What's the point?
Why have hard legislation if you can't fully enforce it.
The UK Information Commissioner's Office has kicked £280m in data breach fines against British Airways and US hotel chain Marriott into the long grass. As spotted by City law firm Mishcon de Reya, the ICO has extended the time before it will fine the two companies what it claimed would be a total of £282m, split between BA's £ …
Give them £2M a year + 10% of all the fines they collect. Although for the first year, give them enough funding that they can extract the maximum fine from each company they go after.
I guarantee they will be far less willing to bend over for companies at that point...
I'd suggest some caution here. While I agree in principle that the ICO should benefit from the work it does enforcing the regulations, so that it can continue doing said work with decent funding, allocating them a percentage of fines levied does risk invoking the law of unintended consequences. Some examples:
1. Traffic enforcement officers incentivised to maximise revenue from fines will start issuing tickets for the smallest violations (e.g. right on a parking bay boundary) or exactly one minute after the penalty applies rather than allowing a short grace period.
2. A particularly egregious (and likely unusual one) involving a store detective that was incentivised to catch shop lifters. To increase their success rate they started slipping items into people's bags when they weren't looking, then "catching" them after the checkouts with said unpaid for items. The person involved was caught by the police but it goes to show incentives for desired behaviour risk undesirable consequences as the people involved work to maximise the incentive regardless of the wider cost.
The point here is the ICO is clearly underfunded compared to the work they need to do to enforce the regulations, and the potential revenue they can bring in from massive fines, but ensuring they are properly funded is a matter for HM Treasury to rectify. It's worth noting other enforcement agencies like the CPS, and HMCTS are also underfunded compared to the work they have to do so the ICO is not alone here. Giving them an incentive to directly benefit from the fines they levy risks them becoming over zealous which then risks the ICO, and the wider concept of data protection, losing popular public support; and that would be to everyone's disadvantage!
Objectively you're right, of course, there's no denying that. All enforcement organizations end up abusing their powers in some way and must be reigned in.
Unfortunately, there is also no denying that if the ICO is watering down its approach simply because the companies that it has in its sights have a bigger legal budget to play with, then 380k people are at risk of having been abused without recourse, and that is not fair either.
Why is it that we can't have an adaptive approach ? Give the ICO a percentage on its fines to enable it to enact justice, and take said bonus away when it is no longer necessary.
I agree - the ICO should be kicking some serious arse and collecting every penny of the fines discussed in the story. Only when CEOs see massive holes in their company's P+L, and by extension their bonus, will information security be taken seriously (and hopefully by further extension IT budgets in general). It's quite reasonable that the proceeds of those fines help fund further enforcement. I'm not against that, but I am suggesting some caution regarding a direct link between enforcement and income that could lead to the system being gamed in some way that is detrimental to wider society.
It ought to be the aim of any regulator to do such a good job that it does itself out of a job. That's probably unlikely but we all know the stories of "If you don't spend it this year you won't get it next year" to realise that the budget won't be reduced, unless some Government minister decides it's in their interest to forcibly cut it.
This is the right debate to have on the topic of enforcement. My observation is that the ICO have become much more secretive and amenable to plea bargains at the expense of data subjects rights in the last few years. Think the ICO is going to right that data protection wrong? You probably don't know the ICO nowadays.
Aside from the fact that the ICO has become little more than a ahem, data protection compliance protection racket ("just keep paying your data register fees okay?") I predict that GDPR compliance is about to go the way of tax compliance - offshored to extralegal entities beyond the reach of pesky regulators.
My evidence for this is the Danish toy maker, while registered with the ICO and claiming data protection compliance actually moved it's data controller to Denmark for UK customers (meaning that the ICO has no interest and the Danish regulator can claim the offence had been committed outside Denmark). This has been done with the full connivance of the ICO, to the detriment of data subjects rights. As long as they keep paying their fees to the ICO, they UK escape justice for GDPR breaches.
Evidenced also by the highly questionable Israeli sales contact data mining company that claims compliance with GDPR but has no offices, employees or interests within the legal jurisdiction of GDPR. That folks is the future of GDPR compliance and the proverbial asteroid hurtling towards the pea-size brained Wirral data police.
So spare a thought for the ICO (and for that matter HMRC). They are dinosaurs in the Chixuclub basin, wondering how bright their futures might be. Very bright is the answer. Very very bright.
While we're still in the EU a company can register with any data protection registrar - though it should be where the largest portion of where they business takes place. Once the UK leaves the EU, any companies trading in/with the UK will be subject to regulation by the ICO, and if external to the UK will have to register a representative in the UK. Similarly, any UK company trading in/with the EU will have to register a representative in an EU member state.
Your first example is literally enforcing the laws. One minute / small violations are still violations. Don't do it, you can't be fined.
Your second example is literally illegal.
Neither are good reasons for not funding a government enforcement agency looking after millions of citizens data properly.
But there is a big difference between literally enforcing the laws and enforcing justice. If someone intended to park legally/get back to the car in time but were unable to for whatever reason by a tiny amount, then it isn't in the public interest to punish someone in that case. If the intent or impact is criminal then indeed they should be punished. Society tends to agree with the view that law enforcement should have some discretion as it is far more efficient than having to get laws exactly perfect.
