Data protection enforcement has been put on hold in the UK, with the Information Commissioner’s Office (ICO) telling complainants their cases won’t be investigated during lockdown.
In April, the ICO said it would focus on the most serious cases during the pandemic and consider the impact of the wider situation on companies under investigation, but called for organisations to continue to report breaches as it was still operating. But in reality, observers claim, it has almost completely stopped operating.
In recent weeks, the ICO has been informing complainants that it isn’t taking forward any cases. That follows the watchdog delaying a major adtech investigation and suggesting fines may be reduced because of the pandemic – sparking a complaint from activists at the Open Rights Group (ORG), which has written to the ICO demanding clarification. “The strain on external organisations should be a factor in their policies, but it can’t be an overriding one – especially when a lot of the response to COVID is all about processing personal data,” says Jim Killock, executive director at ORG.
The ORG’s complaint was sparked by a letter sent by the ICO to a lawyer filing a data protection complaint, which suggested the watchdog had paused new investigations to avoid adding pressure to companies already struggling with the pandemic. “Unfortunately, I am not able to write to [the company in question] for further information about your complaint and their information rights practices, at present,” reads the letter from the ICO, seen by WIRED. “This is because, as you are aware, the coronavirus pandemic is putting unprecedented pressure on all organisations and a great many are either suspending activity or having to prioritise resources.”
The letter adds: “We have therefore decided not to take forward any complaints that require organisations to take action or respond to enquiries from us until the situation improves.”
That raises concerns, says Killock, that people will think they can “just ignore data protection in the short term because nobody’s looking”. Given the pandemic, it’s reasonable to prioritise cases and be flexible with companies, and the ICO’s own staff needs to work from home and stay safe. Enforcement shouldn’t entirely halt but be examined on a case-by-case basis, he says.
The ICO says that, despite the letter, it is still pursuing investigations. “Like many other regulators, we have issued a new regulatory approach that says we will take a pragmatic approach when conducting investigations during the pandemic, taking into account the particular impact of the crisis,” a spokesperson says.
The pandemic hasn’t only tripped up new cases, but also delayed major investigations that are already past due. In September 2018, a group of privacy advocates – including ORG, Johnny Ryan of browser company Brave, and Michael Veale of University College London – filed a complaint with the ICO against Google and IAB Europe regarding real-time bidding advertising technologies. That sparked a consultation, but as yet no enforcement action, though the ICO suggested in January that the industry should “prepare for the ICO to utilise its wider powers”.
On May 7, the ICO said it was pausing that work. “It is not our intention to put undue pressure on any industry at this time but our concerns about adtech remain and we aim to restart our work in the coming months, when the time is right,” it said in a statement.
While Killock does agree that companies may need more leeway during the outbreak, he says the ad tech industry shouldn’t be able to put off improving their behaviour. “It’s been such a long time for those companies to do something and to actually see change, they shouldn’t suddenly get a free pass,” he said. The ORG has said its lawyers will be writing to the ICO about the delay.
The ad tech consultation isn’t the only inquiry disrupted by the pandemic, as last week the resolution of two high-profile cases was pushed back until August. Marriott and British Airways were investigated by the ICO following significant hacking incidents that exposed the personal details of hundreds of millions of customers. In July 2019, the ICO ruled that each had breached data protection laws, saying it had the “intention to fine” Marriott £99 million and British Airways £183.4m. It has yet to actually issue the fines, pushing the final action to August, according to Mishcon de Reya’s data protection advisor Jon Baines.
That additional delay and potential reduction in fines could also be pinned on the pandemic. ICO head Elizabeth Denham reportedly suggested at a conference last week that fines will have to be assessed with the pandemic in mind, specifically mentioning an airline and a hotel chain as examples. “When it comes to an airline and a hotel chain that are both significantly hit with the results of the pandemic, there will have to be a reexamination of the financial case of each of those companies,” she said, according to a report by legal news service MLex cited by Baines.
A little leeway on fines may be justified. Rowenna Fielding, data protection lead at consultancy Protecture, suggests there’s other action that could be effective, including enforcement notices that force companies to make changes. “I think that the [ICO] backed itself into a corner when they announced these huge fines,” she says. “Now they’re having to walk that back, and no matter what they say about it at this point, people are going to interpret that as the ICO not being fit for purpose because that’s their experience in the past.”
The ICO’s reduced action during the outbreak comes alongside wider criticism that the watchdog isn’t enforcing GDPR. At the start of May The Telegraph reported that an American consultant had been brought in to consider the ICO’s powers, following a parliamentary inquiry last year calling for a review into whether the ICO has “the resources necessary to act as an effective regulator”. The ICO said that it was a planned, routine review.
And we need an effective privacy watchdog, even more so during the outbreak. The ICO has had plenty of work sparked by the pandemic, including an increase in scams and the government’s attempt to build a contact-tracing app. The ICO consulted on the initial plans for the app, but has said that doesn’t constitute approval.
Fielding says the contact-tracing app debacle suggests the ICO was working more as a consultant than a watchdog, giving advice that was ignored by NHSX as it built the app. “Denham stated publicly that decentralised architecture was better from a privacy point of view,” Fielding says. “And then when questioned in the parliamentary committee meeting why this line hadn’t been taken more robustly with NHSX, she didn’t really have much of an answer.”
However, the ICO has done well offering guidance and education to companies during the outbreak, in particular around how to manage health information with employees when they return to work, Fielding adds. The ICO says it will take strong action against anyone taking advantage of the current crisis, and has refocused its priorities “on the information rights issues that are likely to cause the most harm or distress to citizens and businesses,” according to a spokesperson.
But if the watchdog is seen as impotent or distracted, the concern is that companies may not bother following the law, especially if they believe there are no repercussions looming, says Fielding. And it could impact whether people take the time to file reports, like the complainant who received the letter from the ICO saying no action would be taken. “If people don’t have any faith the ICO will do anything, they won’t bother complaining to the ICO,” Fielding says. “There’s a sense that even if the ICO might be a bit of a threat under normal circumstances, now it’s just crawled into its burrow and shut the door.”