Briefing: The ICO Isn’t Working and How Parliament Can Fix It
Parliamentary briefing on amendments to the Data Protection and Digital Information Bill for the House of Lords Committee Stage, March 2024. In this briefing:
- CLARIFYING THE STATUTORY OBJECTIVE OF THE INFORMATION COMMISSION
Amendment HoL31
- INTRODUCING SUFFICIENT ARM'S LENGTH FROM THE GOVERNMENT
Amendments HoL32, HoL33, HoL34, HoL51, HoL52, HoL54, HoL23, HoL67, HoL68, HoL70, HoL71, and Amendments HoL35 to HoL60
- PROTECTING THE INFORMATION COMMISSION FROM REVOLVING DOORS AND UNDUE CORPORATE INFLUENCE
Amendment HoL272
- PROTECTING THE RIGHT TO LODGE A COMPLAINT
Amendment HoL24 and Amendment HoL69
- INTRODUCING THE RIGHT TO LODGE A COLLECTIVE COMPLAINT
Amendment HoL63
- RETAINING THE BIOMETRICS AND SURVEILLANCE CAMERA COMMISSIONER
Amendment HoL64, Amendment HoL65 and Amendment HoL66
The ICO and the Data Protection and Digital Information Bill
The Information Commissioner’s Office (ICO) has a poor track record on enforcement. In 2021-22 it did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only four GDPR fines totalling just £633k,1 despite the fact that it received over 40,000 data subject complaints.2
Increased political pressure is casting doubt on the ability of the ICO to operate independently of government, and significant shortcomings have emerged in practice both in how the ICO handles complaints and in the mechanisms available to individuals to hold the ICO accountable for its regulatory action.
If Parliament does not take action, all these issues will be heightened by provisions in the Data Protection and Digital Information (DPDI) Bill. To avoid this outcome, the House of Lords must support amendments which will:
- clarify the statutory objective of the new Information Commission;
- place it at sufficient arm's length from the Government;
- protect the Information Commission from cronyism and undue corporate influence;
- allow effective judicial scrutiny of the new Information Commission's regulatory function;
- allow not-for-profit organisations to lodge representative complaints;
- retain the Office of the Biometrics and Surveillance Camera Commissioner.
The effective supervision and enforcement of data protection, and the investigation and detection of offenders, are crucial as a deterrent, to prevent violations, and to maintain transparency, control and options for redress against data misuse. Since Artificial Intelligence (AI) very often processes personal data, the ICO's regulatory function is also pivotal for reaping the benefits of AI while mitigating the risks for individuals, whether they are patients, residents, employees or customers. Parliament needs to ensure we have a strong, independent ICO that will stand up to corporations, organisations and government departments that misuse our data and breach our data rights. The case studies Open Rights Group has received show that these failures have harmful real-life consequences: they have left bereaved families, members of professional bodies and victims of the Post Office scandal without meaningful redress.
“I submitted a freedom of information (FOI) request and a subject access request (SAR) to a hospital trust in 2016 to try to get answers regarding my father’s safety, care and treatment. I also wanted to know about the factors that led up to his avoidable death after being admitted into hospital for abdominal pain and receiving a diagnosis of constipation in 2012. I got no response from the hospital on either request so I contacted the ICO.
“They eventually replied and agreed that the hospital had breached my data protection rights and informed me they were going to do an investigation into my complaint. This was in about 2019 but I still haven’t heard anything from them since about the outcome of the investigation or their actions against the hospital” – Julie James, Office Administrator.
Further, these changes would address concerns over the impact of the DPDI Bill on the UK adequacy decision. On 8 March 2024, the Chair of the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) Committee wrote to the European Commission to warn of the impact of the DPDI Bill on the independence of the ICO and, consequently, of the risk it poses to the UK adequacy decision.3 The withdrawal of the UK adequacy decision, which allows the free flow of personal data between the European Union and the UK, would cost UK businesses over £1.2bn in administrative costs alone,4 and would risk undermining important cooperation initiatives between the EU and the UK such as data sharing for research (Horizon), law enforcement (Prüm) or immigration control purposes (Frontex).
