Why stakeholders and consumers should welcome the ICO’s revised fining regime
This year, the Information Commissioner’s Office (ICO) announced its intention to bolster and streamline its fining practices. To do this, the ICO aims to build upon the guidelines set out in the Regulatory Action Policy by incorporating the proposed Data Protection Fining Guidance (DPFG).
The primary aims of the draft DPFG are to supply clarity on the powers available to the Commissioner when imposing fines, expand on the processes and procedures that the Commissioner must adhere to when deciding whether to issue a penalty, and to make the formula used to calculate fines more accessible.
Having reviewed the guidance published by the ICO, we broadly welcome the proposed changes and the clarity they bring.
The ICO’s approach to deciding the severity of an infringement appears balanced. It makes clear reference to the legislative powers afforded to the Commissioner and to the calculation process used to determine fine amounts, which the ICO will apply consistently when assessing each penalty.
One notable change outlined in the guidance is that maximum fine amounts will differ based on whether the controller or processor is an ‘undertaking’ (a subsidiary of a parent company).
- The standard maximum amount is £8.7 million or, in the case of an undertaking, the higher of £8.7 million or 2% of the undertaking’s total worldwide annual turnover in the preceding financial year.
- The higher maximum amount is £17.5 million or, in the case of an undertaking, the higher of £17.5 million or 4% of the undertaking’s total worldwide annual turnover in the preceding financial year.
The applicable statutory maximum amount is only calculated by reference to a percentage of turnover where an undertaking’s total worldwide annual turnover exceeds:
- £435 million in relation to the standard maximum amount (the 2% figure applies);
- £437.5 million in relation to the higher maximum amount (the 4% figure applies).
We believe that the proposed ‘undertaking’ concept will incentivise large corporations to adhere to regulatory standards across the entirety of their portfolio, as the risk of one subsidiary falling short would apply to all. This approach also addresses concerns from consumers that large companies have been able to offset penalties or receive lighter reprimands by sacrificing subsidiaries to minimise the impact of ICO rulings.
Additionally, the introduction of fixed-amount and turnover-based penalties will ensure that smaller organisations are not disproportionately affected by ICO fines, and that prospective stakeholders are not deterred from venturing into the UK markets by an overbearing regulator.
We expect legal professionals will appreciate the detailed and concise information about the regulatory apparatus that paved the way for the implementation of this measure.
Within the guidance, the ICO has clearly explained and supplied examples of the five-stage process it will follow when issuing standard and higher-level fines, and further expanded on its commitment to ensure that fines are effective, proportionate and dissuasive.
For standard and higher-level infringements, penalties will be calculated as a percentage of the relevant maximum fine according to the severity of the offence: 20–100% for serious infringements, 10–20% for medium-level offences, and 0–10% for lesser breaches. Because no pre-set ‘tariff’ is imposed for these categories, relevant stakeholders can be assured that each infringement will be assessed from a neutral starting point, with fines issued proportionately and only in instances of clear breaches.
We note that the ICO will still be bound by penalty restrictions per infringement. This is good news: without such limits, fines could deter growth and potentially foster an environment in which processors and controllers go to greater lengths to avoid disclosing instances of non-compliance.
Commenting on the proposed changes, Nick Richards CIPP/E CIPM FIP, data privacy expert and Data Protection Officer at KP Law, said: “I believe these changes will be broadly welcomed, though deciding whether to impose fines and if so at what level could still prove problematic in some cases, as some of the criteria will still be challenging to quantify. It will be difficult to accurately assess the potential ‘dissuasiveness’ of fines, particularly with large global corporates, and in many cases the use of turnover in calculating fines may not accurately reflect either the size of the organisation, their ability to pay, or indeed the dissuasive effect. There could also still be some issues when imposing enforcement on subsidiary companies where there may be some complexity around defining the relationship with the parent. Overall, however, the proposed process appears to be well considered.”
The ICO’s revised approach to investigating and, where necessary, reprimanding stakeholders who have accrued multiple infringements is another welcome change that should raise standards of compliance to the benefit of all. Furthermore, the Commissioner’s stance on considering other indicators of an organisation’s financial position, such as assets, funding or administrative budget, in cases where imposing turnover-based penalties would cause disproportionate harm will also be welcomed by businesses that could otherwise be forced to shut down for lack of non-essential financial resources.
By committing to assess the nature, gravity and duration of each infringement, along with the other criteria listed in the proposal, the ICO affirms its obligations and commitment to regulation for the benefit of data subjects. At the same time, its proportionate and balanced approach, and its commitment to assessing whether imposing penalties for infringements is effective, proportionate and dissuasive, will further contribute towards a constructive and transparent relationship between key stakeholders and the regulator.
In addition, by supplying clarity that allows organisations under investigation to better predict the scale of expected penalties, we predict that the changes will result in fewer appeals or, where an appeal is pursued, a more time-efficient and less costly process.
KP Law also welcomes Section 105 of the proposal. This expands on the Commissioner’s obligation under section 108 of the Deregulation Act 2015, which says that ‘the Commissioner will have regard to the desirability of promoting economic growth’.
In summary, we believe that the proposal successfully balances the need to hold stakeholders accountable with the need to avoid deterring compliance and engagement from the existing and potential entities that the ICO regulates. We encourage all efforts by the ICO to ensure that data protection standards are upheld and modernised, especially in the face of fluid technological and legal changes.