Having incentives that encourage the removal of common sense can have known on implications for society.
ICO have a mailing list, perhaps some providing information about the sloppy ways of BA and that Marriott, and advice to avoid might be wise. Bullying bullies should always be fun.
I am on the ICO mailing list but have already noted that both outfits are to be avoided.
While the unintended consequences you point out are a risk, in each case the "staff" were incentivised to commit their crime directly (i.e. they could make a personal difference to their remuneration).
I don't think with something as fundamentally different as major fines for corporations issued by a body that there is the same opportunity for an individual in the ICO to "line their own pockets" in the same way as your Cop or Security Guard.
You need to trust the integrity of your staff to an extent, and have audit controls to monitor compliance.
With examples like that--having no grace period and always going for max fines, etc... I say great! At that point, we have laws being enforced equally, and can change the laws to reflect the way they should be dealt with, instead of writing massively draconian laws and penalties that may or may not be enforced.
In case that doesn't seem egregious enough, this is a worse example of why it is a problem: Donald_P._Scott
On the counter argument.... if the Police gave a £££ share for Video footage of Vehicular Miscreants if convicted as a ‘bounty’ I could give up my day job.
25% of each and every £100 traffic violation fine ??
Endemic bad driving would evaporate overnight as crowd-sourced enforcement takes over.
The problem is they will start looking at return on investment and soon realise the best thing to do is fine lots of little companies for technical violations - the ones who will probably just pay up with a simple lawyers letter threatening a full investigation. That's for more efficient and low risk than going against big organisations with proper legal teams who might fight and win.
Pre-GDPR coming fully into force, the ICO stated prosecution/fines would be “impact related”.
Small violation - small fine/enforcement
Big Violation (BA/Marriot grade) - large fine/enforcement/arse kicking
£2m is a piddling little legal budget and if not increased massively will lead companies to going GDPR... m’eh.
Underfunded regulators, perpetrators allowed to negotiate their penalties, and at least a few extraordinary decisions.
For example, I have an official ruling from the ICO that it's legitimate to conceal processing performed on the basis of Legitimate Interest. This is strange to me, as data subjects have a statutory right to object to processing on that basis. The ICO specifically nevertheless considers it "sufficient" for a data controller to provide "examples" of its processing on the basis of Legitimate Interest, which effectively means that the data controller can simply not mention some of such processing when a data subject exercises their right to be informed.
I may possibly have missed something obvious, but it's not clear to me how one can object to something one hasn't been told about. It therefore seems that the national regulatory body is advocating that data subjects be denied a statutory right.
They easily created the excellent GDPR without thinking it through how simple-minded and weak-willed countries could apply it, or their incorporation of it into their own law, when they light-mindedly wandered off to achieve Independence ( and no doubt FREEDOM! ) afterwards. A government of imbeciles cannot be expected to adequately fund anything, especially when it has a philosophical horror of government spending any money whatsoever...
Don’t think so. Enforcement is down to local countries and most of this is a refresh/clarify of existing legislation across the EU as a common framework.
Enforcement of measures against say murder depends on funding of local regulators. Not yhe EU’s bag.
Weak and underfunded regulators does no-one any good long term. Governments/politicians need to stop creating new laws if existing ones barely enforced. Will become worse than useless. Plague of wild enforcement of Box-ticking of DBS in scope child protection ... whilst shit like Rotherham - and many others - proliferated.
Data, financial, hand-held mobile phones, child protection. environmental, emissions.
Just another one to concatenate to a very long list of ICO excuses...
"We lost your complaint".
"We are not adequately funded".
"We don't have any enforcement powers".
"We are not IT experts".
"It was only a technical offence".
"There was implied consent for this processing (the processing no one was informed about)".
"It was a small scale trial".
"The solicitor with the Rolls Royce and Surrey mansion house told us he has no money to pay a fine, so we let him off with a £1 fine".
"The GPRS doesn't apply so 5p per offence is the best we can do"
Now
"We are going to fine the crooks! Unlimited cash! (but lets not rush into it eh? we have agreed to an extension so they can suggest a better excuse we can use)".
Taken from The Information Commissioner's Office web site (https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/11/ico-issues-the-first-fines-to-organisations-that-have-not-paid-the-data-protection-fee/)
The fees you pay each year and the amount they fine you for not paying.
Tier 1 – micro organisations. Maximum turnover of £632,000 or no more than ten members of staff. Fee: £40 Fine: £400
Tier 2 – SMEs. Maximum turnover of £36 million or no more than 250 members of staff. Fee: £60 Fine: £600
Tier 3 – large organisations. Those not meeting the criteria of Tiers 1 or 2. Fee: £2,900. Fine £4,000
There is a £5 discount for payments by direct debit.
Looks wrong to me for Tier one and two the fine is 10 times the fee but Tier 3 it is not even twice the fee. I think massive companies pay a relatively small fee which if they do not pay get a relatively small fine and now I know if they do something wrong they can get away without paying any fine. This does look rather anti-competitive!
If the ICO needs a slogan I think it should be
"Catch and fining the small while letting the big get away with it"