The letter is the latest warning from the EU. Members of the European Parliament have already raised widespread concerns about the DPDI Bill and its potential to undermine the objective and impartial functioning of the ICO through a written question,5 a report on the implementation of the EU-UK Trade and Cooperation Agreement,6 and in a previous letter sent by López Aguilar on behalf of the LIBE Committee.7 The Commission has answered both the written question8 and the LIBE letter,9 confirming that the risk of a revocation of the UK adequacy decision as a result of a lack of independence of the ICO is real. In addition, 28 civil society organisations and privacy experts wrote to the European Commission,10 asking it to revoke the adequacy decision if the DPDI Bill were to become law.
The Government have wrongly denied that the DPDI Bill poses a risk to the UK adequacy decision. Before sending the Bill to the House of Lords, John Whittingdale MP stated that the Government had listened “to concerns about the perceived impact of the approval powers on the independence of regulators”.11 However, the independence of the ICO remains front and centre, as López Aguilar’s letter demonstrates. Another MEP tabled a written question only weeks ago, raising concerns over the oversight gap that abolishing the Biometrics and Surveillance Camera Commissioner would introduce,12 and asking whether the Commission intends to revoke the UK adequacy decision.
The Government has failed to uphold integrity and due process, and has denied the House of Commons the chance to carry out proper legislative scrutiny of this Bill. On 29 November 2023, the House of Commons was pushed to debate and approve more than 150 pages of amendments, tabled only a few days before the debate. Members of Parliament were not given a fair chance to scrutinise the Bill effectively: indeed, some MPs admitted that they had no idea what they were voting for, but voted in favour anyway.13 This is the last straw for a Bill that was presented after a lop-sided consultation process14 and after the Government’s repeated failures to address the widespread concerns the Bill has raised15 since it was introduced. The Bill also lacked scrutiny from the Joint Committee on Human Rights, despite the significant impact it would have on the rights of British citizens and residents.
The House of Lords has an opportunity to intervene and address what the Government have negligently ignored by supporting the amendments set out in this briefing: the Bill needs radical changes and closer scrutiny than the House of Commons was afforded.
CLARIFYING THE STATUTORY OBJECTIVE OF THE INFORMATION COMMISSION
Amendment HoL31
Clause 31 (Duties of the Commissioner in carrying out functions) of the DPDI Bill introduces competing and ambiguous objectives which would pressure the ICO into weighing breaches of data protection law against other interests, and would reduce the clarity of the regulatory function of the new Information Commission.
Data protection enforcement in the UK is already limited.16 During the 2021-22 period, the ICO served no enforcement notices, secured no criminal prosecutions and issued just four GDPR fines, all of which concerned data security17 and which, after the Cabinet Office fine was reduced by agreement, came to a grand total of just £183k.18 During the Covid-19 pandemic, the ICO underperformed in its regulatory function when compared to other UK regulators, such as the Financial Conduct Authority (FCA), and to other European data protection authorities.19
Clause 31 also frustrates the growth duty in the Deregulation Act 2015: as the statutory guidance on the growth duty recognises, “Non-compliant activity […] also harms the interests of legitimate businesses that are working to comply with regulatory requirements, disrupting competition and acting as a disincentive to invest in compliance.”20 Regulatory enforcement should not be weighed against business interests; it should be strengthened to support law-abiding businesses facing unfair competition from free riders.
Amendment HoL31 would clarify the role and statutory objective of the Information Commissioner’s Office by removing unnecessary and potentially counterproductive objectives, and by transposing the relevant case law into the Data Protection Act 2018. This would state clearly in legislation that the ICO has a duty to investigate infringements and to ensure the diligent application of data protection rules.
If so amended, the new section 120A that the DPDI Bill would insert into the Data Protection Act 2018 would promote clarity and consistency in the ICO’s regulatory function. As the Institute for Government notes, “Clarity of roles and responsibilities is the most important factor for effectiveness” of arm’s-length bodies,21 such as the ICO.
