Friday 14 July 2023

Is the UK data protection authority giving free pass to big tech giants?


Asress Adimi Gikay (PhD), Senior Lecturer in AI, Disruptive Innovation and Law (Brunel University London)


In the online space, it is perhaps difficult to find a more empty promise than “we value your privacy.” Businesses promise to preserve our data privacy rights, but in reality, they have neither the carrot, nor enough sticks, to make them respect data protection rules. This holds true even in the European Union (EU), where the most comprehensive data protection legislation—the General Data Protection Regulation (GDPR)—failed to satisfactorily deliver on its promise to protect the fundamental rights of citizens. As businesses openly flout data privacy laws, regulators either struggle to adequately enforce the law or wilfully ignore infractions.

The UK’s data protection authority— the Information Commissioner's Office (ICO)— has succumbed the most to its ambition of promoting innovation and economic growth while simultaneously protecting data protection rights. Unfortunately, the drive to appeal to businesses has reduced data privacy rights to mere buzzwords, not just in the business world but also within the ICO itself.

As a result, the authority's enforcement record defies the primary objective of protecting the public's data privacy rights, displaying an unexplainable leniency towards corporations. I argue that this indefensible record of the ICO’s underscores the authority’s insistence on operating with a failed enforcement policy.

The ICO’s enforcement track record—the numbers don’t lie

During the 2021-2022 fiscal year, the ICO reported receiving 35,558 data privacy violation complaints. The complaints were diverse, including companies refusing to delete individuals’ personal data or processing their data without consent. Sometimes, organizations infringed the individual’s right to access their own personal data, contrary to what the data protection legislation requires.

Similarly, in the 2022-2023 financial year, a total of 27,130 complaints were filed with the ICO, excluding data from the most recent financial quarter, yet to be reported by the authority. Out of the 62,688 complaints filed over a span of two years, the authority levied only 59 monetary penalties. This means that only approximately 0.094% of the complaints led to real consequences—organizations being sanctioned for breaching data protection rules.

The ICO closed most of the complaints, citing insufficient information to proceed or a lack of evidence of infraction. It resolved numerous cases through discussions with infringing companies. In such cases, the authority recognises the presence of infringement by the organization but does nothing concrete other than what it describes as “informal action taken.”

Due to the ICO’s practice of not disclosing comprehensive details about these cases, except for summaries that serve more statistical purposes, the public tends to perceive the authority as prioritizing business interests over safeguarding data privacy rights. Interestingly, this public perception aligns with the available evidence.

The broader context

The enforcement of the GDPR has been unsatisfactory across the EU since the implementation of what has been described as a breakthrough law that promised to empower people in the digital world by giving them more control over their personal data. Even when applying a more forgiving standard, the ICO's enforcement record remains unsatisfactory. Between 2018 and 2022, it levied around 50 monetary penalties, while the German and Italian authorities imposed 606 and 228 penalties between 2018 and 2021.

The ICO is generally passive compared to its European counterparts. In a notable case, the French authority, Commission Nationale de l’Informatique et des Libertés (CNIL), fined Meta and Google €60 million and €150 million respectively in 2021 for their illegal use of cookies. Despite engaging in similar unlawful data collection practices in the UK, the companies made changes to their cookie-based data collection practices in the UK only while complying with the French ruling. They faced no threat of sanction in the UK.

The ICO's consistently poor enforcement record clearly undermines public confidence in the authority. In its 2022 annual report, the authority itself acknowledged getting the lowest score in complaint resolution in a 2021 customer survey it backed. An independent review—Trustpilot— rates the authority at 1.1 out of 5. This is based on self-initiated reviews conducted by members of the public, some claiming that the ICO prioritizes business interests rather than protecting privacy rights.

Unfit enforcement policy— corporate free pass

The lack of adequate data protection law enforcement in the EU has been explained by resource constraints. For example, a report by the Dutch ombudsman highlighted that the relevant authority in the country had 9,800 unresolved privacy complaints at the end of 2020. And according to the Irish Council for Civil Liberties, “almost all (98%) major GDPR cases referred to Ireland remain unresolved”—in part due to lack of budget and sufficient specialist staff.

