Is the UK data protection authority granting big tech giants a free pass?


Asress Adimi Gikay (PhD), Senior Lecturer in AI, Disruptive Innovation and Law (Brunel University London)

Photo credit: howtostartablogonline.net 

Online, the phrase “we value your privacy” often rings hollow. Despite promises, businesses lack the motivation to truly prioritize data privacy. This holds true even within the European Union (EU) and its comprehensive data protection law, the GDPR. Businesses frequently disregard these rules while regulators struggle to enforce them or simply overlook infractions.

The UK’s data protection authority, the Information Commissioner’s Office (ICO), seems caught between promoting innovation and upholding data privacy rights. Unfortunately, this has diminished data privacy to a mere talking point, both in the business world and within the ICO itself.

The ICO’s enforcement record doesn’t reflect a commitment to safeguarding the public’s data privacy. Instead, it reveals an inexplicable leniency towards corporations, which suggests a fundamentally flawed enforcement policy.

The ICO’s enforcement track record: Numbers tell the story

From 2021 to 2022, the ICO received 35,558 complaints about data privacy violations, ranging from companies refusing to delete personal data to processing data without consent. The following year saw 27,130 complaints. Yet, out of over 62,000 complaints across two years, the ICO only issued 59 monetary penalties. This means less than 0.1% of complaints resulted in tangible consequences for businesses breaching data protection rules.

The ICO typically closes most complaints, citing insufficient information or lack of evidence. Many cases are resolved through discussions with the infringing companies. In these instances, the ICO acknowledges the violation but takes minimal action beyond “informal action.”

The lack of transparency surrounding these cases fosters a public perception that the ICO favors business interests over protecting data privacy rights. This perception aligns with the available evidence.

A broader perspective

GDPR enforcement has been lackluster throughout the EU, despite the law’s promise to empower individuals in the digital world. The ICO’s performance is particularly weak, even by lenient standards. Between 2018 and 2022, the ICO imposed approximately 50 monetary penalties, while German and Italian authorities issued 606 and 228 penalties, respectively, between 2018 and 2021.

Compared to its European counterparts, the ICO is passive. For example, the French authority (CNIL) fined Meta and Google €60 million and €150 million, respectively, in 2021 for misusing cookies. Despite similar practices in the UK, these companies only modified their behavior in response to the French ruling, facing no repercussions in the UK.

This consistently poor enforcement record erodes public trust in the ICO. The authority’s own 2022 annual report revealed a dismal customer satisfaction score for complaint resolution. Independent reviews echo this sentiment, suggesting the ICO prioritizes business interests over privacy rights.

A flawed enforcement policy: A free pass for corporations

While resource limitations have been cited as a reason for inadequate GDPR enforcement in the EU, the ICO is relatively well-funded. It can also impose substantial fines, suggesting that a lack of resources isn’t the primary issue. The root cause lies within the ICO’s own enforcement policy.

The ICO’s “risk-based approach” favors softer compliance measures, reserving formal enforcement action for violations deemed to pose the highest risk and harm. Formal enforcement action includes requiring organizations to cease violations and comply with regulations through enforcement notices or penalties. The ICO weighs factors such as intent, repetition, degree of harm, and the number of individuals affected when deciding on penalties.

In reality, the ICO often exercises leniency even in cases of deliberate, repeated violations affecting millions. One example is the widespread illegal collection of personal data through cookies.

Tracking cookies monitor browsing behavior, gathering enough information to potentially identify individuals. Beyond website visits, they can track searches, purchases, IP addresses, and locations. This data can be used to infer personal details like names, nationalities, religions, sexual orientations, health conditions, and more – much of which is considered sensitive personal data under the GDPR. Processing this data requires explicit consent, with limited exceptions.

While this data could be used for marketing, it also presents risks, such as insurance companies leveraging it to determine premiums without individuals’ knowledge or consent.

Despite the ICO fining one company for using personal data to profile medical conditions without consent, the practice of inferring such data from browsing behavior via cookies continues. This unconsented data collection is illegal and poses a serious threat to the public. Yet, companies in the UK seemingly operate with impunity.

The ICO also demonstrates leniency towards repeat offenders in the tech industry. In a single year (2022/2023), the ICO found Google UK potentially or directly violating data protection laws over 25 times. The ICO’s response? Informal action and advice for improvement.

Google UK’s infractions included refusing or delaying the deletion of personal data upon request, a clear violation of the “right to be forgotten.” Meta, Microsoft, and Twitter also received multiple instances of “compliance suggestions” rather than concrete action.

The ICO’s current approach essentially turns the authority into a legal advisor for tech companies, neglecting its duty to protect the public. While individuals face an uphill battle seeking compensation for privacy violations, requiring proof of harm, the ICO, meant to deter such violations, remains ineffective.

A call for change

The ICO’s reliance on collaboration over effective sanctions to address repeated violations prioritizes the digital economy over data protection rights. While intended to attract businesses and stimulate economic growth, this approach disproportionately benefits big tech companies.

These companies often operate globally, with their presence in the UK primarily focused on its consumer market. Sanctioning them is unlikely to significantly impact their operations. However, firm and measured enforcement actions, considering the importance of the UK market, would compel these companies to comply with the law.

The ICO’s failure to effectively enforce data privacy laws risks not only public trust but also data innovation itself. A lack of trust could lead individuals to withhold data necessary for research and development, ultimately harming the digital economy.

Licensed under CC BY-NC-SA 4.0