ICO has long been pushing for the power to lock up non-compliant data controllers. This seemed about to happen under the Criminal Justice and Immigration Bill, but when the Bill finally became law, was this the end result? Phil Lee investigates.
Who: The Information Commissioner
When: 8 May 2008
Where: UK
Law stated as at: 15 May 2008
What happened:
The long-awaited (and much debated) Criminal Justice and Immigration Bill (the "Bill") finally received Royal Assent on 8 May this year, promoting it to the status of the Criminal Justice and Immigration Act 2008 (the "Act").
The Bill had been a hot topic in data protection circles because early drafts had proposed the introduction of a new criminal offence for data controllers who knowingly or recklessly disclose personal data in breach of data protection law. However, these proposals were dropped at later readings, following extensive lobbying by, amongst others, the media industry who expressed concerns about the proposal's impact on journalistic freedom and freedom of speech.
The end result is that, whilst increased enforcement powers have found their way into the Act, they have done so only in greatly watered-down form. Rather than introducing a criminal offence of knowingly or recklessly disclosing personal data, the Act simply gives ICO the power to impose a "monetary penalty" on data controllers who fail to comply with the data protection principles set out in Schedule 1 to the Data Protection Act 1998. This sounds harsh in principle, but its effectiveness is significantly limited by the facts that:
- ICO can only impose the penalty where the breach was of a kind likely to cause substantial damage or substantial distress; and
- ICO can only pursue a data controller if it: (i) deliberately committed the breach; or (ii) knew or ought to have known about the breach, that it would cause substantial damage or substantial distress and failed to take steps to prevent it.
These limitations will greatly limit ICO's powers to pursue misbehaving data controllers by subjecting it to an evidential burden that may, in practice, provide difficult to overcome ("Why yes, I suppose our breach did cause distress. But it didn't cause 'substantial' distress, did it? And anyway, what do you mean by 'substantial'"?).
Further, whilst ICO can determine the level of the monetary penalty it wishes to impose, the penalty must not exceed a "prescribed amount" to be set out in future regulations; ICO will therefore not have the ability to impose unlimited fines. The level at which this prescribed amount is set will clearly be crucial – setting the threshold too low may simply lead to disreputable data controllers accepting commercial risk and continuing to knowingly or recklessly breach data protection law; setting it too high may serve as a deterrent to establishing data processing operations in the UK.
ICO's power to impose fines will come into force at a date to be specified.
Why this matters:
Notwithstanding the manner in which the original proposals were watered down, the new power to impose fines afforded to ICO does give it the ability in certain cases to take quicker, more direct enforcement action against non-compliant data controllers.
Advertisers and marketing agencies run the risk of incurring ICO's wrath if they do not undertake their marketing campaigns in a data protection compliant way (e.g. collecting all necessary consents, making proper disclosures, respecting opt outs etc.). This risk will be relatively easy to manage for those targeting their own customer lists.
Bought-in list risks
However, the risk of ICO enforcement may be greater under these new measures when buying-in third party list rental data. Advertisers who do not exercise proper due diligence over list rental data could be exposed to risk if marketing rights do not exist in the data they have acquired. Appropriate due diligence measures might include, for example, only purchasing data from a reputable supplier, checking that the supplier has proper legal authority (e.g. consents) to supply the data, and cleansing the data against preference service suppression lists etc. Without performing this due diligence, it could be said that the advertiser or marketing agency "ought to have known" of its data protection breaches – exposing it to a possible fine from the Information Commissioner.
That said, the nature of the diluted powers given to ICO means that although there can be no certainties here, it will probably focus its energies on significant, high profile data protection breaches where there is little doubt as to whether "substantial" harm has been caused. ICO is unlikely to want to commit resource or money to pursuing data protection breaches where there is a risk that any fine it imposes could be subject to challenge and, possibly, overturned.