Asress Adimi Gikay (PhD), Senior Lecture in AI, Disruptive
Innovation and Law (Brunel University London)
Photo credit: howtostartablogonline.net
In the online space, it is
perhaps difficult to find a more empty promise than “we
value your privacy.“ Businesses promise to preserve our data privacy
rights, but in reality, they have neither the carrot, nor enough sticks, to
make them respect data protection rules. This holds true even in the European
Union (EU), where the most comprehensive data protection legislation—the
General Data Protection Regulation (GDPR)— failed to satisfactorily
deliver on its promise to protect the fundamental rights of citizens. As businesses openly
flout data privacy laws, regulators either struggle to adequately
enforce the law or wilfully ignore infractions.
The UK’s data protection authority—
the Information Commissioner's Office (ICO)— has succumbed the most to its
ambition of promoting
innovation and economic growth while simultaneously protecting data
protection rights. Unfortunately, the drive to appeal to businesses has reduced
data privacy rights to mere buzzwords, not just in the business world but also
within the ICO itself.
As a result, the authority's
enforcement record defies the primary objective of protecting the public's data
privacy rights, displaying an unexplainable leniency towards corporations. I
argue that this indefensible record of the ICO’s underscores the authority’s
insistence on operating with failed enforcement policy.
The ICO’s enforcement track record—the numbers don’t lie
During the 2021-2022 fiscal year,
the ICO reported receiving
35,558 data privacy violation complaints. The complaints were diverse
including companies refusing to delete individuals’ personal data or processing
their data without consent. Sometimes, organizations infringed the individual’s
right to access their own personal data, contrary to what the data protection legislation
requires.
Similarly, in the 2022-2023
financial year, a total of
27,130 complaints were filed with the ICO, excluding data from the
most recent financial quarter, yet to be reported by the authority. Out of the
62,688 complaints filed over a span of two years, the authority levied only
59 monetary penalties. This means that only approximately 0.094% of the
complaints led to real consequences— organizations being sanctioned for
breaching data protection rules.
The ICO closed most of the
complaints alleging insufficient information to proceed with the complaints or
lack of evidence of infraction. It resolved numerous cases through discussions
with infringing companies. In such cases, the authority
recognises the presence of infringement
by the organization but does nothing concrete other than what it describes
as “informal action taken.”
Due to the ICO’s practice of not
disclosing comprehensive details about these cases, except for summaries that
serve more statistical purposes, the public tends to perceive the authority as prioritizing business
interests over safeguarding data privacy rights. Interestingly, this public
perception aligns with the available evidence.
The broader context
The enforcement of the GDPR has
been unsatisfactory across the EU, since the implementation of what has been
described as
a breakthrough law, that promised to
empower people in the digital world, through giving them more control on
their personal data. Even when applying a more forgiving standard, the ICO's
enforcement record remains unsatisfactory. Between 2018 and 2022, it levied
around
50 monetary penalties, while German and the Italian authorities imposed 606 and 228
penalties between 2018 and 2021.
The ICO is generally passive
compared to its European counterparts. In a notable case, the French authority,
Commission Nationale de l’Informatique et des Liberté (CNIL) fined Meta
and Google €60 million and €150 million respectively in 2021 for their
illegal use of cookies. Despite engaging in similar unlawful data collection
practices in the UK, the companies made changes to their cookie-based data
collection practices in the UK only while complying with the French ruling.
They faced no threat of sanction in the UK.
The ICO's consistently poor
enforcement record clearly undermines public confidence in the authority. In
its 2022 annual report, the authority itself acknowledged getting the
lowest score in complaint resolution in a 2021 customer survey it backed.
An independent review—Trustpilot—
rates the authority at 1.1 out of 5. This is based on self-initiated reviews
conducted by members of the public, some claiming that the ICO prioritizes
business interests rather than protecting privacy rights.
Unfit enforcement policy— corporate free pass
The lack of adequate data
protection law enforcement in the EU has been explained by resource
constraints. For example, a report
by the Dutch ombudsman highlighted that the relevant authority in the country
had 9,800 unresolved privacy complaints at the end of 2020. And according
to the Irish Council for Civil Liberties, “almost all (98%) major GDPR
cases referred to Ireland remain unresolved”— in part due to lack of budget and
sufficient specialist staff.
