The Information Commissioner’s Office (ICO) is the independent regulatory office in charge of upholding information rights in the interest of the public. The ICO has the power to take action against organizations that misuse personal data or fail to secure it properly. One of the ways the ICO can take action is by issuing monetary penalties or fines. But what exactly are the ICO’s fining powers and how are they applied in practice? This article will examine if and when the ICO can issue fines.
What are the ICO’s fining powers?
The ICO’s fining powers come from two main sources of legislation – the Data Protection Act 2018 (DPA 2018), which sets the penalty amounts for infringements of the UK GDPR and of the DPA 2018 itself, and the Privacy and Electronic Communications Regulations (PECR), which cover electronic marketing, cookies and related matters.
Fines under the DPA 2018
The DPA 2018 gives the ICO the power to issue fines for infringements of the UK GDPR and of the DPA 2018 itself. The UK GDPR defines which obligations fall into which band, and the DPA 2018 sets the maximum amount for each band. Under these provisions, the ICO can:
– Issue fines up to £8.7 million or 2% of global annual turnover, whichever is higher (the “standard maximum”), for infringements of controllers’ and processors’ obligations. These include failing to keep records of processing, failing to carry out a required data protection impact assessment, failing to notify a reportable breach within 72 hours, and failing to implement appropriate security measures.
– Issue fines up to £17.5 million or 4% of global annual turnover, whichever is higher (the “higher maximum”), for infringements of the basic principles for processing (including the conditions for valid consent), of data subjects’ rights, of the rules on international transfers, and for failing to comply with an order from the ICO. The band is determined by the type of obligation breached, not by the type of organization: it applies to private companies and public authorities alike. Both figures are caps; the actual amount is set by reference to the seriousness of the infringement, the organization’s turnover, and aggravating and mitigating factors.
– Impose fixed penalties on controllers that fail to pay the data protection fee. These follow the three fee tiers (Tier 1 £400, Tier 2 £600, Tier 3 £4,000), which are determined by the size and turnover of the organization rather than by the seriousness of any breach, and are separate from the penalty notices above.
Fines under PECR
The PECR give the ICO fining powers in relation to:
– Unsolicited marketing by phone, email, text, fax etc without consent. Fines can be up to £500,000.
– Nuisance calls. Fines can be up to £500,000.
– Cookies (and similar technologies) that don’t comply with regulations. Fines can be up to £500,000.
So in summary, the ICO has broad fining powers under the DPA 2018, the UK GDPR and PECR that equip it both to punish organizations for information rights breaches and to deter others from committing them. For serious contraventions the fines can run to millions of pounds.
When does the ICO issue fines?
The ICO does not issue fines for every breach that comes to its attention. According to the ICO’s own Regulatory Action Policy, it considers various factors when deciding whether to issue a fine, including:
Intent and negligence
The ICO will consider if the breach was intentional or the result of negligence. Intentional, negligent or reckless breaches are more likely to attract a fine.
Damage and distress
Breaches that cause substantial damage and distress, like exposing people’s information or denying them access to their data, are more likely to result in enforcement action.
Gain
Did the organization benefit or gain commercially from the breach in some way? Breaches motivated by financial gain are stronger candidates for fines.
Deterrent effect
The ICO can issue a fine if it would have a wider deterrent effect and remind other organizations to improve their compliance.
Previous issues
The ICO will consider previous regulatory action against the organization and whether formal action is appropriate to prevent further non-compliance.
Degree of cooperation
An organization’s degree of cooperation with the ICO’s investigation will factor into whether a fine is issued. Lack of cooperation can increase likelihood of sanctions.
Promptness of response
Did the organization act promptly to contain the breach, assess the risks, and mitigate any adverse effects following discovery? Slow, sloppy or non-existent responses count against organizations.
Wider public interest
The ICO has to consider the wider public interest and maintaining public confidence in information rights in deciding whether to issue fines.
