2010 looks set to be the year of the privacy regulator, with eye-watering data protection fines, audits, assessment notices and even prison sentences for “blagging offences” all supposedly coming into effect in or around April 2010. Phil Lee reports.
Who: Information Commissioner's Office
When: April 2010?
Law stated as at: 16 December 2009
We've been predicting it will happen for some time, but it now looks like the Information Commissioner's Office ("ICO") is finally going to get the substantial enforcement powers it sorely needs around April 2010.
And what a suite of enforcement powers they are set to be! Here is a summary of the enforcement risks that non-compliant data controllers will in future face:
• Jail time for blaggers:
The Ministry of Justice ("MoJ") launched a consultation in October 2009 (available here) on increasing the criminal penalties available to the courts against persons who knowingly or recklessly misuse personal data within the meaning of s.55 Data Protection Act 1998 ("DPA"). s.55 criminalises the so-called "blagging offence", where a person procures personal information from a data controller by deception (e.g. customer account details from a bank); persons convicted of this offence currently face only a court-imposed fine.
The MoJ now proposes to introduce jail sentences of up to 2 years for breach of s.55 (under powers introduced by the Criminal Justice and Immigration Act 2008 ("CIJA")) – the first time that a DPA offence will attract a prison term. However, this proposal has been met with stiff resistance from the media sector, which claims that it could stifle journalistic investigation and freedom of expression. To address this concern, the CIJA provides a defence for anyone acting in the pursuit of journalistic, artistic or literary purposes and with the reasonable belief that the obtaining or disclosure of personal information is in the public interest.
The MoJ has indicated that these sanctions will come into effect in April 2010.
• Fines for data protection breaches:
Hot on the heels of this consultation, the MoJ launched a further consultation in November 2009 concerning data protection fines (available here). On receiving Royal Assent in 2008, the CIJA introduced a new s.55A into the DPA that allows ICO to serve a "monetary penalty notice" (in English: a fine) on data controllers who deliberately or recklessly commit a serious data protection breach which is likely to cause substantial damage or distress.
ICO is awaiting enabling legislation to bring this power into force, and must also publish guidance on how it intends to exercise its powers to impose fines. Before it introduces enabling legislation, however, the government needs to decide the level of fines ICO should be able to impose – and this is the purpose of this consultation.
There had been rumours that the MoJ was considering introducing a fining regime similar to that operated by the Financial Services Authority, with the possibility that ICO could impose substantial fines of up to 10% of turnover. However, the MoJ has not been quite that bold and instead proposes a maximum fine of £500,000 – still a fairly hefty whack – and, in relation to small companies only, goes on to say that "we consider it desirable that the maximum amount of the penalty should not be higher than the equivalent of 10% of the highest annual turnover" (i.e. small companies face maximum fines equivalent to the lesser of £500,000 or 10% of their annual turnover).
The expectation is, again, that this power will come into effect in April 2010.
• Mandatory data protection audits:
Arguably the greatest surprise, though, is the news that ICO will have the ability to conduct mandatory audits of private sector companies. This power is introduced by the Coroners and Justice Act 2009 ("CJA"), which received Royal Assent on 12 November. Early drafts of this legislation sought only to give ICO the ability to conduct mandatory audits of public sector bodies and government agencies; its extension to the private sector was the result of successful lobbying on the part of ICO.
Of course, ICO does already have audit rights under s.51(7) of the DPA. The difference is that s.51(7) states that ICO may only audit a data controller with its consent. The new power introduced by the CJA will now enable ICO to conduct mandatory audits of businesses, with or without their consent.
The CJA provides that ICO can audit businesses of "a description designated for the purpose of this section" (s.173 CJA, inserting new s.41A into the DPA). The businesses will likely be designated by industry sector by the Secretary of State following recommendations by ICO and will first require consultation with the affected industry sector.
There's no word yet on when these designations are likely to be made. However, with enhanced criminal sanctions and data protection fines likely to come into effect from April, could mandatory audits also be on the table by then?
Why this matters:
ICO has been decrying its lack of real enforcement teeth for some time now and the previous Information Commissioner, Richard Thomas, worked wonders to bring data protection enforcement onto the government agenda (helped by the government too, of course – odds are these powers would never have seen the light of day were it not for several high profile and embarrassing government data losses). Now it seems that, at long last, ICO is going to get the powers it has been looking for – and with them, a chance to finally flex its enforcement muscle.
So what does this mean for advertisers? Now is really the time to go back and revisit your compliance policies and procedures. Look at how you collect your customers' and employees' information, what you do with it, and who you share it with. Complaints from disgruntled customers and employees may previously have resulted in a slap on the wrist from ICO and some negative PR. Now, however, they may result in audits, hefty fines and, potentially, jail time. Don’t leave it too late – now is the time to get your shop in order!