INTRODUCING SUFFICIENT ARM'S LENGTH FROM THE GOVERNMENT
Amendments HoL32, HoL33, HoL34, HoL51, HoL52, HoL54, HoL23, HoL67, HoL68, HoL70, HoL71, and Amendments HoL35 to HoL60
The DPDI Bill would give the Secretary of State significant powers to interfere with the objective and impartial functioning of the new Information Commission, such as by appointing at their discretion the non-executive members of the newly formed Information Commission (Schedule 15 – The Information Commission), designating strategic priorities for the Commissioner (Clause 32 – Strategic priorities), and making recommendations on ICO codes of practice before they are submitted to Parliament for consideration (Clauses 33 – Codes of practice for processing personal data, 34 – Codes of practice: panel and impact assessment, and 35 – Codes of practice: Secretary of State’s recommendations).
The guarantee of the ICO’s independence is intended to ensure the effectiveness and reliability of its regulatory function, and that the monitoring and enforcement of data protection law are carried out objectively and free from partisan or extra-legal considerations. However, political pressure on the ICO has visibly increased over the years: in 2021, the Government framed the appointment of the new Information Commissioner as the first step in implementing its proposed reforms of the GDPR.22 In turn, a cross-party group of MPs accused the Government of seeking “an Information Commissioner whose policy views match its own, rather than a regulator that will seek to enforce the law as Parliament has written it”.23
Correlation does not prove causation, but the Commissioner appointed through that process has expressed views on the DPDI Bill that do indeed match those of the Government, despite widespread criticism from other arm’s-length bodies.24 Further, in September 2022, the ICO changed its “make a complaint” page to include a requirement, introduced by Clauses 44 (Complaints to controllers) and 45 (Power of the Commissioner to refuse to act on certain complaints) of the Bill, to complain directly to an organisation before escalating the complaint to the ICO.25 This suggests that the ICO may have started implementing the requirements of a Bill that Parliament has not yet enacted.
These amendments would limit the Secretary of State’s powers and leeway to interfere with the objective and impartial functioning of the new Information Commission, in particular by:
- removing clauses 32, 33, 34 and 35 of the Data Protection and Digital Information Bill; and
- modifying Schedule 15 of the DPDI Bill to transfer budget responsibility and the appointment process for the non-executive members of the Information Commission to the relevant Select Committee.
If so amended, the DPDI Bill would ensure that the new Information Commission is at sufficient arm’s length from the Government to oversee public and private bodies’ uses of personal data impartially and objectively.
PROTECTING THE INFORMATION COMMISSION FROM REVOLVING DOORS AND UNDUE CORPORATE INFLUENCE
Amendment HoL272
The issue of ‘revolving doors’, where public sector staff switch to the private sector, leaves organisations open to accusations of cronyism and corruption. The ICO seems particularly susceptible to this bad practice. For example, both the previous Commissioner and the previous Deputy Commissioner ‘switched sides’ and ended up working for industries they had supposedly investigated. In detail:
- In December 2021, days after her term as Information Commissioner ended, Elizabeth Denham joined Baker McKenzie,26 a law firm which advised Facebook on its appeal against the sanctions imposed by the UK Information Commissioner in the Cambridge Analytica investigation, arguably the most significant regulatory action she undertook as Commissioner.27
- In January 2022, six months after his term as Deputy Commissioner ended, Simon McDougall joined ZoomInfo as chief compliance officer.28 ZoomInfo is an online data broker that participates in the real-time bidding (RTB) data market. During his term as Deputy Commissioner, Simon McDougall was heavily involved in two major ICO investigations into RTB and data broking.
- The ICO investigations into RTB and data broking represent two of the most resounding enforcement failures of the ICO to date. An ICO update report found widespread non-compliance among RTB intermediaries in 2021,29 but, three years later, these infringements remain unpunished. Likewise, online data exchanges were excluded from the ICO’s data broking investigation,30 despite their being the focus of the regulatory complaint that prompted that investigation. The exclusion of online data broking also contributed to the ICO’s loss against Experian before the Information Tribunal.31
To tackle these worrying failures of the ICO to uphold the law and to meet acceptable standards of public life, Amendment HoL272 would preclude members of the new Information Commission from working, for a period of two years after leaving office, for the industries they regulated during their term. This would align the terms of tenure of members of the Information Commission with those of the California Privacy Protection Agency.
