The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.
The overwhelming impression from the Annual Report is that of an industrious data protection regulator that takes its obligations seriously. It is a regulatory agency that is creative, ambitious and proactive in discharging its statutory functions, and in pursuing its stated aim of upholding information rights for the UK public in the digital age. The ICO is cognizant of the challenges that lie ahead, and is readying itself to address them with new substantive initiatives, such as establishing an Executive Director for Technology Policy and Innovation (who is already scrutinizing the adtech sector); creating a regulatory sandbox to help ensure that new technologies address data protection; announcing a strategic focus on enabling controllers to implement accountability for GDPR compliance, making tools such as seals and certifications a reality; building international visibility and reputation; and significantly increasing its staff and budget.
Calls and Complaints
In a year that the ICO describes as “unprecedented,” the ICO conducted almost half a million conversations through its helpline, live chat and written advice service, a 66% increase from the previous year. Its website also saw a 58% increase in traffic and a 72% increase in individual users visiting the site. Its GDPR guidance alone received over 15 million views. Complaints from the public almost doubled, and the ICO announced that it would streamline its complaints process in order to manage this increased workload in the coming year. As with previous years, the most common complaints related to subject access requests, constituting 38% of the total.
The impact of this increased demand for the ICO’s services is reflected in the fact that its call answer rates dropped from 80% to 65%, and the average wait time for callers almost doubled. The ICO has already increased its workforce from 505 to more than 700 in order to tackle the increased demand for its services, and aims to have 825 full-time employees by 2020-21, making it by far the largest EU data protection authority.
As well as the increase in complaints relating to the GDPR, complaints under the Privacy and Electronic Communications Regulations (“PECR”) increased by almost 30,000. Reported concerns about cookies increased from 147 to 1,276, although the highest number of complaints related to telesales calls with recorded voices. In addition, a further 616,000 individuals registered with the Telephone Preference Service (“TPS”) (indicating that they do not consent to receive direct marketing calls). More than 52,000 complaints were received by the TPS during this period.
The ICO also saw a substantial increase in the communications it received from companies, including 13,840 personal data breach reports under the GDPR, a four-fold increase on the 3,311 received in 2017-18. The ICO noted that cybersecurity had been at the root of a number of these breach reports. Although it is clear that breaches have been over-reported in the UK, the ICO stated that “the significant increase in breach reporting demonstrates that organizations are taking the requirements of the GDPR and DPA 2018 [Data Protection Act 2018] seriously and it is encouraging that these breaches are being proactively reported to us.”
In 82% of reported breaches, the ICO determined that the organization in question had sufficient measures in place, or was taking appropriate steps to address the breach, such that the ICO was not required to take any action. In less than 1% of cases the ICO felt the need to go beyond providing recommendations or requiring some action from the controller, and in only 0.05% of cases was a monetary penalty issued.
For the year, the ICO imposed 22 fines under the Data Protection Act 2018, totaling £3 million. These included fines against Equifax, Facebook, Uber, the Crown Prosecution Service and Yahoo. Since the infringements in question took place before the GDPR came into force, the maximum fine for a single violation was £500,000. The Annual Report was written prior to announcement of the ICO’s proposed record fines against British Airways (£183 million) and Marriott International (£99 million) (on July 8 and July 9, 2019, respectively).
Fines were also levied for failure to pay the Data Protection Fee, required for controllers operating within the UK (or processing data about UK data subjects). The ICO issued 3,335 notices of intent to fine for non-payment, 227 penalty notices, 67 of which led to payment (totaling almost £100,000 in fees and penalties).
The ICO sets out its priorities for the year ahead in the Annual Report, including the delivery of four statutory codes of practice, as required under the DPA 2018. These focus on age-appropriate design, data sharing, direct marketing, and data protection and journalism, and are expected to be finalized in 2019. Courts and tribunals will be required to consider these codes when dealing with cases. The ICO is also in the process of developing guidance for the use of personal data in political campaigns, following its Democracy Disrupted? report, published in July 2018. The report included a number of recommendations designed to restore trust and confidence in the integrity of the election process, including the recommendation that the guidance developed by the ICO be given the same legal status as the other statutory codes.
The ICO recognizes the challenges that companies have faced over the past year, particularly small and medium-sized enterprises and sole traders, and noted that it is considering establishing a “one-stop-shop” for SMEs within the ICO. This would aim to provide assistance to SMEs who do not have dedicated in-house compliance teams.
Finally, the ICO recognizes that the digital economy is a global phenomenon, and it has devoted significant resources to building its relationships and influence outside the EU, including by participating in networks such as the International Conference of Data Protection and Privacy Commissioners (which Elizabeth Denham chairs), the International Conference of Information Commissioners, the Asia Pacific Privacy Authorities, the Common Thread Network and the Global Privacy Enforcement Network (GPEN). It also continues to work closely with the U.S. Federal Trade Commission.