European Union: Examining The ICO's Enforcement Powers Under The GDPR And The DPB

Information law analysis: Jon Baines, data protection advisor at Mishcon de Reya, highlights the enforcement powers available to the Information Commissioner's Office (ICO) under the General Data Protection Regulation (GDPR) and the Data Protection Bill (DPB).

What enforcement powers and sanctions are available to the ICO under the GDPR and DPB?

The basic powers available to the Information Commissioner (it's worth noting that the powers are vested in the Commissioner herself, and not the ICO) under the GDPR and the DPB do not differ substantially from those under the existing law, ie the Data Protection Act 1998 (DPA 1998).

However, the new regime does bring some changes. The general enforcement powers are specified in the DPB, and are to serve notices, to enter and inspect premises and to bring prosecutions. There are four types of notice—information notices, assessment notices, enforcement notices and penalty notices. In broad terms, these notices have the following effect:

• information notices require a data controller or processor to provide information reasonably required by the Commissioner for the purposes of carrying out her functions
• assessment notices empower her to require a controller or processor to submit to an audit by her office (this is an area where GDPR and DPB will effect change—previously, under DPA 1998, compulsory audits have only been possible on central government and—since 2015—NHS bodies)
• enforcement notices can require to take steps or refrain from taking steps specified in the notice—this type of notice is not new, but is potentially very powerful, as it could in effect require an organisation to stop operating, or introduce measures which are so onerous or costly that they could have the effect of stopping operations
• penalty notices, which in the main part, empower the Commissioner to require a data controller or a processor (the power to penalise the latter is a new power) to pay a monetary penalty if it fails to comply with its obligations under the GDPR or DPB, and if, broadly, it is a suitably serious failing. As is now well known, the maximum monetary penalty available to the Commissioner will be €20m, or 4% of global annual turnover (whichever is higher)

What criminal offences are set out in the DPB?

The DPB provides for a number of criminal offences. Primarily, these are set out in clauses 166, 167 and 169.

Clause 166 relates to the offence of knowingly or recklessly obtaining or disclosing (or procuring the disclosure of) personal data without the consent of the data controller. This is primarily the same offence as exists at DPA 1998, s 55, and the one which is most commonly prosecuted, for instance for blagging exercises, or when departing staff take customer databases to new employers without authorisation. However, the DPB adds an extra limb to the effect that retention of personal data, after obtaining it, without the consent of the person who was the controller in relation to the personal data when it was obtained, is also an offence. There are various defences available—for instance if the person charged can prove that the act was necessary to prevent or detect crime, or that it was justified as being in the public interest.

Clause 167 is new—it creates an offence of knowingly or recklessly re-identifying information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data. During parliamentary debate, concerns were expressed that this could potentially criminalise security researchers, and clauses 167(4)(d) and 168 now provide a defence for people re-identifying under the 'effectiveness testing conditions'.

Clause 169 is also new, and is framed in similar terms to section 77 of the Freedom of Information Act 2000—it creates an offence of altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure in response to a data subject access request.

There are various other offences which carry over from DPA 1998, for instance those relating to 'enforced subject access' (for example, an employer demanding prospective employees use their rights under DPA 1998 to see information held about them), or those relating to obstruction of the exercise of warrants.

It is noteworthy that one relatively common offence disappears under the GDPR and the DPB—it is no longer a requirement of European law to notify the ICO of one's processing of personal data. The UK has, in fact, legislated domestically for a different, but similar, requirement on specified controllers to pay a fee to the ICO, but a contravention of this new obligation will only be punishable by a civil monetary penalty.

What has the ICO said about their enforcement of the GDPR and DPB?

The repeated message coming from the ICO, and the Commissioner, is that their enforcement approach will be 'carrot over stick'.

In a blogpost in August 2017 the Commissioner said: 'It's scaremongering to suggest that we'll be making early examples of organisations for minor infringements or that maximum fines will become the norm...The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR.'

Controllers, and processors, should however be aware of the recent opening of the consultation on

 the ICO's draft Regulatory Action Policy (closing date 28 June). As important as it is to note the general tenor of comments coming from the ICO, this policy will be the lynchpin for future regulatory action, and should be read closely.

Interviewed by Alex Heshmaty.

The views expressed by our Legal Analysis interviewees are not necessarily those of the proprietor.

Originally published LexisNexis

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.