breaches of PECR.  You can see examples of the types of DPA and PECR breaches that can result in the Commissioner serving a Monetary Penalty Notice in my blog post on Data Protection/Privacy Enforcement from August 2017.

The GDPR also includes provisions for financial penalties, which it terms “administrative fines”, for certain breaches of the Regulation.  For some breaches the maximum penalty is €10m or 2% of global turnover (whichever is the greater); while for others the maximum penalty is €20m or 4% of global turnover (whichever is the greater).  These penalties are far greater than the maximum penalty currently available to the Commissioner, which is fixed at £500,000.  Of course, while the maximum penalties prescribed in the GDPR are in Euros, the UK does not use the Euro as its currency.  The recent Statement of Intent [pdf] from the UK Government (published in August 2017) suggests that the equivalent will be £17m where the GDPR sets a maximum of €20m.  The Government is expected to publish a Data Protection Bill later this month; once it does, we may become more enlightened about how the UK Government intends to convert the maximum penalties from Euros to Pounds Sterling.

Over the last year or so, there have been numerous articles published which focus on the high level of the administrative fines which will be available to the Commissioner.  At this stage it is far too early to tell exactly how the Commissioner will make use of her greatly extended powers; however, looking at how the current powers have been used may well cast some light onto the future.  It is probably fairly unlikely that the ICO will radically change how they have been enforcing data protection law upon the GDPR becoming effective (at least not immediately anyway).  Indeed, the Commissioner herself has published a blog post on the ICO’s blog seeking to squash the idea that her office will be rushing to issue crippling financial penalties to errant data controllers.

The consistency mechanism within the GDPR, when having reference to Recital 150, may be used to ensure that there is a consistent approach taken across Member States in the application of administrative fines.  This may well mean that, over time, a more consistent approach to financial penalties may develop across supervisory authorities.  What impact this will have in the UK remains to be seen, given that developing a consistent approach, if indeed that is what happens, will take time; the UK is on course to leave the European Union a little under 12 months after the GDPR becomes applicable.

As I noted above, insofar as the DPA is concerned, much of the Commissioner’s use of monetary penalties has been in relation to breaches of the seventh data protection principle.  Where monetary penalties have been issued, common features have been a failure to have in place adequate policies and procedures; a failure to ensure the staff have been adequately trained in the organisation’s policies and procedures; and a failure to have in place adequate security (especially encryption).

The seventh data protection principle has survived, and is now to be found in Article 5(1)(f) of the GDPR.  Article 5(1)(f) reads: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.  In GDPR language it is the ‘integrity and confidentiality’ principle; a failure to comply with this basic principle of processing is one of the breaches that can result in a maximum administrative fine of €20m or 4% of global turnover (whichever is the greater).

Given that the Commissioner (and her predecessor) has historically taken action for breaches of the seventh data protection principle (including, but not limited to, the imposition of financial penalties), a reasonable assumption to make is that she will enforce against breaches of the integrity and confidentiality principle.  Therefore, if an organisation is found to have breached the integrity and confidentiality principle, and one of the common contributory factors mentioned above is present, it should consider that an administrative fine is a real possibility (but not necessarily an inevitability).

What is impossible to tell at the moment is the level of the administrative fines that the ICO will issue; although, it is unlikely that there will be a tectonic shift in the size of penalties issued by the Commissioner.  The ICO has traditionally taken into account the organisation’s financial resources when fixing the financial penalty and it is likely that this will continue; indeed Recital 150 of the GDPR states that the supervisory authority should take into account the “economic situation of the person in considering the appropriate amount of the fine.” However, the GDPR does require the ICO to ensure that the imposition of administrative fines in respect of infringements of the Regulation shall, in each individual case, be effective, proportionate and dissuasive.

Recital 148 of the GDPR does state that “in a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.”  The Recital continues by stating that:

 “due regard should be given to the nature, gravity and duration of the infringement, the intentional character of the infringement, actions taken to mitigate the damage suffered, degree of responsibility or any relevant previous infringements, the manner in which the infringement became known to the supervisory authority, compliance with measures ordered against the controller or processor, adherence to a code of conduct and any other aggravating or mitigating factor.” 

There will therefore need to be a balancing exercise undertaken by the ICO to find the right level of fine in each case (in the same way as is done today).

There may be some small increase in the level of penalties being issued by the ICO from May 2018, but it is unlikely that we will begin to see financial penalties much larger than those that we are seeing today (not immediately anyway).  The Article 29 Working Party and the ICO will no doubt issue guidance on administrative fines in due course and once we see that guidance we might have a better idea as to how the administrative fines will operate in practice.

Alistair Sloan
