U.K. push for GDPR reprimand transparency draws mixed reviews

The Information Commissioner’s Office (ICO) believes the move highlights the regulator’s pragmatism regarding GDPR enforcement and improves transparency.

The ICO’s director of investigations said in December the regulator would publish all reprimands from January 2022 onward, excluding cases involving national security and ongoing legal proceedings. In a speech at the National Association of Data Protection Officers conference in November, Information Commissioner John Edwards said he wanted “to have a predictable approach to enforcement,” where “regulating for outcomes, not outputs” was the main driver.

“The number or quantum of fines is not the measure of our success or failure, nor of our impact,” he said.

“Every regulatory action must be a lesson learned by the rest of the economy and play a role in behavior change,” Edwards continued. “… By publicizing and explaining our enforcement action(s), organizations won’t be able to rely on the ‘I didn’t know any better’ defense. Our approach to enforcement should not be a surprise, either to other organizations or to the public. Certainty breeds trust.”

The majority of the reprimands currently posted involve public-sector organizations, which Edwards admitted he was reluctant to fine because it creates a “money-go-round” of public money shifting between the Treasury and government departments.

Virgin Media was reprimanded in September for failing to properly deal with subject access requests quickly enough between July 2021 and April 2022. The ICO recommended the company provide additional staff to ensure future access request compliance.

“By publicizing and explaining our enforcement action(s), organizations won’t be able to rely on the ‘I didn’t know any better’ defense. Our approach to enforcement should not be a surprise, either to other organizations or to the public. Certainty breeds trust.”

U.K. Information Commissioner John Edwards

Other companies to receive reprimands were Allied Health Professionals, which was accused of accidentally making patient data available to other health providers without patients’ consent; Direct Clothing, where an online customer was allegedly defrauded after a hacker exploited a website vulnerability; and LGBTQ+ dating app Grindr over the way it allegedly failed to notify users personal data could be used by third parties for targeted advertising.

Legal experts shared mixed views toward the ICO’s approach.

Emily Carter, information law partner at law firm Kingsley Napley, said publishing reprimands “provides organizations with valuable insight into the areas of focus and concern for the ICO and the circumstances in which formal action will be taken.” The regulator’s action “is likely to encourage greater data protection compliance,” she said.

Eddie Powell, partner at law firm Fladgate, said such disclosure will help companies’ GDPR compliance in two ways:

• The more published decisions from the ICO relating to breaches, the easier it will be for companies to work out what they can and cannot do within the scope of the law.
• The “naming and shaming” effect of publicizing reprimands should encourage companies to devote sufficient resources to compliance to avoid negative publicity.

However, Powell also warned there is a danger the ICO could view issuing reprimands as a way “to quickly deal with complaints on a rough and ready basis.”

Becky White, senior data protection solicitor at law firm Harper James, said the ICO’s approach is “unfair.” Unlike monetary penalty notices or enforcement notices, there is no set process under the U.K. GDPR or the U.K. Data Protection Act 2018 governing how the regulator should investigate the facts surrounding the issuing of a reprimand or whether an organization can appeal.

“This could leave organizations in the undesirable position of having information regarding their alleged noncompliance made publicly available but without an obvious route to challenge it or make representations to the ICO,” said White. “It could also place them—potentially unfairly—on the backfoot during the litigation process, where claimants could use the reprimand as a foundation on which to start a claim for compensation.”

Abigail Healey, consultant at Quillon Law, questioned whether reprimands will have the desired deterrent effect.

“Many breaches are fact specific, whether to the organization, individuals involved, or technological processes,” she said. “Unless third parties actively dive into the detail of a particular reprimand, it is difficult to see how lessons will be learned at first blush.”

Healey warned organizations might be less inclined to self-report if there is a risk the potential GDPR breach and compliance failings will later be published. Instead, rather than let companies try to work out what they might be doing right or wrong, she said she believes the ICO “would be far better issuing general guidance on trends or developments arising out of the reprimands that need bringing to the attention of other organizations.”