Data Regulation: An ‘Empathetic’ Approach From The ICO, But Risks Remain – Privacy


While the tragic human consequences of COVID-19 have played out
on nightly news bulletins, regulators across Europe have scrambled
to adjust their approach to minimise its immediate and longer-term
economic consequences. Early on, the UK’s Information
Commissioner (‘ICO’) declared its reasonableness and
pragmatism in the face of the health emergency and, on 15 April, it
fleshed this out in a publication setting out its regulatory
approach during the coronavirus pandemic. The ICO’s document is
one of a series issued by the data watchdog in recent weeks and
will be welcomed by data controllers and processors under
exceptional pressure. Nevertheless, those seeking dispensation from
data security obligations at this time will look in vain, and risks
remain for the unwary.

Three factors lie behind the ICO’s temporary regulatory
approach during the pandemic: regulated organisations face staff
and operating shortages; public authorities are pre-occupied with
meeting front-line service demands; and acute financial constraints
are restricting finances and cashflows. As the regulator
acknowledges, these factors may impact on data controllers’
ability to comply with data legislation. Rather than appearing
‘tin eared’, the ICO, like the European Data Protection
Supervisor and national data supervisory authorities across Europe,
has chosen to highlight the flexibility built into the GDPR, and to
reassure those it regulates by giving a steer on how data rules
will be applied during this exceptional situation.

ICO’s Approach During Health Emergency

Amongst the high-level indications set out in the ICO’s
document are that the regulator will suspend data audit work to
focus instead on the most serious challenges to the public, use its
formal powers to require information sparingly and allow greater
time to respond, and will conduct fewer investigations to
concentrate on circumstances suggesting serious regulatory
non-compliance. In fact, on 1 April, the First Tier Tribunal, which
hears appeals from ICO notices, had already granted the Information
Commissioner’s request for a 28-day general stay on all
proceedings as a result of the pandemic. While the ICO’s stay
application was made for technical reasons, it is a clear example
of the ICO’s modified regulatory approach. Its practical effect
will be that compliance with information, assessment, enforcement
and penalty notices will also be placed on hold, granting
recipients temporary ‘breathing space’.

As part of the ICO’s approach during the pandemic,
enforcement action is unlikely where Freedom of Information Act and
data subject access requests are not satisfied within normal
timescales. Breaches requiring notification under GDPR Article 33
should still be notified to the regulator within the requisite 72
hour period. However, even here, the watchdog hints at flexibility
where the reporting deadline is affected by the current crisis.
That said, any organisation breaching data protection laws to take
advantage of the situation is likely to face serious

In terms of COVID-19’s impact on GDPR penalties, much media
attention has focused on the ICO’s agreement with British
Airways and Marriott to extend until later in the summer its
disciplinary process for high profile data breaches involving
thousands of customers’ personal and financial data which came
to light during 2018. This deferral gave rise to speculation that
the pandemic was the cause. In fact, earlier extensions had been
granted in January, weeks before the pandemic was declared,
indicating that other factors are at work in the resolution of
those investigations. Nevertheless, the ICO’s established
Regulatory Action Policy had always included ability to pay as a
factor in determining the amount of any penalty, and the data
watchdog has now openly acknowledged the current situation is
likely to reduce fines. Given the financial ‘hit’ suffered
by the airline and hospitality industries since the pandemic was
declared, it would be surprising indeed if this was not a key
consideration when determining any sums ultimately paid by the two
stricken corporate giants.

A False Sense of Security?

While the speed at which COVID-19 spread left legislators and
regulators with little choice but to relax regulation, this brings
with it significant compliance risks.

Where regulation tries to adapt too quickly to novel and rapidly
developing circumstances, there is a risk of oversimplification.
For example, in its well-intentioned guidance to the many community
support groups which have grown up during the pandemic, the ICO
ostensibly reduces to a single sentence the finely balanced
three-part GDPR test of the legitimate interests basis for data
processing. This demonstrates the risk that urgent regulatory
guidance issued in the wake of the pandemic could lead the unwary
into inadvertent error.

Similarly, as traditional office-based working patterns have
been suddenly upended, criminals have stepped in to seize
opportunities provided by homeworking infrastructure using phishing
techniques, hijacking online meetings, and exploiting
vulnerabilities in desktop virtualisation technologies. On reading
of the ICO’s approach during the pandemic, a
‘forgiving’ attitude might initially be assumed towards
data breaches. In fact, though, the ICO elsewhere makes clear that
those responsible for data security should consider the same
measures for homeworking that would be considered in normal
circumstances. Lax security exposing data subjects to significant
risk – particularly after general warnings of heightened
danger from the National Cyber Security Centre, the National Crime
Agency and the ICO itself – may still precipitate a costly
and reputationally damaging regulatory investigation if not now,
later down the line.

While data controllers and processors will welcome the
reassurance provided by the ICO at the present time, the regulatory
approach remains principle-based; certainty of what is required
will remain elusive. Businesses and organisations may draw some
comfort from the ICO’s position during the current health
emergency, but they would be wise to maintain data protection
standards wherever possible and not to see the regulator’s
approach as a ‘free pass’.

Originally published April 2020

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