However, the ICO is considered to be a relatively well-resourced authority. It also has the ability to impose substantial fines that could finance its operations. So, it is unlikely that resource constraints explain its inadequate enforcement record. The ICO’s enforcement policy is largely culpable.

The authority’s risk-based approach prioritizes a softer approach to ensuring compliance, reserving enforcement actions for violations that are likely to pose the highest risk and harm to the public. Enforcement action includes requiring an offending organization to end violations and comply with relevant rules through an enforcement notice, and issuing a penalty. The ICO considers several factors in determining whether imposing a penalty is appropriate, including the intentional or repeated nature of the breach, the degree of harm to the public, and the number of people impacted.

In practice, however, the authority exercises discretion even in cases of intentional and repeat violations impacting millions of people. For example, numerous companies illegally collect consumers’ personal data using cookies.

By tracking a user's browsing behavior, third-party cookies, known as tracking cookies, usually gather information that is enough to identify the person behind a device. Besides visits to particular web pages, they can record a person’s search queries, goods or services purchased, IP address and location.

From this, it is possible to infer a person's name, nationality, language, religion, sexual orientation, health condition, and other intimate details – most of which are considered special categories of personal data. These types of data cannot be processed without the individual's explicit consent, unless limited exceptions apply. Whilst these data could be used, for example for marketing health products, insurance companies could also use them to assess premiums, in a manner unknown and detrimental to the interest of the individual.

To its credit, the ICO fined Easylife Ltd £1.35m, which was later reduced to £250,000, for using personal data to profile medical conditions without consent, to target individuals with health-related products. But the authority does not seem to recognise that it takes a simple switch to transition from inferring personal data from browsing behavior using cookies to profiling health conditions.

Cookie-based data collection without consent is illegal and potentially poses a serious harm to the public, as companies could process special categories of data in a detrimental manner. Unfortunately, companies openly violate cookie-related legislation in the UK with impunity.

The ICO also shows unwarranted leniency towards tech companies repeatedly violating data protection rules. In one fiscal year (2022/2023), the ICO found evidence of Google UK’s potential infringement or infringement of the law more than 25 times, in separate complaints. But the authority claims to have taken informal actions, essentially advising the company to do better work to comply.

Google UK's infractions include refusing or delaying to delete personal data upon request by individuals exercising their right to be forgotten. Meta Platforms (formerly Facebook Inc.) received 20 compliance suggestions after evidence of its infringement or potential infringement had been found, while Microsoft and Twitter each received the same soft compliance advice 8 times in the same year.

In all these cases, taxpayers go through the stressful process of demonstrating that their data protection rights were violated, providing evidence of infringement by big tech companies. Yet the ICO consistently chose to be lenient to companies that obviously do not mind being told repeatedly that their data protection practices are non-compliant. The authority has essentially transformed itself into a legal advisory office for tech companies, neglecting its role as an overseer.

Data protection law inherently creates hurdles for individuals seeking compensation for privacy rights violations. In 2021, the UK's highest court ruled that without evidence of material damage or distress, mere loss of control over personal data is not compensable under the GDPR. This effectively forces individuals to wait for a recognized harm to occur due to violation of their data privacy rather than preventing it. The ICO, which should deter privacy violation, is unfortunately impotent as well.

The need for policy change

The ICO's enforcement policy heavily relies on collaboration with regulated entities rather than utilizing effective sanctions to deter repeat violations. This approach aims to support the digital economy by avoiding excessive enforcement of data protection rights and fostering data innovation. In theory, it should attract businesses to the UK, create jobs, and stimulate economic growth. However, the policy is currently being misapplied to serve the interest of big tech companies.

The companies repeatedly violating data protection laws do not necessarily contribute to digital innovation exclusively in the UK, while most of them are not strategically positioned to provide job opportunities in the country. But the UK remains their crucial consumer market. As such, sanctioning them is unlikely to change their business decisions and behaviour. In the event of firm and measured enforcement actions, these companies will be left with no choice but to adhere to the rule of law, considering the market they operate in is one they cannot afford to lose.

