GDPR (Enforcement) | Information Law Blog

On 20^th December 2019, the Information Commissioner published a Penalty Notice [pdf] it had issued under the Data Protection Act 2018 to Doorstep Dispensaree Limited in the sum of £275,000. While we have had the Marriot and British Airways Notices of Intent, this is the first penalty notice published by the Information Commissioner exercising her powers under the Data Protection Act 2018 and the General Data Protection Regulation to issue administrative fines (formally known in the UK as “Penalty Notices”).

In this case, the Information Commissioner was acting upon information received from another UK Regulator (the Medicines and Healthcare Products Regulatory Agency, or “MHRA”). The MHRA had executed a search warrant under its own regulatory scheme and discovered in a courtyard approximately 500,000 documents containing personal data, all of which were contained in an insecure manner. The MHRA inspected the documents and discovered that they contained personal data and special category personal data. The documents were dated from January 2016 to June 2018 and the condition of them indicated that they had been stored in the courtyard for some time. The Information Commissioner began an investigation; she wrote to the data controller asking a number of questions. The controller responded, via its solicitor; however, its response didn’t answer any of the Commissioner’s questions, but instead it seemed to the Commissioner (as recorded in the penalty notice) that the controller was denying any knowledge of the documents.

The Commissioner followed-up with more information and repeated the questions initially asked. The controller refused to answer those questions and the Commissioner records that it appears as though the Controller was conflating the separate investigation by the Commissioner with the one being undertaken by the MHRA. The Commissioner thereafter issued it with an information notice, which the controller (unsuccessfully) appealed to the First-Tier Tribunal. The Commissioner’s Penalty Notice then records that after the appeal was disposed of by the Tribunal, the controller did not comply timeously with the notice and the Commissioner had to threaten the controller with obtaining an information order and/or issuing a penalty notice.

The controller finally responded to the Information Notice, refusing to provide some information (under section 143(6) of the Data Protection Act 2018) on the basis that providing that information would open the controller up to prosecution by the MHRA in its separate criminal investigation. The controller provided various documents to the Commissioner, most of which were dated from 2015.

The Commissioner ultimately found that the controller’s infringements of data protection law were systemic in nature; the Commissioner pointed to the inadequate and outdated policies and procedures that it had in place. Furthermore, its privacy notice fell far short of what was enquired by Articles 13 and 14 of the GDPR. Interestingly, there appears to be no reference in the Penalty Notice to the early payment discount that was a feature of monetary penalty notices issued by the ICO under the Data Protection Act 1998.

The controller was also issued with an Enforcement Notice [pdf] by the Commissioner; which requires the controller to, among other things, update its internal policies and procedures, appoint a member of staff as an Information Governance Lead or Data Protection Officer, introduce mandatory training and update its privacy notice in line with Articles 13 and 14.

This Penalty Notice contains much that can be of assistance to controllers when it comes to enforcement action under the GDPR. The first point that is worth mentioning is that it is not recommended that controllers do not co-operate with the ICO during investigations. Indeed, controllers (and processors) and their representatives are under a positive duty to co-operate with the Commissioner (Article 31 of the GDPR). In any event, the Commissioner has a range of powers to ensure that she can properly investigate alleged breaches of data protection law; including, the power to issue an information notice, obtain an information order and obtain (and execute) a search warrant. It’s important that where you’re facing multiple regularly investigations simultaneously that you take each one seriously and understand precisely what each regulator is investigating and what their respective powers are.

It also appears that the Commissioner has dropped the early payment discount that used to be offered to controllers to encourage them to pay the penalty notice (an appeal automatically meant that the controller lost the early payment discount, as it would delay payment of the monetary penalty).

Alistair Sloan

We are able to assist data subjects, controllers and processors with data protection law matters, as well as a range of other information law concerns. If you would like to speak to us about an information law matter, then please contact our team on 0141 229 0880 or by E-mail.

Yesterday there was a great deal of excitement as some news outlets reported that British Airways had been fined £183m by the Information Commissioner’s Office. It became apparent fairly quickly that this wasn’t what had happened and that we are still waiting for the Commissioner to issue the first “penalty notice” for a breach of the General Data protection Regulation.

What did come to light yesterday was that the Commissioner had issued a notice of intent to British Airways giving them notice that she intends on issuing a penalty notice in the sum f £183m. This is not the first time where news of a notice of intent has resulted in reporting that the Commissioner had actually issued a financial penalty. The last time was when she issued Facebook with a notice of intent in respect of a pre-GDPR breach (a penalty was subsequently served on Facebook in the sum of £500,000 and that penalty is currently the subject of an appeal to the First-Tier Tribunal).