The ICO’s failure to uphold decent standards of public life will heighten the public’s fear of, and distrust in, the use of modern information technology systems to improve public service delivery. Given the ever-increasing importance of automated systems and digitalisation in the delivery of public services, strong and effective oversight is necessary to attain policy goals, mitigate risks, and avoid scandals that can lead to Government resignations, as happened with the childcare benefits algorithm scandal in the Netherlands.
PROTECTING THE RIGHT TO LODGE A COMPLAINT
Amendment HoL24 and Amendment HoL69
Clause 45 (Power of the Commissioner to refuse to act on certain complaints) of the DPDI Bill would insert a new section 165A into the Data Protection Act 2018, under which the Commissioner would have discretion to refuse to act on a complaint if the complainant has not first tried to resolve the infringement of their rights with the relevant organisation and allowed at least 45 days for it to respond. Likewise, Clause 36 (Vexatious or excessive requests made to the Commissioner) of the DPDI Bill would expand the Commissioner’s discretion to refuse to act on a “request” by lowering the threshold from “manifestly unfounded or excessive” to “vexatious or excessive”.
The right to an effective remedy is a core element of data protection: most individuals will not pursue cases before a court because of the lengthy, time-consuming and costly nature of judicial procedures. It also acts as a deterrent against data protection violations insofar as victims can obtain meaningful redress: administrative remedies (such as enforcement notices or fines) are particularly useful because they focus on addressing malpractice and obtaining meaningful changes in how personal data is handled in practice.
However, the ICO’s own figures show that in 2021-22 it did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only four GDPR fines totalling just £633k,32 despite the fact that it received over 40,000 data subject complaints.33 Moreover, avenues to challenge ICO inaction are extremely limited: the Information Tribunal’s scrutiny has been restricted to procedural rather than substantive matters,34 and it was narrowed even further by the Administrative Court decision which found that the ICO was not obliged to investigate each and every complaint.35
Amendment HoL24 and Amendment HoL69 would remove clauses 36 and 45 of the DPDI Bill: the ICO already enjoys a wide margin of discretion and little accountability for how it handles complaints. In light of its poor performance, it does not seem appropriate to expand the discretion of the new Information Commission even further.
Amendment HoL69 would also extend the scope of orders under section 166 of the Data Protection Act 2018 to the appropriateness of the Commissioner’s response to a complaint. This would allow individuals to seek judicial scrutiny of decisions that have a fundamental impact on how the law is enforced in practice, and would increase the overall accountability of the new Information Commission.
INTRODUCING THE RIGHT TO LODGE A COLLECTIVE COMPLAINT
Amendment HoL63
Individuals may be deterred from, or unwilling to, seek justice, exercise their rights and lodge data protection complaints on their own, whether for fear of retaliation from a powerful organisation or because of the stigma that may attach to the circumstances in which a data protection violation occurred. Independent supervisory authorities like the ICO can therefore play a decisive role in evening out power imbalances and ensuring meaningful redress. Likewise, civil society organisations have long helped complainants navigate the justice system in seeking remedies in the data protection area, providing a valuable complement to the enforcement of UK data protection law.
Amendment HoL63 would implement Article 80(2) of the UK GDPR, which allows public interest organisations to lodge representative complaints without the mandate of data subjects, in order to encourage the filing of well-argued, strategically important cases with the potential to significantly improve the position of data subjects as a whole.
RETAINING THE BIOMETRICS AND SURVEILLANCE CAMERA COMMISSIONER
Amendment HoL64, Amendment HoL65 and Amendment HoL66
The Bill abolishes the role of the Biometrics and Surveillance Camera Commissioner and the requirement for the government to publish a surveillance camera code of practice.
