UK watchdog ICO complains about limited powers

The Information Commissioner's Office (ICO) has once again hit out at its limited powers, but might get more resources and money when new EU data protection laws go live.

ICO wants more power as privacy complaints hit record levels
ICO wants more power as privacy complaints hit record levels

In a blog post published on the ICO website on Tuesday, ICO's head of enforcement Stephen Eckersley detailed how the watchdog is playing catch-up.

“Sometimes the simplest statements are the strongest: to be an effective regulator the ICO needs effective powers.”

Eckersley's post was specifically relating to the number of complaints the ICO deals with on nuisance calls and text messages. He wrote that the group had received 120,000 concerns on unsolicited calls and 30,000 regarding texts in the last year, and added that the laws are not adequate for keeping up with the deluge of spammers.

He cited one example where the ICO handed out its ‘highest civil monetary penalty', of £440,000, to Christopher Niebel and Gary McNeish (owners of marketing company Tetrus Telecoms) in November 2012 only for the fine to be overturned at a later date due to their actions causing 'insufficient damage and distress' under the Privacy and Electronic Communications Regulations (PECR).

Eckersley continued that the ICO is looking to lower the legal threshold it has to prove before issuing a fine – something that could be cleared up after government consultation later this year – and added that the body continues to work with existing powers and liaise with regulators and mobile phone operators to understand what personal data is collected, traded and used by organisations under PECR.

The body has also prosecuted 10 organisations and individuals over last year under the Data Protection Act, because they haven't register with ICO to confirm they are processing personal data.

This news comes shortly after Information Commissioner Christopher Graham bemoaned the watchdog's limited powers and fines  - and the fact that it's spending has been cut every year since 2009 – in its annual report, which also revealed that it reported a record number of complaints in the last year.

The ICO issued £1.97 million in penalties to companies found to have breached data protection laws, and saw 15,492 complaints – a 10 percent year-on-year rise.

A spokesperson told SC at the time: “Funding cuts to our freedom of information work have been consistent over the last five years, but our workload is going up and we're at the point now where it's going to have some impact on the level of service we're able to provide.”

The ICO's workload could go up substantially in 2015, if the proposed EU General Data Protection Regulation finally sees the light of day. The new law – which is still subject to European Council approval – will stipulate data breach fines of up to 5 percent of global turnover, and demand that data breaches are reported within 72 hours. It will also mean that companies don't have to pay a notification fee.

The ICO spokesperson further explained: “The European Directive is set to remove the notification fee that organisations have to pay under the Data Protection Act. Essentially there's going to be a £20 million hole in our funds and we need some way of being assured that that hole isn't just going to lead to our office shutting down.”

But privacy lawyer Stewart Room played down the recent complaints being made by the ICO, saying that it was part of the reform for data protection in the UK.

“The ICO regularly calls for an increase of new powers, and for new penalties,” Room told SCMagazineUK.com today. “It's part of the cycle of data protection law reform.”

As examples, he said that while the group now cites email and telephone spam as one of the biggest problems, it has previously pointed to auditing in healthcare, and serving information notices during the downturn of the UK economy during 2007/08. “This is what regulators do…its part of their job.”

He added that their wishes “will likely be granted” if  and when the EU General Data Protection Regulation gets the green-light.

Page 1 of 2