The UK’s data protection regulator has, not surprisingly, continued to impose a significant number of fines for unsolicited marketing calls, emails and texts sent in breach of the Privacy and Electronic Communications Regulations (PECR). However, apart from these PECR fines and some fines for non-payment of the data protection registration fee, there were only 5 monetary penalty notices issued by the ICO in the year from April 2019 to March 2020, compared with 22 in the preceding year. Why might the numbers have gone down so much? Is this just a temporary blip, perhaps resulting from the introduction of the GDPR, or is there something more behind it? And what has happened to the swingeing penalties that the ICO announced, getting on for a year ago now, that it was intending to impose on British Airways and Marriott International?
What has happened to British Airways and Marriott?
Back in July 2019 the ICO announced its intention to fine BA and Marriott £183m and £99m, respectively, under the GDPR following security breaches. At the time, surprise was expressed by many about the size of the proposed fines, not just in terms of their impact on the businesses concerned, but also in terms of the precedent that they were setting for future UK fines under the GDPR. However, since last July everything has gone surprisingly quiet. Normally the ICO moves comparatively quickly from issuing a notice of intent to taking a final decision on any fine. Indeed, under the Data Protection Act 2018 it has to issue any fine within 6 months of its notice, although this period can be extended by agreement between the parties. Initially it was reported that for both companies the period had been extended to 31 March this year. Now it is being reported that there has been a further extension, presumably, but not necessarily, related to the Covid-19 coronavirus emergency. Before this, all the signs were already pointing to the ICO climbing down significantly from the very high level of fines proposed initially, if indeed the ICO was still intending to go ahead with imposing fines at all. Were this not the case, it would be hard to understand why the process from issuing the notices of intent onwards was taking such an extraordinarily long time and why the businesses concerned would have agreed to any extension.
Perhaps, though, the Covid-19 coronavirus emergency is playing into the ICO’s hands here. International airlines and hotel chains must be amongst those businesses most quickly and most dramatically suffering the adverse effects of the pandemic. Economic impact and affordability, which the ICO says in its newly published approach it will take into account before issuing fines, will be very different today from what they were only a matter of weeks ago for these businesses. It would be very easy now for the ICO to slash the proposed fines, or even suspend them altogether, on economic grounds. Indeed, it would appear perverse were the ICO to go ahead with fines at anything like the original level proposed given the current climate. Potentially this would avoid the ICO having to admit that it had got the proposed fines wrong in the first place and enable it to put any reduction down solely to the economic impact of the Covid-19 coronavirus. However, we must hope that when the ICO eventually proceeds it is open and clear about how it has calculated the level of any fines. Other businesses are watching closely and are entitled to an understanding of what penalties they are likely to face in similar circumstances. The ICO will need to live up to its commitment to transparency. This means that when it eventually concludes its deliberations it should set out very clearly what penalties, if any, would have been imposed on BA and Marriott in more normal times and how far those penalties have been reduced on the grounds of economic impact and affordability related to the current crisis.
What might be the prospects for other fines?
Whilst the ICO’s recently published regulatory approach refers to the level of any fines reducing as a consequence of the Covid-19 coronavirus emergency, it says nothing explicit about what might happen to the number of such fines. Presumably there is unlikely to be much change so far as the number of fines related to the sending of unsolicited electronic marketing messages is concerned, given the hard line that the ICO has consistently taken on PECR breaches. Indeed, even in the context of the Covid-19 coronavirus emergency, it is hard to see why, in many cases, there would be any justification for reducing either the number or the level of these fines, given that they are already capped at £500K and often result from deliberate or highly negligent breaches of the law. What about the other fines, though? Might the numbers fall even further, or could it be that there is a big backlog in the pipeline? It would be nice to think that the fall we have seen is the result of improvements in compliance and that this will be a continuing trend, but perhaps that would be overly optimistic. How far could it simply be a consequence of the introduction of the GDPR?
Although it is now nearly two years since the GDPR came into force, we have only seen one fine, that against Doorstep Dispensaree, imposed under its provisions to date. Of course there are the notices of intent issued to BA and Marriott, but around the time of announcing these notices in July last year, Elizabeth Denham said that we could expect “around another dozen or so over the summer period”. Where have they gone? Perhaps investigations under the GDPR are taking the ICO longer or are more complex than those under the Data Protection Act 1998, perhaps some of them are tied up in the one-stop-shop mechanism, or perhaps the ICO is struggling with setting the level of fines in the light of the ongoing uncertainty over BA and Marriott. However, it is hard to see that any, or even all, of these can provide a complete explanation.
The ICO will have continued to receive substantial numbers of complaints and breach notifications before the current emergency started. It would be surprising if there weren’t some significant non-compliance revealed amongst these. Not all of these cases will necessarily involve cross-border processing, require complex investigations or have the potential for multi-million pound fines. If the BA and Marriott cases could get to notices of intent within less than twelve months of the ICO being notified of the incidents behind them, then it is unclear why other cases, not necessarily as significant, should be taking so much longer. Perhaps more cases than previously have been concluded without the imposition of a fine, but it would seem odd if cases that would have attracted a fine under the former legislation are not now doing so under the GDPR. Maybe the ICO has been concentrating on big, headline-grabbing cases at the expense of the more routine, or maybe there will be a flood of cases that we have yet to hear about. Either way, if the ICO has been struggling to deliver the level of post-GDPR enforcement action that many of us were expecting to see, it certainly won’t have been helped by the ongoing coronavirus crisis.