The Protection of Freedoms Act 2012 (PoFA) created both the Biometrics Commissioner (section 20) and the Surveillance Camera Commissioner (section 34). The biometrics oversight regime was the UK’s response to the European Court of Human Rights finding, in S and Marper v United Kingdom, that the indefinite retention of DNA and fingerprint data violated the right to private life; the retention of such data was challenged again in Gaughran v Chief Constable of Northern Ireland [2015] UKSC 29 and, subsequently, before the Strasbourg court.
The need for oversight of these sensitive practices remains. A recent report36 by the Centre for Research into Information, Surveillance and Privacy warns that “plans to abolish and not replace existing safeguards in this crucial area will leave the UK without proper oversight just when advances in artificial intelligence and other technologies mean they are needed more than ever.” Currently, the office is responsible for oversight of public space surveillance cameras and of police use of DNA and fingerprints in England and Wales.
Amendments HoL64, HoL65 and HoL66 would remove Clauses 147 (Oversight of retention and use of biometric material), 148 (Removal of provision for regulation of CCTV etc) and 149 (Oversight of biometrics databases) from the DPDI Bill, thus preventing the abolition of the Biometrics and Surveillance Camera Commissioner.
If you are interested in our work, contact:
Mariano delli Santi, Legal and Policy Officer: mariano@openrightsgroup.org
James Baker, Campaigns and Grassroots Activism Manager: james@openrightsgroup.org
Published by Open Rights Group. Open Rights Group is a non-profit company limited by guarantee, registered in England and Wales no. 05581537. The Society of Authors, 24 Bedford Row, London, WC1R 4EH. (CC BY-SA 3.0)
1 David Erdos, Towards Effective Supervisory Oversight? Analysing UK Regulatory Enforcement of Data Protection and Electronic Privacy Rights and the Government’s Statutory Reform Plans, at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284602
2 Information Commissioner, Annual Report and Financial Statements 2021-22 (2022), p. 42.
3 See IPOL-COM-LIBE D (2024) 7722, at: https://www.openrightsgroup.org/publications/8-march-2024-letter-to-commissioner-reynders-from-libe-committee-chair-dpdi-bill/
4 See The cost of data inadequacy at: https://neweconomics.org/2020/11/the-cost-of-data-inadequacy
5 See Question for written answer E-001790/2023 to the Commission, at: https://www.europarl.europa.eu/doceo/document/E-9-2023-001790_EN.html
6 See OPINION OF THE COMMITTEE ON CIVIL LIBERTIES, JUSTICE AND HOME AFFAIRS (10.10.2023) for the Committee on Foreign Affairs and the Committee on International Trade on the implementation report on the EU-UK Trade and Cooperation Agreement, at: https://www.europarl.europa.eu/doceo/document/A-9-2023-0331_EN.html#_section11
7 See IPOL-COM-LIBE D (2023) 21234, at: https://www.openrightsgroup.org/publications/13-june-2023-letter-to-reynders-from-lopez-aguilar-dpdi-bill/
8 See Answer given by Mr Reynders on behalf of the European Commission, at: https://www.europarl.europa.eu/doceo/document/E-9-2023-001790-ASW_EN.html
9 See Ares(2023)s706, at: https://www.openrightsgroup.org/publications/28-august-2023-reply-from-commissioner-reynders-to-libe-committee-chair-dpdi-bill/
10 See Open Letter to the EU Commission regarding UK’s data bill, at: https://peoplevsbig.tech/open-letter-to-the-eu-commission-regarding-uk-s-data-bill
11 See: https://hansard.parliament.uk/Commons/2023-11-29/debates/46EF0AA6-C729-4751-A3DA-6A3683EB8B87/DataProtectionAndDigitalInformationBill
12 See Question for written answer E-000591/2024/rev.1 to the Commission, at: https://www.europarl.europa.eu/doceo/document/E-9-2024-000591_EN.html
13 See MP Flick Drummond, as reported by Silkie Carlo, at: https://x.com/silkiecarlo/status/1731797160604176846?s=20
14 See Data Reform Bill consultation ‘rigged’ say civil rights groups, at: https://techmonitor.ai/policy/privacy-and-data-protection/data-reform-bill-consultation-dcms-nadine-dorries
