Hogan Lovells 2024 Election Impact and Congressional Outlook Report
15 November 2024
The ICO has published its Data Protection Fining Guidance, aiming to clarify why the ICO decides to issue penalty notices as well as how they calculate fines under the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA 2018). The Guidance has been published following a public consultation late last year. The Guidance focusses on fines arising out of violations of the UK GDPR and DPA 2018, it does not change the rules for fines levied under the Privacy and Electronic Communications Regulations 2003 (PECR). It is without doubt that the new guidance will help clarify the position around data protection fines. A question that remains is how businesses can respond to the new clarifications and to what extent this will make it easier to calculate financial risk in a particular situation.
The ICO’s guidance gives a helpfully structured step-by-step outline of the factors that the Commissioner will consider when deciding to levy a fine.
Under data protection law in the UK, the Commissioner is obliged to consider certain factors such as the nature, gravity (seriousness), and duration of the infringement, any relevant aggravating factors and as well the effectiveness, proportionately and dissuasiveness of the fine. The ICO uses these legal obligations as a basis for their 5-step procedure.
Although they emphasise that they wish to continue to exercise discretion when deciding on the amount of a fine, the 5-step procedures include an explanation of the factors that will influence how serious the infringement is, including any mitigating or aggravating factors. They also explain how they calculate the starting point for the penalty with respect to an organisation’s turnover, with the help of illustrative tables.
Although the procedure is not new, to have it explicitly outlined in ICO guidance does make it more tangible for businesses of all sizes to understand. Specifically, it gives an insight into how they will take into account the seriousness of the infringement, as well as any mitigating and aggravating factors.
Although some the factors involved in calculating and levying a fine are prescribed in UK data protection law, the Guidance helpfully adds some colour and detail as to how the Commissioner would consider each factor in practice. As is perhaps to be expected, it does not provide any concrete statements to the effect of ‘if you do this, we will definitely fine you [x]’ or any guaranteed ‘get out of jail free’ cards. The ICO consistently highlight that infringements will be investigated and considered on a case-by-case basis, which, together with the sheer number of factors to be considered, still gives considerable wiggle room in terms of the amount of a fine. What the guidance does helpfully do is provide a good steer as to which actions they consider significant, and which could attract an increased or decreased fine.
This new guidance takes precedence over earlier draft versions of the ICO’s regulatory policy. In early 2022 the ICO launched a consultation into new draft versions of their Regulatory Action Policy (RAP) and their Statutory Guidance on our Regulatory Action. However this consultation ended, and final versions of the updated documents have not yet been published.
This Guidance replaces the sections about penalty notices in the RAP published in November 2018. This is a significant development as it will be the new precedent for the ICO’s policy on fining.
Looking forward, the ICO is planning on publishing new procedural guidance about regulatory action required by the DPA 2018 which will replace the statutory guidance under the Regulatory Action Policy.
The guidance will be laid before Parliament, as is required under the DPA 2018. However, it became applicable when it was published on 18 March 2024.
Key areas where the Guidance has enhanced our understanding of the calculation of fines by the ICO
Concept of an undertaking
Under the UK GDPR the ICO has the power to levy a fine up to 4% of the whole undertaking’s total annual turnover. To those organisations that have ever considered the question of whether the ICO would calculate their annual turnover for their limited company or for the parent company or whole group, the ICO has given some much needed clarity.
The ICO confirm the position that an ‘undertaking’ is to be understood as developed in UK competition law through UK and retained EU case law. Crucially, an undertaking would be considered as such if the organisations connected form a single economic unit, as opposed to a strict commercial or tax law view. A key factor when considering whether a set of organisations form a single economic unit is whether the parent exercises decisive influence over it, or whether it can act autonomously of the parent company. The ICO emphasise that they will look at this on a case-by-case basis.
However, this does not represent a departure from how ‘undertaking’ is considered under the EU and UK law. For example, when the ICO fined TikTok in 2023 they stated that they considered the global annual turnover of TikTok Inc, TikTok Ltd (the immediate parent company and joint controller of the data in questions) as well as Bytedance (the ultimate parent undertaking). Despite this, the question of parent or group company liability has been the subject of much speculation, and this is the first time the point has been concretely referenced in UK guidance by the ICO. It is also, of course, of critical importance in relation to the potential size of fine for many organisations.
In deciding whether to issue a penalty notice, the Commissioner will take into account a variety of factors. These factors are mandatory under UK data protection law and are documented methodically by the Commissioner whenever there is a fine levied.