There is quite a bit of difference between a notice of intent and a penalty notice (formally known as a monetary penalty notice in the Data Protection Act 1998) and they shouldn’t be confused with one another. So, given the confusion, I thought I might write a brief guide to the process adopted in the UK in respect of administrative fines under the GDPR and the Law Enforcement Directive.

The process essentially begins with the Commissioner opening an investigation. This could be as a result of a mandatory breach notification by the controller, a complaint made by a data subject or it having come to the attention of the Commissioner in some other way (for example, via the media). The Commissioner then enters into an information gathering phase, and she has the power to compel (subject to appeal and some other limited exceptions) data controllers to provide her with information by issuing an information notice should data controllers refuse to engage with her office.

At some stage the Commissioner will decide whether enforcement action is appropriate in the particular case. There will have been a dialogue of sorts going on between the Commissioner’s office and the controller during the information gathering phase. A financial penalty is not the only option available to the Commissioner. If the Commissioner decides that an administrative fine (in GDPR language, or “penalty notice” in the language of the Data Protection Act 2018 (“DPA2018”)) might be the appropriate means to deal with the breach, then she is required by Paragraph 2(1) of Schedule 16 to the DPA2018 to the to give written notice to the controller of her intent to do so; this is known as a “notice of intent”. This notice must contain certain information, which is set out in paragraph 3 of Schedule 16 to the DPA2018.

The notice of intent is an important step because, by virtue of paragraph 3(4) of Schedule 16, the notice of intent must contain details of a period in which the controller can make written representations to the Commissioner; this period must not be less than 21 days. The Commissioner is prohibited from serving a penalty notice until this period has expired (paragraph 4(1) of Schedule 16). Furthermore, before deciding to issue a penalty and before finally deciding upon the amount of any penalty, the Commissioner must consider any written or oral representations made by or on behalf of the controller (paragraph 4(2) of Schedule 16).

Essentially, the notice of intent forms part of the due process of law. The Commissioner sets out in the notice the basis upon which she believes a penalty notice is appropriate and the proposed amount of the penalty notice. The controller then has an opportunity to make its case to the Commissioner and put forward a legal or factual case which:- (a) argues that no penalty notice should or can be given; (b) challenges proposed findings in fact contained within the notice of intent; and/or (c) challenge the proposed amount.

When the commissioner issues a notice of intent, she (and her office) must continue to have an open mind. It is not simply a tick-box exercise; it is an important part of a formal legal process. The Commissioner must be open to being persuaded by the controller that she is wrong in any of the matters set out in the notice of intent; including, being persuaded that the legal tests for issuing a penalty notice has not been met.

A notice of intent is certainly not (or shouldn’t be) a guarantee that a penalty notice will follow, or that it will be in the amount specified in the notice of intent. It is no more than a formal document giving notice to a controller of the Commissioner’s intentions and forms part of the legal process for issuing an administrative fine.

Once a notice of intent has been served by the Commissioner, she is normally required to issue the penalty notice within 6 months (paragraph 2(2) of Schedule 16); this includes the time permitted for written, and where applicable, oral representations. However, this period can be extended where the Commissioner and the controller agree (paragraph 2(3) of Schedule 16)

Appeals
Unlike a notice of intent, a penalty notice is subject of a right of appeal to the First-Tier Tribunal. In such an appeal all of the relevant factual and legal matters are reconsidered by the Tribunal. The Tribunal is empowered to uphold the penalty notice, modify the penalty notice or quash the penalty notice. Thereafter, there are appeals (but not as of right, only with permission) to the Upper Tribunal and the courts on points of law. Failures within the notice of intent procedure would give rise to grounds of appeal in respect the penalty notice. Depending upon the nature of the defects they could ultimately lead to the Tribunal quashing the Penalty Notice.

“One Stop Shop”
One final thing of note is that the Information Commissioner is acting as the “lead supervisory authority” in the British Airways matter; this is a mechanism which exists in the General Data Protection Regulation and applies so long as the United Kingdom remains a member of the European Union. Other supervisory authorities from elsewhere in the EU will also have the opportunity to comment on the Commissioner’s enforcement action in this case. This is an important aspect to note in relation to all enforcement action, not just penalty notices. Before taking a final decision in the British Airways case the Information Commissioner will have to circulate a draft of her decision to those other supervisory authorities, who are then permitted to make comments; the Commissioner must take these comments into account. This mechanism applies where there is cross-border processing taking place (see Article 4(23) of the General Data Protection Regulation for a definition of “cross-border processing”), which was the case in repsect of the British Airways data breach.

Alistair Sloan