Jul 172015

ICO Bares Enforcement Teeth for Privacy Breaches

Geraldine Scali
, , ,

At the press conference for the launch of its Annual Report on 2 July, the UK Information Commissioner Christopher Graham highlighted the changing legislative landscape for the ICO’s regulatory powers against privacy breaches and put forward its proposals for the upcoming year.

Some of the most significant points made by the Commissioner include:

  • In March 2015, the ICO was granted the “long wished-for commencement of the offence of enforced subject access”. The new Section 56 of the UK Data Protection Ac makes it a criminal offence to pressure an individual into making a subject access request for their own personal data. Committing such an offence in England and Wales can now carry an unlimited fine. This new offence enables the ICO to prosecute, for example, organisations that carry out back-door criminal record checks on their employees.
  • The ICO found that in the past year there has been a 12% increase in reports about nuisance calls and texts. The ICO has issued civil monetary penalties totalling £386,000 for nuisance calls and texts. The amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 has made “the job of pinning civil monetary penalties on phone callers and text spammers” easier, by removing the requirement to prove substantial damage or distress before the ICO could issue a fine.
  • The ICO is pushing for the ability to make unannounced audits of certain public sector organisations and private companies.
  • The ICO is seeking more cooperation with other regulators, such as the Financial Conduct Authority, which have “more resources and power” than the ICO to punish financial companies for privacy breaches.

According to the Commissioner, the “enhanced powers granted to the ICO represent a vote of confidence in the organisation’s policing of data protection” and lead to the vision of the ICO as “the authoritative arbiter of information rights”.  It is clear that these changes would strengthen the ICO’s regulatory powers and enhance the ability of the ICO to build wider scopes of investigation, opening the doors to increased enforcement against privacy breaches in the UK.

Geraldine Scali

gscali@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.