
Out-Law News

ICO: expect fewer and lower fines as coronavirus bites


Organisations that would have faced regulatory fines for breaching UK data protection laws in normal times could be spared penalties altogether if they are experiencing difficulties as a result of the coronavirus pandemic, the Information Commissioner's Office (ICO) has said.

The UK regulator has outlined a revised regulatory approach that will apply for the duration of the coronavirus public health emergency. It affects the ICO's enforcement under several pieces of UK legislation, including data protection law, the e-privacy framework, and freedom of information (FOI) and environmental information laws. The ICO also acts as the regulator for UK cybersecurity rules applying to digital service providers.

The ICO said: "In deciding whether to take formal regulatory action, including issuing fines, we will take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis. We may give organisations longer than usual to rectify any breaches that predate the crisis, where the crisis impacts the organisation’s ability to take steps to put things right."

"All formal regulatory action in connection with outstanding information request backlogs will be suspended. As set out in the regulatory action policy, before issuing fines we take into account the economic impact and affordability. In current circumstances, this is likely to mean the level of fines reduce," it said.

Information law expert Michele Voznick of Pinsent Masons, the law firm behind Out-Law, said organisations across many sectors would welcome the announcement given the challenges they are currently facing, but she warned against compliance complacency and emphasised the importance of good record-keeping.

"While the message from the ICO may provide a level of comfort during the crisis, it does not permit an organisation to ignore its data protection or FOI obligations," Voznick said.

"The ICO indicates that where there may be a breach of obligations, or responses are not as timely as required, they are likely to be understanding and permit additional time to put things right. However, organisations may, in the future, have to demonstrate the impact the crisis has on their information/privacy functions, whether through a reduction, or diversion of, resources. Data protection officers and others with responsibility for compliance should keep records of specific instances affecting data or information rights to ensure that, as the crisis eases, there is a record of matters where there were delays or issues requiring action or improvement," Voznick said.

"Different sectors and businesses may be affected by this pandemic for different periods of time. One question outstanding is how the ICO will determine when the crisis is over for different businesses as part of its light touch regulatory approach," she said.

Cyber risk specialist Ian Birdsey, also of Pinsent Masons, said the ICO's revised regulatory approach has the potential to impact high-profile cases ongoing before the regulator, including penalties British Airways (BA) and Marriott could face following cyber incidents.

The ICO went public with its plans to fine BA £183 million, and Marriott £99.2m, last year after the companies disclosed the regulator's intentions to market regulators.

Birdsey said: "The ICO has yet to announce its finalised decisions in both the BA and Marriott cases. Prior to the coronavirus crisis the ICO had applied extensions to the timeframes for concluding its investigations, and it has since reportedly further extended the time limits involved in both cases. The earlier delays in concluding these cases can be attributed at least in part to the fact that both BA and Marriott have vigorously challenged the ICO's provisional findings, and because of the potential for the ICO to become bogged down in years of potential litigation on the cases, which could impact the bandwidth of its own internal legal resources as well as its external legal spend. There are also implications potentially for the ICO's reputation, including how it enforces cases under the GDPR, if the cases are appealed and those appeals are successful."

"The ICO may have already been planning to impose lower penalties on BA and Marriott than originally intimated, but the coronavirus crisis – and the particular impacts it is having on businesses in the airline and hospitality sectors – gives the ICO an opportunity to draw upon its revised regulatory action policy, take account of the financial challenges BA and Marriott are experiencing, and apply material reductions to the intended fines in a way which might reduce the risk of drawn-out appeals from the companies and of criticism from outsiders that it has softened its position," he said.

"A further factor in the BA case may be the optics of imposing a large fine on the airline in circumstances in which it may be the beneficiary of financial aid from the taxpayer," Birdsey said.
