'Practical' ICO may not issue huge data breach fines

The ICO has called for a more 'practical' approach to data protection regulation in light of advancing technology, limited resources and the incoming EU General Data Protection Regulation - and this might result in more 'tellings off' and fewer fines.


Speaking at the European Conference of Data Protection Authorities in Manchester on Tuesday, Information Commissioner Christopher Graham talked at length about the challenge facing the ICO and other bodies, focusing specifically on their need to adapt to new legislation and ensure privacy for all users while technology changes are afoot.

“The digital revolution has implications for every aspect of our lives – as citizens, as consumers, as individuals. We communicate. We consume. We transact. And, unless we are very alert, we are also tracked. Shopping in the supermarket or online, our purchasing habits are recorded and analysed. We live in a world of Big Data and the Internet of Things,” said Graham.

“Governments too have gone digital, keen to find efficiencies in the delivery of joined up public services. And now there's the security dimension, with politicians claiming that public safety is an absolute right, while privacy is a right that may need to be qualified.”

This, said Graham, would force regulators like the ICO to ‘get practical’. “If we want to be effective doing what we do, we are going to have to learn to do some things differently,” he said at the time.

He added that the ‘digital revolution’ would mean that data protection authorities are “challenged to respond to the realities of what digital means, and to be able to continue to uphold the fundamental rights for which we stand”.

Adding to this complex picture was the view that “privacy has never been more threatened”, resulting in users demanding more on data protection (including control, transparency and security of their data), and for the DPAs governing them to be free from influence, visible, responsive to new technologies, and with enforcement measures if required.

EU General Data Protection Regulation

As a result, Graham called for international co-operation and for DPAs to be more visible (ICO's own research indicated only one percent would go to them for advice on their personal data), but appeared to suggest that the group won't be handing out huge fines anytime soon, despite the incoming EU General Data Protection Regulation potentially allowing for fines up to five percent of global turnover.

“It would be a mistake to believe that data protection authorities will be issuing huge fines left right and centre,” he said. “Fines can only follow investigation and often involve appeals. We have to follow due process which requires resources.”

Graham cited the ICO's £250,000 fines to Sony Computer Entertainment Europe in 2013; he questioned how, under GDPR, the ICO would have to work out the firm's global turnover, and said that the firm would be “much more likely to fight” over fines given the harsh penalties. 

“The availability of fines of up to two percent of global turnover (or five percent in the Parliament's text) is important. It makes the punishment fit the crime – and fit the perpetrator. But DPAs need the discretion to be able to focus on the biggest threats, not be forced to fine every case of non-compliance regardless of priorities. Again, selective to be effective. And effective it would be, because data controllers would know that it could be them.” 

Andrew Barratt, European MD of IT auditor Coalfire, told SCMagazineUK.com that practicality was important for any UK organisation operating under EU laws, but added that the UK could drive good practice and also facilitate co-operation across the EU as well as with the USA and other non-EU countries.

But he questioned how feasible it would be for the ICO. “The ICO is a principles-based organisation and has never really set standards that gave direction – in part because standards that do so already exist for very specific types of data.” 

“Trying to track the constantly moving IT and infosec landscape whilst also navigating EU legal frameworks is never going to be practical, it's going to be a long-term challenge. Hopefully we'll see more of what the ICO does do well, where it offers guidance on interpretation that can be aligned with more practical standards.”

He added that the ICO also “has a difficult task of juggling the rights of individuals' privacy concerns, with providing practical guidance to both business and the end-consumers”. 

“They've also had a history of arguably weak enforcement powers compared with other contractually enforced standards (such as PCI and ISO),” said Barratt, who added that ICO's privacy seal could also create compliance issues, potentially creating a cottage industry for ‘privacy consultants’.

Jon Baines, chairman of NADPO (National Association of Data Protection and Freedom of Information Officers), told SC that he was impressed in parts with Graham's talk, specifically on the practicality and big data, but questioned the ICO's ability – or even interest – in pushing fines.

“There is a risk of talking in platitudes, and while I'm all for practicality, for regulation to be effective it needs enforcement, and not just the threat of enforcement,” he said.

“Yes, monetary penalty notices have been served by the ICO, but mostly for old-fashioned data security cock-ups, often involving manual records. Very little enforcement has actually taken place in the digital landscape, [which] Chris Graham rightly identifies as one which ‘has implications for every aspect of our lives’.”

Baines added: “A lack of resources is clearly one thing holding effective enforcement in the digital arena back, but I sometimes fear there is a lack of will as well.”

“A joined-up approach between data protection authorities will be essential for future regulation, and Chris is right to highlight this, but lots of work lies ahead in trying to reconcile the very different legal and cultural approaches across Europe.”

The ICO hadn't responded to SC's request for comment at the time of writing.