What's the point?
Why have hard legislation if you can't fully enforce it?
The UK Information Commissioner's Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass. As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA's £ …
Give them £2M a year + 10% of all the fines they collect. Although for the first year, give them enough funding that they can extract the maximum fine from each company they go after.
I guarantee they will be far less willing to bend over for companies at that point...
I'd suggest some caution here. While I agree in principle that the ICO should benefit from the work it does enforcing the regulations, so that it can continue doing said work with decent funding, allocating them a percentage of fines levied does risk invoking the law of unintended consequences. Some examples:
1. Traffic enforcement officers incentivised to maximise revenue from fines will start issuing tickets for the smallest violations (e.g. right on a parking bay boundary) or exactly one minute after the penalty applies rather than allowing a short grace period.
2. A particularly egregious (and likely unusual) one involving a store detective who was incentivised to catch shoplifters. To increase their success rate they started slipping items into people's bags when they weren't looking, then "catching" them after the checkouts with said unpaid-for items. The person involved was caught by the police, but it goes to show incentives for desired behaviour risk undesirable consequences as the people involved work to maximise the incentive regardless of the wider cost.
The point here is the ICO is clearly underfunded compared to the work they need to do to enforce the regulations, and the potential revenue they can bring in from massive fines, but ensuring they are properly funded is a matter for HM Treasury to rectify. It's worth noting other enforcement agencies like the CPS and HMCTS are also underfunded compared to the work they have to do, so the ICO is not alone here. Giving them an incentive to directly benefit from the fines they levy risks them becoming overzealous, which then risks the ICO, and the wider concept of data protection, losing popular public support; and that would be to everyone's disadvantage!
Objectively you're right, of course, there's no denying that. All enforcement organizations end up abusing their powers in some way and must be reined in.
Unfortunately, there is also no denying that if the ICO is watering down its approach simply because the companies that it has in its sights have a bigger legal budget to play with, then 380k people are at risk of having been abused without recourse, and that is not fair either.
Why is it that we can't have an adaptive approach? Give the ICO a percentage on its fines to enable it to enact justice, and take said bonus away when it is no longer necessary.
I agree - the ICO should be kicking some serious arse and collecting every penny of the fines discussed in the story. Only when CEOs see massive holes in their company's P+L, and by extension their bonus, will information security be taken seriously (and hopefully by further extension IT budgets in general). It's quite reasonable that the proceeds of those fines help fund further enforcement. I'm not against that, but I am suggesting some caution regarding a direct link between enforcement and income that could lead to the system being gamed in some way that is detrimental to wider society.
It ought to be the aim of any regulator to do such a good job that it does itself out of a job. That's probably unlikely but we all know the stories of "If you don't spend it this year you won't get it next year" to realise that the budget won't be reduced, unless some Government minister decides it's in their interest to forcibly cut it.
This is the right debate to have on the topic of enforcement. My observation is that the ICO have become much more secretive and amenable to plea bargains at the expense of data subjects rights in the last few years. Think the ICO is going to right that data protection wrong? You probably don't know the ICO nowadays.
Aside from the fact that the ICO has become little more than a, ahem, data protection compliance protection racket ("just keep paying your data register fees okay?") I predict that GDPR compliance is about to go the way of tax compliance - offshored to extralegal entities beyond the reach of pesky regulators.
My evidence for this is the Danish toy maker, which, while registered with the ICO and claiming data protection compliance, actually moved its data controller to Denmark for UK customers (meaning that the ICO has no interest and the Danish regulator can claim the offence had been committed outside Denmark). This has been done with the full connivance of the ICO, to the detriment of data subjects' rights. As long as they keep paying their fees to the ICO, they escape UK justice for GDPR breaches.
Evidenced also by the highly questionable Israeli sales contact data mining company that claims compliance with GDPR but has no offices, employees or interests within the legal jurisdiction of GDPR. That, folks, is the future of GDPR compliance and the proverbial asteroid hurtling towards the pea-size brained Wirral data police.
So spare a thought for the ICO (and for that matter HMRC). They are dinosaurs in the Chicxulub basin, wondering how bright their futures might be. Very bright is the answer. Very very bright.
While we're still in the EU a company can register with any data protection registrar - though it should be where the largest portion of their business takes place. Once the UK leaves the EU, any companies trading in/with the UK will be subject to regulation by the ICO, and if external to the UK will have to register a representative in the UK. Similarly, any UK company trading in/with the EU will have to register a representative in an EU member state.
Your first example is literally enforcing the laws. One minute / small violations are still violations. Don't do it, you can't be fined.
Your second example is literally illegal.
Neither are good reasons for not funding a government enforcement agency looking after millions of citizens data properly.
But there is a big difference between literally enforcing the laws and enforcing justice. If someone intended to park legally/get back to the car in time but were unable to for whatever reason by a tiny amount, then it isn't in the public interest to punish someone in that case. If the intent or impact is criminal then indeed they should be punished. Society tends to agree with the view that law enforcement should have some discretion as it is far more efficient than having to get laws exactly perfect.
