ICO Bares Enforcement Teeth for Privacy Breaches

At the press conference for the launch of its Annual Report on 2 July, the UK Information Commissioner Christopher Graham highlighted the changing legislative landscape for the ICO’s regulatory powers against privacy breaches and put forward its proposals for the upcoming year.

Some of the most significant points made by the Commissioner include:

  • In March 2015, the ICO was granted the “long wished-for commencement of the offence of enforced subject access”. The new Section 56 of the UK Data Protection Ac makes it a criminal offence to pressure an individual into making a subject access request for their own personal data. Committing such an offence in England and Wales can now carry an unlimited fine. This new offence enables the ICO to prosecute, for example, organisations that carry out back-door criminal record checks on their employees.
  • The ICO found that in the past year there has been a 12% increase in reports about nuisance calls and texts. The ICO has issued civil monetary penalties totalling £386,000 for nuisance calls and texts. The amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 has made “the job of pinning civil monetary penalties on phone callers and text spammers” easier, by removing the requirement to prove substantial damage or distress before the ICO could issue a fine.
  • The ICO is pushing for the ability to make unannounced audits of certain public sector organisations and private companies.
  • The ICO is seeking more cooperation with other regulators, such as the Financial Conduct Authority, which have “more resources and power” than the ICO to punish financial companies for privacy breaches.

According to the Commissioner, the “enhanced powers granted to the ICO represent a vote of confidence in the organisation’s policing of data protection” and lead to the vision of the ICO as “the authoritative arbiter of information rights”.  It is clear that these changes would strengthen the ICO’s regulatory powers and enhance the ability of the ICO to build wider scopes of investigation, opening the doors to increased enforcement against privacy breaches in the UK.