The UK Information Commissioner’s Office (“ICO”) published its 2018-19 Annual Report on July 9, 2019. This is the first Annual Report published by the ICO since the EU General Data Protection Regulation (“GDPR”) took effect on May 25, 2018.
The overwhelming impression from the Annual Report is that of an industrious data protection regulator that takes its obligations seriously. It is a regulatory agency that is creative, ambitious and proactive in discharging its statutory functions, and in pursuing its stated aim of upholding information rights for the UK public in the digital age. The ICO is cognizant of the challenges that lie ahead, and is readying itself to address them with new substantive initiatives, such as establishing an Executive Director for Technology Policy and Innovation (who is already scrutinizing the adtech sector); creating a regulatory sandbox to help ensure that new technologies address data protection; announcing a strategic focus on enabling controllers to implement accountability for GDPR compliance, making tools such as seals and certifications a reality; building international visibility and reputation; and significantly increasing its staff and budget.
Calls and Complaints
In a year that the ICO describes as “unprecedented,” the ICO conducted almost half a million conversations through its helpline, live chat and written advice service, a 66% increase from the previous year. Its website also saw a 58% increase in traffic and a 72% increase in individual users visiting the site. Its GDPR guidance alone received over 15 million views. Complaints from the public almost doubled, and the ICO announced that it would streamline its complaints process in order to manage this increased workload in the coming year. As with previous years, the most common complaints related to subject access requests, constituting 38% of the total.
The impact of this increased demand for the ICO’s services is reflected in the fact that its call answer rates dropped from 80% to 65%, and the average wait time for callers almost doubled. The ICO has already increased its workforce from 505 to more than 700 in order to tackle the increased demand for its services, and aims to have 825 full-time employees by 2020-21, making it by far the largest EU data protection authority.
As well as the increase in complaints relating to the GDPR, complaints under the Privacy and Electronic Communications Regulations (“PECR”) increased by almost 30,000. Reported concerns about cookies increased from 147 to 1,276, although the highest number of complaints related to telesales calls with recorded voices. In addition, a further 616,000 individuals registered with the Telephone Preference Service (“TPS”) (indicating that they do not consent to receive direct marketing calls). More than 52,000 complaints were received by the TPS during this period.
The ICO also saw a substantial increase in the communications it received from companies, including 13,840 personal data breach reports under the GDPR, a four-fold increase on the 3,311 received in 2017-18. The ICO noted that cybersecurity had been at the root of a number of these breach reports. Although it is clear that breaches have been over-reported in the UK, the ICO stated that “the significant increase in breach reporting demonstrates that organizations are taking the requirements of the GDPR and DPA 2018 [Data Protection Act 2018] seriously and it is encouraging that these breaches are being proactively reported to us.”
In 82% of reported breaches, the ICO determined that the organization in question had sufficient measures in place, or was taking appropriate steps to address the breach, such that the ICO was not required to take any action. In less than 1% of cases the ICO felt the need to go beyond providing recommendations or requiring some action from the controller, and in only 0.05% of cases was a monetary penalty issued.
2018 Penalties
For the year, the ICO imposed 22 fines under the Data Protection Act 2018, totaling £3 million. These included fines against Equifax, Facebook, Uber, the Crown Prosecution Service and Yahoo. Since the infringements in question took place before the GDPR came into force, the maximum fine for a single violation was £500,000. The Annual Report was written prior to announcement of the ICO’s proposed record fines against British Airways (£183 million) and Marriott International (£99 million) (on July 8 and July 9, 2019, respectively).
Fines were also levied for failure to pay the Data Protection Fee, which is required of controllers operating within the UK (or processing data about UK data subjects). The ICO issued 3,335 notices of intent to fine for non-payment and 227 penalty notices, 67 of which led to payment (totaling almost £100,000 in fees and penalties).
Upcoming Priorities
The ICO sets out its priorities for the year ahead in the Annual Report, including the delivery of four statutory codes of practice, as required under the DPA 2018. These focus on (1) age-appropriate design, (2) data sharing, (3) direct marketing, and (4) data protection and journalism, and are expected to be finalized in 2019. Courts and tribunals will be required to consider these codes when dealing with cases. The ICO is also in the process of developing guidance for the use of personal data in political campaigns, following its Democracy Disrupted? report, published in July 2018. The report included a number of recommendations designed to restore trust and confidence in the integrity of the election process, including the recommendation that the guidance developed by the ICO be given the same legal status as the other statutory codes.
The ICO recognizes the challenges that companies have faced over the past year, particularly small and medium-sized enterprises and sole traders, and noted that it is considering establishing a “one-stop-shop” for SMEs within the ICO. This would aim to provide assistance to SMEs who do not have dedicated in-house compliance teams.
Finally, the ICO recognizes that the digital economy is a global phenomenon, and it has devoted significant resources to building its relationships and influence outside the EU, including by participating in networks such as the International Conference of Data Protection and Privacy Commissioners (which Elizabeth Denham chairs), the International Conference of Information Commissioners, the Asia Pacific Privacy Authorities, the Common Thread Network and the Global Privacy Enforcement Network (GPEN). It also continues to work closely with the U.S. Federal Trade Commission.