So the ICO will essentially weigh up the severity of the breach against mitigating factors like cooperation and prompt remedial action. In cases where tough sanctions are needed to punish deliberate or reckless breaches, protect the public, and deter future non-compliance, the ICO has broad fining powers.
What types of breaches have resulted in ICO fines?
To understand how the ICO’s fining powers get applied in practice, it helps to look at some actual cases where organizations have been hit with major fines:
British Airways – £20 million
In October 2020, British Airways received a £20 million fine, then the largest the ICO had issued, after a 2018 data breach in which attackers compromised the personal and payment card details of around 400,000 customers. The ICO found that inadequate security measures had allowed the attackers to gain access and to remain undetected for some time. The penalty was substantially lower than the £183 million proposed in the ICO’s 2019 notice of intent, partly in light of the economic impact of the pandemic on the airline, but it was still intended to send a strong message about the need for robust security in the face of rising cyber threats.
Marriott International – £18.4 million
Also in October 2020, the hotel chain was fined £18.4 million over a breach of the Starwood guest reservation database, which Marriott had acquired in 2016. The compromise began in 2014 and went undetected until 2018, affecting around 339 million guest records worldwide. Again, the ICO found that security failings had enabled the incident. The substantial fine drove home the need for due diligence when acquiring systems and data, and for adequate controls when handling large volumes of people’s data.
Facebook – £500,000
In 2018, Facebook received the maximum possible fine under the Data Protection Act 1998 after the Cambridge Analytica scandal. Though small compared to ICO fines that followed, the episode highlighted the far-reaching privacy risks of social media platforms mishandling user data.
Doorstep Dispensaree – £275,000
Doorstep Dispensaree, a pharmacy that supplies medicines to care homes, received the UK’s first fine under the GDPR in December 2019. The ICO found roughly 500,000 documents containing patients’ names, addresses, dates of birth, NHS numbers, medical information and prescriptions stored in unlocked containers at the back of its premises, some of them water-damaged. The case shows that the ICO’s data protection fines are not limited to cyber incidents: failing to secure paper records engages the same powers. (The penalty was later reduced to £92,000 on appeal to the First-tier Tribunal.)
These and other major fines demonstrate that the ICO stands ready to deploy its sanctioning powers for contraventions ranging from security failings and data misuse to nuisance marketing and lack of transparency. When information rights abuses occur, firms should expect robust action.
How much are ICO fines actually totalling?
To grasp the full scale of ICO enforcement action, it helps to break down the totals for fines issued over recent years:
| Year | Total fines issued |
|---|---|
| 2018/19 | £3,001,500 |
| 2019/20 | £123,673,000 |
| 2020/21 | £21,957,500 |
| 2021/22 | £69,930,500 |
| 2022/23 (so far) | £7,890,500 |
A few things stand out:
– There was a massive spike in 2019/20 thanks mainly to the enormous British Airways and Marriott fines.
– But fines have remained high in general as tougher data protection laws enabled steeper penalties.
– Even the 2022/23 figure is likely to rise further through the year as investigations complete.
So after a quiet start, the ICO is now flexing its fining muscles robustly. And with entities like TikTok now facing scrutiny, 2022/23 may continue the trend. Overall, the growing fine totals underscore that the ICO has the tools and political backing to come down hard on information rights violators.
Conclusion
The ICO has wide-ranging powers under the Data Protection Act 2018, the UK GDPR and the Privacy and Electronic Communications Regulations to issue substantial fines for breaches of information rights laws. It can impose fines of up to £17.5 million or 4% of global annual turnover, with the amount set according to the severity of the breach, intent, damage caused and regulatory history. While the ICO does not fine every instance of non-compliance, it readily deploys its sanctioning powers for serious, deliberate or negligent episodes of data misuse, security failings, nuisance marketing or lack of transparency. With breach incidents and fine levels increasing, organizations must implement robust governance, security controls and compliance programs to avoid ICO penalties. Overall, the evidence shows that the ICO has both the mandate and the resolve to hand down major fines when warranted to punish and deter contraventions of information rights legislation.