On July 20, 2018, Elizabeth Denham, the Information Commissioner (“ICO”) for the United Kingdom (“UK”), released an Annual Report for 2017/18 (the “Report”). In the Report, the ICO commented that new laws and high-profile investigations have helped put data protection and privacy at the centre of the UK public’s consciousness: “This is an important time for privacy rights, with a new legal framework and increased public interest. Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

The Report makes interesting reading in terms of the UK regulator’s recent focus and areas of concern for enforcement purposes. In addition to outlining extensive work helping individuals and organizations prepare for the General Data Protection Regulation (“GDPR”), and providing expert advice to the Government during the passage of the Data Protection Act 2018 through Parliament (the UK’s GDPR implementing legislation), the Report confirms that the ICO also experienced “unprecedented demand for its casework on data protection and freedom of information.” Some of the highlights of the Report include:

  • A significant increase in data protection complaints (up 15%), self-reported breaches (up 30%) and freedom of information complaints (up 5%).
  • Another significant increase in telephone, live chat and written queries from the public and organisations, with new telephone services for small organisations and for self-reported breaches. In the final quarter the ICO had 30,000 more calls than in the previous three months.
  • The ICO issued the largest number and amount of civil monetary penalties in its history. This included 26 penalties totalling £3.28m for breaches of electronic marketing laws relating to nuisance calls and spam text messages, along with 10 enforcement notices and the execution of three search warrants.
  • The ICO issued eleven fines totalling £1.29 million for serious security failures under its previous legislation, the Data Protection Act 1998 (now repealed).
  • The ICO succeeded in a total of 19 criminal prosecutions resulting in 18 convictions; a further six cautions were issued and 11 search warrants were executed.

The Report illustrates a demonstrable increase in regulatory and enforcement activity by the ICO. With this refreshed focus, and the new powers afforded to EU regulators under GDPR, we expect to see further increases in action taken by individuals and enforcement action taken by the ICO over the coming months and years.

We also continue to await the first of the expected major enforcement actions from EU regulators, including the ICO. Many commentators expect that the EU regulators will exercise the vastly increased fining powers under GDPR over the coming months, for example as data breaches that occurred after GDPR entered into force on May 25th 2018 are discovered.