In the online space, one of the emptiest promises is “we value your privacy.” Businesses promise to preserve our privacy rights, but regulators have neither the carrot nor the stick to make them respect data protection rules. So businesses flout data privacy laws, while regulators either struggle to enforce the law adequately or wilfully ignore infractions.
The UK’s data protection authority, the Information Commissioner's Office (ICO), has given in more than any other to its ambition of promoting innovation and economic growth while simultaneously protecting the public’s personal data. The authority's enforcement record contradicts its primary objective of protecting the public's data privacy rights.
The ICO’s enforcement track record: the numbers don’t lie
During the 2021-2022 fiscal year, the ICO reported receiving 35,558 data privacy violation complaints. The complaints were diverse, including companies refusing to delete individuals’ personal data or processing their data without consent. Sometimes, organizations infringed the individual’s right to access their own personal data, contrary to what the data protection legislation requires.
Similarly, in the 2022-2023 financial year, a total of 27,130 complaints were filed with the ICO, excluding data from the most recent financial quarter, which the authority is yet to report. Out of the 62,688 complaints filed over a span of two years, the authority levied only 59 monetary penalties. Only approximately 0.094% of the complaints led to organizations being sanctioned for breaching data protection rules.
The ICO closed most of the complaints citing insufficient information to proceed or a lack of evidence of infraction. It resolved numerous cases through discussions with the infringing companies. In such cases, the authority recognises that the organization has infringed the rules but merely encourages it to rectify the violation, including by addressing the underlying complaint.
Because the ICO does not disclose comprehensive details about these cases, only summaries, the public tends to perceive the authority as prioritizing business interests over safeguarding data privacy rights. Interestingly, this public perception aligns with the available evidence.
The broader context
Enforcement of the GDPR has been unsatisfactory across the EU since the implementation of what has been described as a breakthrough law, one that promised to empower people in the digital world by giving citizens more control over their personal data. Even when applying this more forgiving standard, the ICO's enforcement record remains unsatisfactory. Between 2018 and 2022, it levied around 50 monetary penalties, while the German and Italian authorities imposed 606 and 228 penalties respectively between 2018 and 2021.
The ICO is generally passive compared to its European counterparts. In a notable case, the French authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), fined Meta and Google €60 million and €150 million respectively in 2021 for their illegal use of cookies. Although the companies engaged in similar unlawful data collection practices in the UK, they changed their UK cookie-based data collection practices only as a by-product of complying with the French ruling. They faced no threat of sanction in the UK.
The ICO's consistently poor enforcement record clearly undermines public confidence in the authority. In its 2022 annual report, the authority itself acknowledged receiving the lowest score for complaint resolution in a 2021 customer survey that it backed. On the independent review site Trustpilot, the authority is rated 1.1 out of 5. This rating is based on reviews submitted by members of the public on their own initiative, some of whom claim that the ICO prioritizes business interests over protecting privacy rights.
Unfit enforcement policy: a corporate free pass
The ICO’s risk-based enforcement approach favours softer means of securing compliance, reserving enforcement action for violations that are likely to pose the highest risk and harm to the public. Enforcement action includes requiring an offending organization to end the violation and comply with the relevant rules through a so-called enforcement notice, and issuing a penalty.
The ICO considers several factors in determining whether imposing a penalty is appropriate, including the intentional or repeated nature of the breach, the degree of harm to the public, and the number of people affected. In practice, however, it exercises discretion even in cases of intentional and repeat violations.
In one fiscal year (2022/2023), Google UK violated the law more than 25 times, as the ICO acknowledged in separate complaints, yet the authority only advised the company to comply. Google UK's infractions include refusing or delaying to delete personal data upon request by individuals exercising their right to be forgotten. Meta Platforms (formerly Facebook Inc.) received 20 compliance suggestions after evidence of its infringement was found, while Microsoft and Twitter each received the same soft compliance advice 8 times in the same year.
In all these cases, taxpayers' data protection rights were violated and evidence of infringement by big tech companies was found, yet the ICO consistently chose to give the offenders a free pass rather than standing up for citizens and upholding the law.
The ICO's enforcement policy relies on collaborating with regulated entities rather than sanctioning them effectively to deter repeat violations. This approach aims to support the digital economy by avoiding excessive enforcement of data protection rights and fostering data innovation. In theory, it should attract businesses to the UK, create jobs, and stimulate economic growth. In practice, however, the policy is being applied to serve the interests of big tech companies.
The companies that repeatedly violate data protection laws do not necessarily contribute to digital innovation in the UK, and most of them are not strategically positioned to provide job opportunities in the country. But the UK remains a crucial consumer market for them. As such, sanctioning them is unlikely to change their business decisions and behaviour in ways that would harm the UK economy.
The ICO’s failure to effectively enforce data privacy laws erodes public trust. It could also discourage data innovation, as the public might refuse to provide data for research and innovation, which could in turn negatively affect the digital economy.
I am a Senior Lecturer in AI, Disruptive Innovation and Law (Brunel University London). If you are interested in occasional updates like this, follow me on Twitter or LinkedIn.