15 See Open letter to Rt Hon Michelle Donelan MP, at: https://www.openrightsgroup.org/app/uploads/2023/03/DPDI-Bill-UK-civil-society-letter.pdf
16 See David Erdos, University of Cambridge, Towards Effective Supervisory Oversight? Analysing UK Regulatory Enforcement of Data Protection and Electronic Privacy Rights and the Government’s Statutory Reform Plans, at: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284602
17 Information Commissioner, Annual Report and Financial Statements 2021-22, pp. 32-33, at: https://ico.org.uk/media/about-the-ico/documents/4021039/ico-annual-report-2021-22.pdf
18 Information Commissioner’s Office, ICO and Cabinet Office reach agreement on New Year Honours data breach fine, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/11/ico-and-cabinet-office-reach-agreement-on-new-year-honours-data-breach-fine/
19 See Open Rights Group, Data privacy and the Information Commissioner’s Office during a crisis: Lessons learned from the Covid-19 pandemic, at: https://www.openrightsgroup.org/publications/data-privacy-and-the-information-commissioners-office-during-a-crisis-lessons-learned-from-the-covid-19-pandemic/
20 See Growth Duty Statutory Guidance, at: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/603743/growth-duty-statutory-guidance.pdf
21 See Institute for Government, Read before burning, p. 33, at: https://www.instituteforgovernment.org.uk/publication/read-burning-arms-length-bodies
22 See Financial Times, New approach to data is a great opportunity for the UK post-Brexit, at: https://www.ft.com/content/ac1cbaef-d8bf-49b4-b11d-1fcc96dde0e1
23 See Open Rights Group, Cross-party group of MPs warn Govt about unduly influencing Regulator’s appointment, at: https://www.openrightsgroup.org/press-releases/cross-party-group-of-mps-warn-govt-about-unduly-influencing-regulators-appointment/
24 See The National Data Guardian, at: https://committees.parliament.uk/writtenevidence/121615/pdf/
See also The Biometrics and Surveillance Camera Commissioner, at: https://bills.parliament.uk/publications/51173/documents/3425
See also The Scottish Biometrics and Surveillance Camera Commissioner, at: https://www.biometricscommissioner.scot/news/commissioner-reiterates-concerns-about-data-protection-and-digital-information-no-2-bill-to-scottish-mp-on-westminster-committee/
See also The Equality and Human Rights Commission, at: https://publications.parliament.uk/pa/cm5803/cmpublic/DataProtectionDigitalInformation/memo/DPDIB38.htm
25 https://webarchive.nationalarchives.gov.uk/ukgwa/20220911081202/https://ico.org.uk/make-a-complaint/data-protection-complaints/
26 https://www.reuters.com/legal/legalindustry/baker-mckenzie-lands-ex-uk-data-watchdog-leader-denham-2021-12-02/
27 https://ico.org.uk/action-weve-taken/investigation-into-data-analytics-for-political-purposes/
28 https://www.wsj.com/articles/zoominfo-adds-former-u-k-data-protection-regulator-as-compliance-chief-11642628328
29 https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906-dl191220.pdf
30 https://privacyinternational.org/frequently-asked-questions/4258/qa-uk-regulators-action-data-brokers
31 https://www.independent.co.uk/money/experian-very-pleased-with-outcome-of-appeal-against-ico-action-b2285770.html
32 Information Commissioner, Information Commissioner’s Annual Report and Financial Statements 2021-22, p. 41, at: https://ico.org.uk/media/about-the-ico/documents/4021039/ico-annual-report-2021-22.pdf
33 Ibid, p. 42.
34 See Leighton v Information Commissioner (No. 2) (2020)103, Scranage v IC (2020), Killock and Veale, EW and Coghlan (2021)
35 See Landmark Decision Handed Down on ICO’s Responsibilities in Handling Subject Access Requests, at: https://www.jdsupra.com/legalnews/landmark-decision-handed-down-on-ico-s-5683866/
36 See Gov.uk, Changes to the functions of the BSCC: independent report, at: https://www.gov.uk/government/publications/changes-to-the-functions-of-the-bscc-independent-report