In the Guidance the ICO gives a wider context to each of the factors than is given under the RAP, which is relatively brief on these matters. When attempting to understand the seriousness of the breach the Commissioner has specifically called out processing that is “large and, for example, involves systemic and extensive profiling of data subjects”. We saw this emphasis on large scale profiling from the ICO in the fine levied against EasyLife, where the ICO decided to impose the fine partially on the basis that EasyLife conducted profiling on a large scale which included 145,000 data subjects.
Another factor which the Commissioner is obliged to take into consideration when levying a fine is the number of data subjects affected. The ICO has added some colour to this area, explicitly stating that he will take into consideration the number of data subjects potentially affected by the infringements, as well as those actually affected.
It has already been acknowledged by the ICO that they consider issues if they are ‘potential’ rather than concrete evidence of actual damage caused. For example under the RAP the ICO stated that they would consider "the nature and seriousness of the breach or potential breach”. Under both the Ticketmaster and British Airways data breach fines the ICO took into consideration the number of data subjects that were potentially affected.
Now the ICO have explicitly included potential risk to data subjects as a factor, rather than just the potential of a breach. This raises the risk to companies as it could increase the final fine amount.
The Commissioner will also need to consider the level of damage suffered by data subjects when choosing to levy a fine. This damage can be material (i.e. financial loss, physical harm) or non-material (i.e. psychological harm).
The Guidance explicitly lists discrimination as a type of harm that the Commissioner will consider when levying a fine. Discrimination is a key area of AI risk to data subjects. As the UK Government’s approach to AI governance empowers regulators like the ICO to take more authority in the regulation of AI in their sector, we may see more convergence on related issues coming from the ICO.
The Commissioner must also consider the types of personal data affected in the violation. Special category data and criminal convictions data under the UK GDPR as well as sensitive data under the DPA 2018 are all types of data to be considered.
The ICO’s guidance gives additional examples which may be taken into account as they may be regarded as particularly sensitive. These include location data, private communications data, passport details or financial data. Although not considered as an aggravating factor increasing the final fine amount, the ICO stated in the British Airways penalty notice that they were entitled to regard the disclosure of financial data in their case as a cause for significant concern.
The ICO must also consider whether there are any factors which could mitigate the violation, and whether the fine could be reduced as a result. The Guidance states that they are more likely to take into account mitigating factors that arise before the Commissioner is made aware of the breach.
They do caveat this though to say that they do not automatically discount actions done after the Commissioner is made aware of the breach, but just that they are less likely to consider them.
The ICO are required to take into account the degree of cooperation with supervisory authorities under the UK GDPR when deciding on the amount of the fine. They have further stated that repeated delays, for example not engaging with the Commissioner during the investigation or repeatedly failing to meet deadlines set by the Commissioner, may be considered an aggravating factor. In the TikTok Penalty Notice, the Commissioner did refer to the fact that they had to send repeated notices to TikTok requesting certain documents, however, in this case, this did not result in an increase of the fine.
The ICO lists additional mitigating factors that they may consider when levying a fine, beyond the ones they are required to consider by law. One of these additional factors includes whether there were any pro-active steps to report a cyber security incident to other appropriate bodies (such as the National Cyber Security Centre (NCSC)) and whether it followed any advice or guidance provided. It is not a legal obligation to report a cyber security incident to the NCSC, but it may help in the event an organisation is investigated by the ICO.
In June 2023 the EDPB also published their own guidance on the calculation of administrative fines under the EU GDPR. In their guidance they provided a table which outlined the ranges of the starting fine which is adjusted based on whether the organisation in violation is small, medium or large. The ICO have adopted a similar table in their guidance, giving UK businesses further clarity as to the amount they will begin at. This also highlights the convergence between the UK and EU on some key areas of the law and its interpretation.
This Guidance is useful and provides some key clarifications that will help businesses with understanding risk. The ICO provide practical tables for businesses to work out the starting and maximum amount of a potential fine, as well as helping to clearing up any regulatory confusion on parent company liability when calculating global annual turnover. Furthermore the guidance gives businesses practical examples setting out ICO thinking.
However, the ICO continue to emphasise throughout the guidance that they will continue to treat each infringement on a case-by-case basis and not in a mechanistic way, and they aim to maintain broad discretion when deciding on, and calculating, fines. So in this sense the guidance does not act as a formula for predicting precise fine amounts for specific infringements, but instead gives a view into the ICO’s position on how they interpret what are the most important factors when an infringement has taken place.
Authored by Nicola Fulford and Kathleen McGrath.
This article was first published in Privacy Law & Business UK Report, May Issue in 2024.