In the past 12 months, the Information Commissioner’s Office (ICO) has seen the way in which it has attempted to apply its enforcement powers substantially curtailed. There have now been two successful appeals against monetary penalty notices (MPNs) issued by the ICO. Last month, the decision in one of those appeals was upheld by the Upper Tribunal.
The other was in relation to a business called Tetrus Communications, which was fined £440,000 after sending millions of spam text messages.
In both cases, the Tribunal held that whilst there had been a serious breach of the law, the breach was not of a sort that was likely to cause substantial distress or substantial damage to data subjects. The substantial distress/damage test is one of the statutory requirements that must be met in order for the ICO to be able to impose an MPN.
In particular, in the Tetrus decision the Tribunal held that spam messages simply caused an irritation, and that the substantial distress/damage test could not be met simply by the sheer volume of spam messages being sent.
The ICO’s head of enforcement has now posted a blog explaining how the ICO is going to respond to these decisions in its day to day enforcement strategy.
Whilst the blogpost appears to be focussed on enforcement of the PECR (in particular action taken in relation to spam text messages), the subtle change in enforcement strategy is something that all data controllers should be aware of.
So what does this mean for data controllers?
In the medium to longer term, the ICO is lobbying Government to change the law, so that the test for issuing a monetary penalty notice is easier to satisfy. As the ICO says in the blogpost linked to above, “an unworkable law is a bad one.”
Why does the ICO think that the law is unworkable? Well, if they are correct, the SBC and Tetrus decisions mean that the monetary penalty regime does not give the ICO the powers that it originally craved, as in many cases it will be difficult or impossible to prove substantial distress or substantial damage, notwithstanding that a serious breach has occurred.
The Government has indicated that it will launch a consultation later this year on potential changes to the law. However, any change in the law will take time to work its way through the legislative process.
In the short term, we will see (and are already seeing) a change in tack from the ICO when it comes to enforcement.
Firstly, there has been an increase in the ICO’s use of enforcement notices. Enforcement notices (and the less formal undertaking) were the ICO’s primary enforcement mechanism prior to the monetary penalty notice regime coming into force.
Enforcement notices are notices that require a data controller to take (or avoid taking) certain action to rectify a breach, with a timescale for rectification. A failure to comply with an enforcement notice is a criminal offence. Crucially (from the ICO’s perspective), the test for issuing an enforcement notice is simply that there has been a contravention of the DPA that has caused damage or distress (not substantial damage or distress).
Ironically, the lack of teeth attached to an enforcement notice was one of the reasons that the ICO campaigned for the right to issue MPNs.
Following the Tribunal decisions in the SBC and Tetrus cases it appears that the ICO will now increasingly seek to impose (and publicise) enforcement notices, rather than risk a successful challenge to an MPN in a case where proving substantial damage or distress may be difficult.
Failure to notify
The ICO has also stated in the blogpost that it is going to be taking a more aggressive approach to failures by data controllers to properly register as a data controller under the Data Protection Act. It has prosecuted ten organisations in the last year alone for failing to notify.
Rather ironically, the concept of registration/notification is one of the things that will be abolished if and when the proposed new data protection regulation is finally approved.
In the meantime, however, it seems that the ICO will use this power as a first step in enforcement action where serious breaches have taken place and the organisation in question has failed to notify.
If your organisation is handling personal data and has not yet registered with the ICO then now is the time to do it.
On August 15, 2014