BCL partner Julian Hayes and associate Greta Barkle's article titled 'The UK ICO's modified approach to data regulation during COVID-19 is welcome but risks remain' has been published by Euronews.
Here's an extract from the article:
While the tragic human consequences of COVID-19 have played out on nightly news bulletins, regulators across Europe have scrambled to adjust their approach to minimise its immediate and longer-term economic consequences. Early on, the UK's Information Commissioner (ICO) declared its reasonableness and pragmatism in the face of the health emergency and, on 15 April, it fleshed this out in a publication setting out its regulatory approach during the coronavirus pandemic.
The ICO's document is one of a series issued by the data watchdog in recent weeks and will be welcomed by data controllers and processors under exceptional pressure. Nevertheless, those seeking dispensation from data security obligations at this time will look in vain, and risks remain for the unwary.
Three factors lie behind the ICO's temporary regulatory approach during the pandemic: regulated organisations face staff and operating shortages, public authorities are pre-occupied with meeting front-line service demands, and acute financial constraints are restricting finances and cashflows. As the regulator acknowledges, these factors may impact on data controllers' ability to comply with data legislation. Rather than appearing "tin eared," the ICO, like the European Data Protection Supervisor and national data supervisory authorities across Europe, has chosen to highlight the flexibility built into the EU's General Data Protection Regulation (GDPR), and to reassure those it regulates by giving a steer on how data rules will be applied during this exceptional situation.
ICO's approach during health emergency
Amongst the high-level indications set out on the ICO's document are that the regulator will suspend data audit work to focus instead on the most serious challenges to the public, use its formal powers to require information sparingly and allow greater time to respond, and will conduct fewer investigations to concentrate on circumstances suggesting serious regulatory non-compliance. In fact, on 1 April, the First Tier Tribunal, which hears appeals from ICO notices, had already granted the Information Commissioner's request for a 28-day general stay on all proceedings as a result of the pandemic. While the ICO's stay application was made for technical reasons, it is a clear example of the ICO's modified regulatory approach. Its practical effect will be that compliance with information, assessment, enforcement and penalty notices will also be placed on hold, granting recipients temporary "breathing space."
As part of the ICO's approach during the pandemic, enforcement action is unlikely where Freedom of Information Act and data subject access requests are not satisfied within normal timescales. Breach notification required under GDPR Article 33 should still be notified to the regulator within the requisite 72-hour period. However, even here, the watchdog hints at flexibility where the reporting deadline is affected by the current crisis. That said, any organisation breaching data protection laws to take advantage of the situation is likely to face serious consequences.
In terms of COVID-19's impact on GDPR penalties, much media attention has focused on the ICO's agreement with British Airways and Marriott to extend its disciplinary process for high profile data breaches involving thousands of customers' personal and financial data, which came to light during 2018, until later on in the summer. This deferral is giving rise to speculation that the pandemic was the cause. In fact, earlier extensions had been granted in January, weeks before the pandemic was declared, indicating that other factors are at work in the resolution of those investigations.
Originally published by Euronews, 30 April 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.