UK data watchdog having a hard time making GDPR fines stick: Marriott scores another extension, BA prepares to pay 11% of £183m penalty threat British Airways expects the fine for its 2018 credit card data leak to be just 10.8 per cent of the £183m proposed by the UK data watchdog – while US hotel chain Marriott has both halved and kicked its own data blunder punishment into the long grass once again, The Register can reveal. Marriott has secured an extension for …
In order to continue the pretense that the gov actually wants GDPR enforced - while ensuring funding and will for such are entriely lacking - is it time for the Information Commissioner to take one for the team?
i.e. Resign, wait a few months then get a pass into the House of Lords?
Don't be silly, in a few month's time they can just revoke the entirety of the GDPR. Why bother?
All those years of compliance (with a quite sensible and powerful-to-the-consumer law) will be wasted because of our "independence". They'll just cut the red tape so that their own projects (like the track and trace, etc.) don't fall foul of it either.
All those years of compliance (with a quite sensible and powerful-to-the-consumer law) will be wasted because of our "independence". They'll just cut the red tape so that their own projects (like the track and trace, etc.) don't fall foul of it either.
I can understand reasonable arguments pro/anti Brexit, but why do remainers keep spouting this ludicrous nonsense? Is it just a desperate attempt at propaganda, or blind refusal to understand the arguments of people you disagree with, in case they might be right?
We need to respect international rules to continue international trade (with the EU and elsewhere). British consumer and data protection law has consistently been tougher than EU minima, and tougher than those implemented by other EU countries (pre-GDPR the UK maximum fines were higher than those permitted in Germany, for example). Part of the parliamentary work before Brexit was specifically to enshrine GDPR in UK law, so that it would not just vanish afterwards. There is no credible reason to believe that reducing UK data protection to levels below GDPR is planned, useful or desirable.
>There is no credible reason to believe that reducing UK data protection to levels below GDPR is planned, useful or desirable.
Exactly, the whole point of Brexit was that as a sovereign nation we would be able to keep all the Eu regulations in place while dictating terms to those American colonials who would be desperate to trade with us any whatever terms we demanded.
"why do remainers keep spouting this ludicrous nonsense?"
General distrust of the competance of the government of the day?
"British consumer and data protection law has consistently been tougher than EU minima, and tougher than those implemented by other EU countries"
That is debatable - there are/were procedings in place by the EU against the government, as the Data Protection Act 1998 is not actually compliant with the Directive 95/46/EC. The govenment won't reveal the details of non-compliance as it would jeopardise international trade.
https://www.theregister.com/2017/03/16/uks_gdpr_law_will_not_be_judged_adequate_if_it_contains_provisions_that_made_the_dpa_inadequate/
The Sales of Goods Act 1960 gave a longer period of time to commence action against a seller than the European standard. However, the standard European implementation of 2011/83/EU gives a minimum of 2 year guarantee - the UK implementation does not (it states "reasonable period", which some retailers take the mickey with).
From https://europa.eu/youreurope/citizens/consumers/shopping/guarantees-returns/index_en.htm
"You always have the right to a minimum 2-year guarantee at no cost, regardless of whether you bought your goods online, in a shop or by mail order.
This 2-year guarantee is your minimum right, however national rules in your country may give you extra protection."
Data Protection Act 1998 is not actually compliant with the Directive 95/46/EC.
But the replacement DPA 2018 explicitly implements those parts of GDPR which member states must do, so effectively enshrining GDPR in UK law even though it is no longer an EU member.
The Sales of Goods Act 1960 gave a longer period of time to commence action against a seller than the European standard. However, the standard European implementation of 2011/83/EU gives a minimum of 2 year guarantee - the UK implementation does not (it states "reasonable period", which some retailers take the mickey with).
That's because UK law generally offers guidance, leaving the details to be decided by the courts, which is not the case in many other countries. The courts have already created precedents that "reasonable" can be 5+ years in the case of domestic goods, for example.
It doesn't detract from the fundamental point that there is no reason for the UK to weaken consumer protection below that of GDPR, since it generally applied higher standards than EU/EC minima, even before it was a member.
Abolish GDPR? Not for awhile I hope. I am busy (well my lawyers are) battering a POS parking enforcement company that incorrectly and illegally ticketed me. So much fun costing those b*ards time and money. Next step is getting the ICO involved, so just need a year or so to really twist the knife.
Best of luck to you! Those scumbags deserve everything they get and more. But just remember, you weren't "illegally ticketed". They had no authority to ticket you in the first place, legal or otherwise. You have (I presume) merely broken an implicit contract by overstaying your welcome.
Give them a jolly good kicking, unless it's Parking Eye. Sorry but you wouldn't stand a chance against them annoyingly as they're the ones with friends in low places etc.
Parking Eye? Right, will avoid any parking that has one of their signs. As for legality, I had actually paid for the duration, but there was a type-o. Got the notice through 2 months later, and a little research and they according to some bylaw regarding land owned by railway, they are not allow to do what they did. But that is besides the point, as I just sent in a scan of the parking stub (as I had done it to claim expenses 2 months prior) and they let me off, because they had no chance.
But, and this is the reason I am now getting my lawyers involved, this really pissed me off, they said if I make a type-o again, they would fine me anyway and I would have to pay. Fat chance.
So far, from their return letters, it looks like they are shifting themselves and keep apologizing. I am still trying to find out why it took 2 months to even query DVLA for my details. So far, they are not releasing all the info I am after. ICO is next step once the current 30 timer is up and they fail to release all of it.