Having incentives that encourage the removal of common sense can have knock-on implications for society.
ICO have a mailing list; perhaps providing some information about the sloppy ways of BA and Marriott, and advice to avoid them, might be wise. Bullying bullies should always be fun.
I am on the ICO mailing list but have already noted that both outfits are to be avoided.
While the unintended consequences you point out are a risk, in each case the "staff" were incentivised to commit their crime directly (i.e. they could make a personal difference to their remuneration).
I don't think with something as fundamentally different as major fines for corporations issued by a body that there is the same opportunity for an individual in the ICO to "line their own pockets" in the same way as your Cop or Security Guard.
You need to trust the integrity of your staff to an extent, and have audit controls to monitor compliance.
With examples like that--having no grace period and always going for max fines, etc... I say great! At that point, we have laws being enforced equally, and can change the laws to reflect the way they should be dealt with, instead of writing massively draconian laws and penalties that may or may not be enforced.
On the counter argument.... if the Police gave a £££ share for Video footage of Vehicular Miscreants if convicted as a ‘bounty’ I could give up my day job.
25% of each and every £100 traffic violation fine??
Endemic bad driving would evaporate overnight as crowd-sourced enforcement takes over.
The problem is they will start looking at return on investment and soon realise the best thing to do is fine lots of little companies for technical violations - the ones who will probably just pay up with a simple lawyer's letter threatening a full investigation. That's far more efficient and low risk than going against big organisations with proper legal teams who might fight and win.
Pre-GDPR coming fully into force, the ICO stated prosecution/fines would be “impact related”.
Small violation - small fine/enforcement
Big violation (BA/Marriott grade) - large fine/enforcement/arse kicking
£2m is a piddling little legal budget and if not increased massively will lead companies to going GDPR... m’eh.
Underfunded regulators, perpetrators allowed to negotiate their penalties, and at least a few extraordinary decisions.
For example, I have an official ruling from the ICO that it's legitimate to conceal processing performed on the basis of Legitimate Interest. This is strange to me, as data subjects have a statutory right to object to processing on that basis. The ICO specifically nevertheless considers it "sufficient" for a data controller to provide "examples" of its processing on the basis of Legitimate Interest, which effectively means that the data controller can simply not mention some of such processing when a data subject exercises their right to be informed.
I may possibly have missed something obvious, but it's not clear to me how one can object to something one hasn't been told about. It therefore seems that the national regulatory body is advocating that data subjects be denied a statutory right.
They easily created the excellent GDPR without thinking it through how simple-minded and weak-willed countries could apply it, or their incorporation of it into their own law, when they light-mindedly wandered off to achieve Independence ( and no doubt FREEDOM! ) afterwards. A government of imbeciles cannot be expected to adequately fund anything, especially when it has a philosophical horror of government spending any money whatsoever...
Don’t think so. Enforcement is down to local countries and most of this is a refresh/clarify of existing legislation across the EU as a common framework.
Enforcement of measures against, say, murder depends on funding of local regulators. Not the EU's bag.
Weak and underfunded regulators do no-one any good long term. Governments/politicians need to stop creating new laws if existing ones are barely enforced. Will become worse than useless. Plague of wild enforcement of box-ticking of DBS in scope child protection ... whilst shit like Rotherham - and many others - proliferated.
Data, financial, hand-held mobile phones, child protection, environmental, emissions.
Just another one to concatenate to a very long list of ICO excuses...
"We lost your complaint".
"We are not adequately funded".
"We don't have any enforcement powers".
"We are not IT experts".
"It was only a technical offence".
"There was implied consent for this processing (the processing no one was informed about)".
"It was a small scale trial".
"The solicitor with the Rolls Royce and Surrey mansion house told us he has no money to pay a fine, so we let him off with a £1 fine".
"The GPRS doesn't apply so 5p per offence is the best we can do"
"We are going to fine the crooks! Unlimited cash! (but let's not rush into it eh? we have agreed to an extension so they can suggest a better excuse we can use)".
Taken from The Information Commissioner's Office web site (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/ico-issues-the-first-fines-to-organisations-that-have-not-paid-the-data-protection-fee/)
The fees you pay each year and the amount they fine you for not paying.
Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 Fine: £400
Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60 Fine: £600
Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900 Fine: £4,000
There is a £5 discount for payments by direct debit.
Looks wrong to me: for Tiers one and two the fine is 10 times the fee, but for Tier 3 it is not even twice the fee. I think massive companies pay a relatively small fee which, if they do not pay, gets them a relatively small fine, and now I know if they do something wrong they can get away without paying any fine. This does look rather anti-competitive!
If the ICO needs a slogan I think it should be
"Catching and fining the small while letting the big get away with it"
Biting the hand that feeds IT © 1998–2022