However, the ICO is considered to
be a relatively resourced
authority. It also has the ability to impose substantial fines that could
finance its operations. So, it is unlikely that resource constraints explain
its inadequate enforcement record. The ICO’s enforcement policy is largely
culpable.
The authority’s
risk-based approach prioritizes a softer approach to ensuring compliance,
reserving enforcement actions to violations that are likely to possess the
highest risk and harm to the public. Enforcement action includes requiring
an offending organization to end violations and comply with relevant rules
through
enforcement notice and issuing
penalty. The
ICO considers several factors in determining whether imposing a penalty is
appropriate, including the intentional or repeated nature of the breach, the
degree of harm to the public, and the number of people impacted.
In practice however, the
authority exercises discretion even in cases of intentional and repeat
violations impacting millions of people. For example, numerous companies
illegally collect consumers’ personal data using
cookies.
By tracking a user's browsing behavior,
third-party cookies, known as tracking cookies, usually gather information
that is enough to identify the person behind a device. Besides visits to
particular web pages, they can
record a person’s search queries, goods or services purchased, IP address
and location.
From this, it is possible to
infer a person's name, nationality, language, religion, sexual orientation,
health condition, and other intimate details – most of which are considered special categories of personal
data. These types of data cannot be processed without the
individual's explicit consent, unless limited exceptions apply. Whilst
these data could be used, for example for marketing
health products,
insurance companies could also use them to assess premiums, in a manner
unknown and detrimental to the interest of the individual.
To its credit, the ICO has fined
Easylife Ltd £1.35m which has later been reduced to
£250,000 for using personal data to profile medical conditions without
consent, to target individuals with health-related products. But the authority
does not seem to recognise that it takes a simple switch to transition from
inferring personal data from browsing behavior using cookies to profiling
health conditions.
Cookies-based unconsented data
collection is illegal and potentially poses a serious harm to the public, as
companies could process special categories of data in a detrimental manner.
Unfortunately, companies openly violate cookies-related legislations in the
UK with impunity.
The ICO also shows unwarranted
leniency towards tech companies repeatedly violating data protection rules. In
one fiscal year (2022/2023), the ICO found evidence of Google UK’s
potential infringement or infringement of the law more than
25 times, in separate complaints. But the authority claims to have
taken informal actions, essentially advising the company to do better work to
comply.
Google UK's infractions include
refusal or delaying to delete personal data upon request by individuals
exercising their right to be
forgotten. Meta Platform(formerly Facebook Inc.) received
20 compliance suggestions, after evidence of its infringement or potential
infringement has been found, while
Microsoft and Twitter each received the same soft compliance advices 8 times,
in the same year.
In all these cases, taxpayers go
through the stressful process of demonstrating that their data protection
rights were violated, providing evidence of infringement by big tech companies.
Yet the ICO consistently chose to be lenient to companies that obviously do not
mind being told repeatedly that their data protection practices are
non-compliant. The authority has essentially transformed itself into a legal
advisory office for tech companies, neglecting its role as an overseer.
Data protection law inherently
creates hurdles for individuals seeking compensation for privacy rights
violations. In 2021, the UK's highest
court ruled that without evidence of material damage or distress, mere loss
of control over personal data is not compensable under the GDPR. This
effectively forces individuals to wait for a recognized harm to occur due to
violation of their data privacy rather than preventing it. The ICO, which should
deter privacy violation, is unfortunately impotent as well.
The need for policy change
The ICO's enforcement policy
heavily relies on collaboration with regulated entities rather than utilizing
effective sanctions to deter repeat violations. This approach aims to support
the digital economy by avoiding excessive enforcement of data protection rights
and fostering data innovation. In theory, it should attract businesses to the
UK, create jobs, and stimulate economic growth. However, the policy is currently
being misapplied to serve the interest of big tech companies.
The companies repeatedly
violating data protection laws do not necessarily contribute to digital
innovation exclusively in the UK, while most of them are not strategically
positioned to provide job opportunities in the country. But the UK remains
their crucial consumer market. As such, sanctioning them is unlikely to change
their business decisions and behaviour. In the event of firm and measured
enforcement actions, these companies will be left with no choice but to adhere
to the rule of law, considering the market they operate in is one they cannot
afford to lose.
The ICO’s failure to effectively
enforce data privacy laws risks eroding public trust. It could also discourage
data innovation, as the public might refuse to provide data for research and
innovation, which could in turn negatively affect the digital economy.