"But, and this is the reason I am now getting my lawyers involved, this really pissed me off, they said if I make a type-o again, they would fine me anyway and I would have to pay. Fat chance."
you really have far too much time on your hands.
from your earlier post i had assumed they sent in the bailiffs or something
Yep,
Don't take on Parking Eye, they manage to do what other parking shysters can't, successfully getting prosecutions thought the courts. I took them on after a 26 minute overstay. While at the 'court' I saw the magistrate/judge laughing/joking/flirting with the Parking Eye solicitor multiple times before my case, but yet they told me they hadn't had any discussions before the hearing. The judge wasn't having any of my defense of the fact that no loss had been incurred and I was promptly ordered to pay 3 times the cost of the original ticket. After paying the 'fine' I requested multiple times a receipt to prove I'd payed it, for the purposes of avoiding a CC judgement on my credit record, but they ignored every request. I therefore got an entry on my credit record which has only just been removed after 6 years. I would recommend never parking on a car park operated by them, they are a complete scam organisation.
She has a CBE already - the cynic in me wonders if that may be linked to lack of going after companies.
The cynic in me also believes that if someone has accepted an honour then their partiality must be deemed suspect in such roles as they have fully succumbed to establishment assimilation.
The cynic in me says that it will all be quietly dropped, "never brought in any money in any case", in preparation of the takeover of UK plc by the Americans as part of the bestest ever, have cake and eat it, line the pockets of the rich, trade deal.
P.S. Can Liam Fox please be charged for leaking secrets from his email account?
After all the fanfare and copious amounts of GDPR "expert" consultants getting UK PLC over the start line for GDPR, you do have to wonder what on earth is the point of the whole process and fines if they aren't going to be upheld.
I can understand a reduced fine for early payment, but dragging on negotiations ad infinitum is not exactly showing the corporate world that GDPR has any teeth when enforced.
I wonder if similar DP regulations are facing the same problem when it comes to enforcement and fines globally? i.e. the California Consumer one and others.
If any company being hit by fines thinks they can allocate lower amounts, then where is the pressure to perform and act correctly?
It would appear that the consumer will be the one taking the hit again as more data is lost and more PII etc, gets into the wild!
The mind boggles.
See if you can get the speed camera to testify in court.
With any luck, it'll be yammering about failing diodes down it's left side, and the judge will reduce the fine to a half hour poetry lesson.
I'll get my coat, hopefully I still have the Electronic Thumb in the pocket...
The amount collected in fines over the two years won't even cover the cost of running the department.
To say nothing of the millions honest companies have given to "GDPR compliance consultants"
for telling companies what they should have been doing anyway.
Typical Sir Humphrey meets Jean-Claude cockup.
Actually, it's not any kind of loss to the taxpayer (at least not directly). The ICO is not funded from taxation (to avoid any suggestion of conflict of interest if it takes action against a government entity). Nor is it funded by fines (to avoid any suggestion of vested interest). It's funded from the registration fees, which, although not proportional, are scaled in accordance with the size of the registrant organisation.
Given this position, going after large companies has clearly nothing to do with revenue for the ICO, but it may be good for raising its profile, and that could well be necessary if the ICO wants to remain recognised by the EU. That in turn could at least unofficially affect whether or not the UK gets its adequacy decision swiftly (or indeed at all).
I can just see how this goes:
1) ICO Commissioner resigns and is boosted to HoL
2) Baroness Harding, fresh from the TalkTalk Track 'N Trace fiasco takes over
3) ICO sequester several BA jets in attempt to get the money
4) Nobody wants to buy them except BA who offer 5% as a buyback.
The UK Information Commissioner has publicly declared that the ICO will concentrate on going after the big offenders and aiming for large fines. This is clearly good for raising the profile of the ICO, but it has the following disadvantages:
[1] it preferentially selects those best equipped to challenge any action against them
[2] it consumes resources on a few cases that might otherwise be applied to dealing with large numbers of meritorious complaints
[3] it does not deter the majority of offenders as they consider themselves under the radar.
Only by pursuing a reasonable percentage of the majority-scale abuses will the legislation ultimately be made to stick. For example, I've been conducting research into the quality of privacy notices since May 2018, and out of hundreds I've only found literally a couple that actually comply with the requirements of the GDPR. Somewhat surprisingly, the ICO's own template privacy notice for SMBs doesn't. It requires all the statutory information, but presents it in a manner that prevents the exercise of data subject rights in respect of specific purposes and processing. This is not trivial. The privacy notice is the primary basis on which a data subject must initially rely to exercise their statutory rights. If it prevents them doing so, that is itself an offence under the principles of transparency and accountability (inter alia Articles 5 and 12).
going after the small guys ensures there is precedence for when they go after the big fish.
The Banks jumped at the notion that they will be responsible for their contractors taxes. The banks are not stupid enough to let the taxman gain obvious advantage over them so have rushed to reduce their exposure.
It has actually had a negative effect on users privacy.
By requiring users to "agree" to cookie use unscrupulous companies have been putting in all sorts of extras into the unread "privacy policy" which legally exposes the users data to much more abuse than was previously possible.
You can always negotiate fines, such as those for not paying taxes on time. In general, people you owe money too would rather have some money than have you in jail & unable to pay anything.
The problem is that it's not worth the bother of negotiating (on either side) unless the amount is in the millions, so rarely affects ordinary folk. Never hurts to ask, though.
We see the same thing on this side of the pond. Civil Service staffs are budget constrained and big corporations are not. Big corporations can throw as many (tax deductible) lawyers at the problem as they want. The outcome is not in doubt.
Plus, groups like the ICO start negotiations with what they consider reasonable, not with what could be the maximum penalty.
I can't say if there's a revolving door between the ICO and industry but there are certainly plenty of those in the States.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
