Trend: Have the national data protection authorities in your country focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also as a result of pandemic-related home working, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The ICO has led the way in levying fines for breaches of the security provisions of the GDPR, namely failure to implement appropriate technical and organisational measures to keep personal data secure (Article 32) and non-compliance with the integrity and confidentiality principle (Article 5(1)(f)). There have been four such fines to date, ranging from EUR 320,000 to EUR 22,046,000.
The two highest fines were ordered against companies in the travel and leisure sector. However, in those cases enforcement action was brought in response to personal data breaches suffered by each of those companies, rather than the ICO specifically setting its sights on the industry. Travel companies process high volumes of personal data, including payment details and travel documents, which makes them an attractive target for malicious actors. The other two companies that received fines were a ticketing website that had been hacked and a supplier of medicines to customers and care homes that had failed to properly secure sensitive hard-copy records.
The ICO also takes a hard line on enforcing breaches of ePrivacy legislation against spammers and nuisance callers.
In addition, the regulator has also opened investigations into the adtech sector, as well as data brokers and credit reference agencies, and we are expecting more fines and other enforcement action to follow from those investigations.
Overall, what was the most significant fine in your country to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
The two heaviest GDPR fines on companies in the UK to date were those ordered against British Airways (EUR 22,046,000) and Marriott (EUR 20,450,000) in relation to personal data breaches suffered by each of those companies. In both cases the ICO found that inadequate security measures had left personal data vulnerable to attack by hackers. The ICO ultimately reduced the final fines issued to BA and Marriott substantially below the amounts originally proposed, in part in consideration of the fact that both companies had been particularly hard hit financially by the impact of the COVID pandemic on the travel industry.
There are currently also class actions pending against those companies from affected data subjects claiming compensation for losses suffered as a result of their information being compromised.
Organization of authorities and course of fine proceedings
How is the data protection authority organized in your country? In particular: What is the annual budget? What is the number of staff? Is the authority assigned to a specific ministry? If so, which one?
The ICO's budgeted income for the year 2020/21 was £61 million.
As at 31 March 2020, the ICO had 768 permanent staff (720.3 full time equivalents).
The ICO is an independent public body, but the Department for Digital, Culture, Media and Sport is the ICO's sponsoring department within Government.
How does a fine procedure work in your country? In particular: Can the authority itself impose fines? How does the procedure work (e.g. notification of the opening of proceedings (public/only towards company?), notification of the intention to impose a fine (public/only towards companies?), formal penalty notice)? What legal remedies are possible against an imposed fine?
The ICO has the power to issue fines itself. It will first issue a notice of intent to impose a fine and give the respondent an opportunity to make representations before any final penalty notice is issued. The ICO also has the power to issue a penalty notice where an information notice or an assessment notice has not been fully complied with.
There is a right of appeal against a penalty notice to the First-tier Tribunal (General Regulatory Chamber). From there, a decision can be appealed on a point of law to the Upper Tribunal, and then further to the Court of Appeal and ultimately to the Supreme Court.
In your country, does the data protection authority publish all imposed fines or other procedural steps (e.g. on its website)? Are the affected companies identifiable in such publication?
Most fines and other enforcement action by the ICO are published on the ICO website, with details of the organisations that the action was taken against being publicly available. However, the ICO has discretion not to publish such information, for example, where doing so would be likely to prejudice ongoing investigations.
When fines are imposed by the data protection authority: Where does the money go? (e.g. the state treasury, the authority's budget)?
When fines are imposed by the ICO, these go to Her Majesty’s Treasury.
To raise money to fund its activities, the ICO levies a data protection fee on controllers – this makes up around 85% to 90% of the ICO’s annual budget. The government also contributes grant-in-aid to fund the ICO’s regulation of various other laws.
Is there a common, official calculation methodology of fines in your country (such as the fining models in the Netherlands or Germany)?
The ICO has a fairly complex draft methodology for calculating fines in the UK. It is still being finalised, but it includes a 'nine-step approach' to calculating the penalty: a penalty starting point is set first and then adjusted to take into consideration factors such as the respondent's financial means and the economic impact of the fine.
Can public authorities be fined in your country? If yes: Where does this money go?
Yes, public authorities can be fined in the UK. The money from these fines goes into the Treasury's Consolidated Fund, from which it is distributed as part of wider government spending.
Other legal consequences of non-compliance
Does your country have model declaratory proceedings / class actions in data protection law, i.e. the possibility for several data subjects to join forces and take legal action together against the data controller?
Yes, class actions by groups of data subjects can be brought in the UK. The DPA 2018 currently allows representative bodies to act for data subjects only with their authority, i.e. on an opt-in basis. A few of these actions are in train at the moment, including against EasyJet, British Airways and Marriott, arising from the data breaches that those companies suffered.
There are also representative actions working their way through the courts, notably Lloyd v Google LLC, which concerns Google’s online tracking activities.
What is more relevant in your country: Fines from authorities or court proceedings such as claims for damages or injunctions? Is there a trend here for the coming years?
Both fines and other types of enforcement action from the ICO can be significant – for example, if a company is ordered to stop processing data that is key to its business, this can be just as, if not more, disruptive than a high fine.
It is also open to claimants to seek injunctive relief to protect their rights, such as interim injunctions, although this has not been common to date.
Court proceedings by data subjects for damages are a fairly recent trend but are likely to become more common, particularly for high-profile data breaches, as litigation funders and others look to leverage this opportunity where there is sufficient skin in the game.
Editorial deadline: 1st March 2021.