Out-Law News 2 min. read

Competition to offer privacy protections could help deflect regulatory action to other markets, says ICO

Companies operating in markets in which businesses can gain a competitive advantage from offering enhanced privacy protections to customers are less likely to be the subject of enforcement action over breaches of data protection laws, the Information Commissioner's Office (ICO) has said.

The UK's data protection watchdog has published a Data Protection Regulatory Action Policy that sets out the factors it will take into account when deciding whether to initiate regulatory action, such as the serving of enforcement notices or monetary penalties, for breaches of the Data Protection Act.

In it the ICO said that it will be selective about which breach cases to pursue regulatory action in and said that "market factors" could influence its decision whether to take up an investigation.

"Our approach will be driven by concerns about significant actual or potential detriment caused by non-compliance with data protection principles, the PECR (Privacy and Electronic Communications Regulations) or other relevant legal requirements," the ICO's Policy said. "The initial drivers will usually be: issues of general public concern (including those raised in the media); concerns that arise because of the novel or intrusive nature of particular activities; concerns raised with us in complaints that we receive; concerns that become apparent through our other activities."

"In setting priorities for regulatory action we will pay particular attention to the priority sectors or activities identified for particular regulatory attention in our information rights strategy," it said. "In selecting areas for attention we will bear in mind the extent to which market forces can themselves act as a regulator. Thus the public sector, particularly where processing is hidden from view, where individuals have little or no choice and where sensitive personal data are involved might well receive more attention from us than the private sector."

Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "It will be interesting to assess this approach in intervals over time to see what measurable improvements in privacy come about in the UK as a result of this policy."

Out-Law.com asked the ICO to elaborate on what it meant by 'market forces'. A spokesperson for the watchdog said: "If consumers demand effective privacy protection then providing such protection will bring competitive advantage to businesses and so market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene."

"There have been some recent examples of this, including Microsoft who have been trying to gain competitive advantage by presenting some of their products as more privacy friendly than rivals through their ‘Your privacy is our priority’ campaign," they added.

As well as promoting the privacy protections offered by its own systems and technology, Microsoft has undertaken a campaign against practices allegedly engaged in by Google. In a recent example, Microsoft claimed Google violates the privacy of users of its 'Gmail' email service "by reading every single word of every single email sent to and from Gmail accounts" in order to serve personalised adverts and further claimed that it was also using that personal data to spam users' inbox "with ads that look like real emails".

Under its existing information rights strategy, the ICO pledged to focus its regulatory attention on organisations operating in the health, credit and finance, criminal justice, internet and mobile services and security sectors.

In its new Regulatory Action Policy, the ICO also explained how "the number and nature" of any complaints it receives about breaches of the law can influence its decision on whether to pursue regulatory action.

However, it said that it would only pursue a case based on complaints if it would be proportionate to serve those responsible for breaches in those cases with a "monetary penalty, a sanction for a criminal breach or other formal action to bring about compliance" and providing such regulatory action was "reasonably achievable". This is unless "necessary improvement in practice" could otherwise be expected to be brought about by requiring organisations to participate in one of its data protection audits, the watchdog said.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.