The ICO’s failure to effectively enforce data privacy laws risks eroding public trust. It could also discourage data innovation, as the public might refuse to provide data for research and innovation, which could in turn negatively affect the digital economy. 

Tuesday 4 July 2023

EU cooperation on migration with third countries: Time to address the genealogy of informal agreements in EU migration law


Dr Céline Hocquet, Teaching Fellow, Birmingham Law School, University of Birmingham

Photo credit: Issam Barhoumi, via Wikimedia Commons 

As the EU makes yet another proposal to cooperate with a third country on containing migrants outside its territory, it is urgent to engage with a critical analysis of the EU externalisation policy and the use of informal cooperation informed by the historical, legal and political context underpinning the EU external migration and asylum policy.

From the EU-Turkey to the EU-Tunisia deal?

On 11th June, the EU and Tunisia issued a joint statement agreeing to work together on a comprehensive partnership package. This partnership would cover several cooperation areas, including economy, energy, and migration. More specifically, the EU and Tunisia declared ‘the fight against irregular migration’ and ‘the prevention of loss of life at sea’ as their ‘common priority’. As such, it addresses migrant smuggling and human trafficking and bolsters border controls and migrants’ registration and return. In exchange for Tunisia’s cooperation, the EU offers 100 million euros for border management, search and rescue, anti-smuggling and return operations in addition to a 1 billion euros investment plan for Tunisian economic development, including projects in the digital and energy sectors.

To those familiar with EU migration law and policy, this news will, no doubt, sound familiar.

Back in March 2016, the European Council published a press release following a meeting with representatives from the Turkish government. The EU-Turkey Statement – widely known as the EU-Turkey deal – traded the containment and return to Turkey of all irregular migrants arriving in Greece in exchange for 6 billion euros of EU funding.

At the time, arrivals of migrants to Europe crossing the Mediterranean Sea were characterised by the EU as a ‘crisis’. Emphasis was put on the exceptional nature of migration flows, the extraordinary numbers of migrants reaching European shores and the severe loss of lives during sea crossings. In this way, the situation faced by the EU and its member states was presented as critical and unprecedented. Its characterisation as a ‘crisis’, highly questioned by researchers, highlighted potential threats to the stability and security of the EU and/or its asylum system. Swift and exceptional measures were, therefore, necessary to put an end to the ‘crisis’ situation and its disruption. Such measures focused on further controlling irregular migration and EU external borders notably by externalising controls to third countries and third actors.

Having swiftly reduced migrant arrivals from Turkey to Greece, the EU-Turkey Statement was rapidly considered a blueprint for future EU migration and asylum policy developments. Despite criticisms raised against the precedent set by its informal nature and the threats caused to migrants and asylum seekers’ rights (see for instance on this blog here and here), similar non-binding and opaque partnerships, such as the 2017 Italy-Libya memorandum of understanding or the 2016 Afghanistan-EU Joint Way Forward, were signed between the EU or its member states and third countries to facilitate the return and/or containment of unwanted migrants.

Investigating the lineage of EU informal cooperation on migration

In my PhD thesis, I focus on this development, namely the EU’s increasing use of informal cooperation arrangements with third countries to control migration. More specifically, my research focused on investigating the implications of characterising the arrivals of migrants to Europe as a 'crisis' for the EU migration and asylum law system. Rather than focusing on informal cooperation developed as a result of the so-called ‘crisis’, I argue for the need to contextualise these developments within the EU migration and asylum law system as a whole. Only by doing so are we able to step away from crisis-driven considerations of emergency and security and understand the genealogy of the EU’s use of informal cooperation to externalise migration and border controls.

Using an iterative approach, I looked at the emergence and early development of the EU migration and asylum law system, especially some of its key measures. My analysis shows that informal cooperation such as the EU-Turkey Statement, the Afghanistan-EU Joint Way Forward, or the Italy-Libya Memorandum of Understanding, is far from being the result of unprecedented circumstances specific to 2015-2016 requiring swift and exceptional measures. Instead, they fit within the genealogy of the EU external migration and asylum policy. In my analysis, I identified a number of long-lasting tendencies that underpin the EU migration and asylum law system throughout its evolution. One of these tendencies is the use of informal and diversified cooperation frameworks and measures circumventing regular procedures and fundamental rights guarantees.

The legacy of the intergovernmental era

The emergence of a common approach to asylum and migration law at the then-EEC level shows the significant role of informal cooperation between member states. Indeed, well before the 2015 crisis, member states developed cooperation informally among themselves using intergovernmental cooperation. A particular example is the cooperation developed within the Trevi Group. An ad hoc group of interior ministers initiated by the 1975 European Council in Rome, the Trevi Group initially focused on member states’ cooperation regarding counter-terrorism before its scope expanded to asylum and immigration in the 1980s. This informal cooperation led to the adoption of several soft law measures in the field of immigration and asylum with long-lasting impacts on the common migration and asylum law system. The Dublin Convention and acts related to its implementation were, for instance, originally agreed upon as part of this ad hoc group before being incorporated into the acquis communautaire and formalised by Maastricht. Still, this shows how fundamental informal and opaque cooperation has been in shaping the common migration and asylum policy. The use of informal cooperation circumventing existing frameworks is not uncommon in the field of EU migration and asylum law. Informal cooperation agreements with third countries are therefore not the result of exceptional circumstances in 2015-2016. Rather, they fit within the legacy of the common migration and asylum policy and of how cooperation in these fields emerged in the first place.

Tampere and the comprehensive approach to migration

Although EU cooperation on migration with third countries initially focused on entering into formal EU readmission agreements, the use of informal and diversified tools is not recent. Back in 1999, the Tampere European Council called for a comprehensive approach to external migration policy. This meant diversifying external measures related to migration by using other tools of EU external action and by addressing ‘political, human rights and development issues’ in third countries as means to reduce immigration to the EU. Signed on 23 June 2000, the Cotonou Agreement is considered the first example of the diversification of EU externalised migration and border controls. This agreement was primarily focused on EU development cooperation with African, Caribbean and Pacific states. Yet it also included readmission clauses to facilitate the return of migrants irregularly staying in the EU. It corresponds to the widening of EU migration-related cooperation to other aspects of external action. The allocation of 6 billion euros of funding in exchange for Turkey’s cooperation on migration containment is therefore not a practice unique to the crisis context at the time of the EU-Turkey deal.

The EU’s Global Approach to Migration and Mobility and political agreements

Following the adoption of the Global Approach to Migration and Mobility (GAMM) in 2011, the EU introduced a new tool to develop its cooperation with third countries on migration: mobility partnerships. These political agreements are non-binding and aim at providing ‘tailor-made’ partnerships addressing shared concerns between the EU and its partner. They provide significant flexibility in terms of how to conduct the cooperation and the areas covered and contain few guarantees for fundamental rights. Therefore, although informal and opaque cooperation with third countries circumventing human rights and ordinary procedures was presented as a shift in the EU external migration policy justified by the 2015 crisis, my findings suggest otherwise. The EU’s use of non-binding and flexible tools to develop cooperation on migration and border controls with third countries pre-dated the crisis. The adoption of such informal agreements from 2015 onwards, therefore, constitutes a continuation of pre-existing practices.


This brief overview shows the significance of genealogy when analysing developments in the field of EU migration and asylum law. Crisis-focused analyses of these developments only provide a limited understanding as they ignore the underpinnings and historical, political, and social contexts in which these arrangements operate. Contrastingly, contextualising informal cooperation with third countries (such as the EU-Turkey deal or the emerging negotiations between the EU and Tunisia) within the broader evolution of the EU migration and asylum policy enables us to distance ourselves from the crisis or exceptional circumstances used to justify such measures. In doing so, it reveals that far from being policy innovation driven by emergency and security considerations, informal arrangements and diversified tools to externalise EU migration and border controls are a long-lasting legacy of earlier developments in the EU migration and asylum policy.