Punitive threat: How to respond to an ICO Notice of Intent
Antonis Patrikios and Sabba Mahmood consider how to respond to an ICO Notice of Intent and minimise the financial and reputational impact on your firm
The UK's Information Commissioner's Office (ICO) is one of the most prolific enforcers of privacy and data protection legislation in Europe and globally. The regulator is responsible for enforcing (among others) the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003 (PECR).
The ICO has taken serious enforcement action - including fines - for breaches of privacy and data protection legislation. To date, it has imposed over 60 fines totalling a little under £7m. Most of these fines have concerned data security failures. But, increasingly, the regulator is taking enforcement action for other contraventions, such as breaches of the rules concerning data minimisation or electronic marketing.
This article examines how to manage the issues relating to receipt of an ICO Notice of Intent (NoI) and how to respond to it. An NoI informs data controllers that the ICO intends to serve a monetary penalty notice (MPN), i.e. a notice that imposes a fine.
The ICO's approach
An NoI will not come out of the blue. When the ICO becomes aware of potential breaches of the DPA or PECR (for instance, because the controller self-reported the issue or the ICO has received a complaint about the controller), the ICO will initiate an investigation into the matter.
ICO investigations entail correspondence, as well as telephone calls and possibly meetings, between the ICO and the controller. During these communications, the ICO asks questions about the matter and the controller provides its responses, along with any evidence requested by the ICO or other evidence that the controller wishes to bring to the ICO's attention (such as relevant company policies, contracts with suppliers and/or customers, and data protection training records).
At the end of this process, the ICO will decide whether to:
- close the case on the basis of the explanations provided by the controller in relation to the issue, its causes, its impact, how it was dealt with and any remedial action taken to reduce the risk of a similar issue reoccurring; or
- take enforcement action. The ICO has several options in its arsenal, including criminal prosecutions and non-criminal sanctions, ranging from voluntary statutory undertakings to change non-compliant data processing practices, to enforcement notices that require the controller to change such practices, to issuing an MPN that imposes a fine of up to £500,000.
Criminal prosecutions aside, a fine is the most serious form of enforcement action, reserved only for serious breaches that involve negligent or intentional behaviour by the controller that is likely to cause substantial damage or distress to the affected individuals.
In addition to the financial consequences, an ICO MPN brings with it the stigma of being fined and the resulting consequences to the controller's reputation, brand and the trust of its customers, business partners and other stakeholders.
Inside the NoI
If the ICO concludes that a fine is the appropriate step in a particular case, before issuing the MPN that officially imposes the fine, it will serve an NoI.
This will inform the controller that the ICO has decided to impose a fine and invite the data controller to make representations. The NoI should set out:
- the name and address of the data controller;
- the grounds on which the ICO proposes to impose an MPN, including the nature of the affected personal data, a description of the contravention, the reasons why the ICO considers the contravention to be serious and likely to cause substantial damage or distress, and whether the contravention was deliberate or caused by the negligent behaviour of the controller;
- an indication of the amount of the fine the ICO proposes to impose and any aggravating or mitigating factors;
- the date on which the ICO proposes to serve the MPN (i.e. the date of the fine, on which in turn depends the date on which the fine should be paid); and
- the period within which the controller can make written representations to the ICO. This period must be reasonable and no less than 21 days from the date of service of the NoI.
Response strategy
The NoI is a crucial step in the ICO enforcement process because it signifies the end of the investigation and it means that the ICO has concluded that a fine is appropriate, subject to any representations made by the controller.
In other words, in most cases, the NoI essentially means that an MPN is likely to follow soon and the controller should now be thinking about how to deal with the fine, including determining the firm's legal position and strategy, as well as its public relations and communications approach.
Crucially, the representations that controllers are entitled to make in response to an NoI are the last opportunity to attempt to avoid the fine, reduce its amount and control the information that the ICO will publish in the MPN before the matter becomes public. After that point, the only way to overturn the fine or reduce its amount is to appeal the MPN to the First-tier Tribunal (Information Rights).
Although some attempts to challenge the ICO's MPNs on appeal have failed, others have succeeded. For instance, Scottish Borders Council and Tetrus Telecoms each succeeded in demonstrating on appeal that the ICO was wrong to conclude that their respective contraventions of the DPA and PECR were likely to cause substantial damage or distress to the affected individuals. As a result, the tribunal overturned the fines.
What this tells us is that data controllers who receive an NoI should not necessarily accept that it is the end of the process and that a fine is inevitable. As with any other regulator, the ICO will not always get it right. Making representations to the ICO on the NoI is the last opportunity that a controller has to avoid a fine or reduce its amount without having to go to court. If the controller does not make representations, the ICO will proceed to issuing the MPN, possibly subject to minor variations.
There are conceivably three positive outcomes that controllers can aim for through their representations:
- convince the ICO to cancel the NoI. This is possible, in which case the ICO will issue a Cancellation Notice, but in practice it will only be achievable in rare circumstances, such as when significant mitigating facts become known after the NoI or the controller convinces the ICO that its assessment of the case has serious flaws;
- convince the ICO to reduce the amount of the fine. In most cases, this will be a more realistic objective; and
- control the information that the ICO will make publicly available in the MPN. The ICO should redact from the public version of the MPN any information that is confidential or commercially sensitive.
The key questions that data controllers should consider when preparing their representations include the following.
1. Is the ICO right to impose a fine?
This entails an analysis of whether the conditions precedent for a fine have been met, i.e. whether there is a contravention that is:
(i) serious;
(ii) likely to cause substantial damage or substantial distress; and
(iii) the result of the deliberate or negligent behaviour of the controller.
To date, controllers who have been able to demonstrate that an otherwise fineable contravention was unlikely to cause substantial damage or substantial distress have successfully avoided fines, including on appeal in the cases mentioned above.
2. Is the proposed amount of the fine appropriate?
The key considerations here are whether:
(i) the fine is proportionate in the circumstances;
(ii) the proposed amount is consistent with fines that the ICO has imposed in similar cases;
(iii) the ICO has properly assessed the financial situation of the controller and the economic impact of the fine on the controller; and
(iv) the fine will constitute an undue financial influence on an otherwise responsible controller.
Other considerations that may be relevant in particular cases include:
(i) whether the ICO has properly taken into account the supporting information provided by the controller during the investigation - in particular, whether the ICO has placed appropriate weight on any mitigating factors invoked by the controller; and
(ii) possibly the impact that the fine would have on the controller's future investment in improving data protection.
3. Did the ICO exercise its discretion properly?
Even in cases where the conditions precedent for a fine have been met, the imposition of a fine is discretionary. The ICO is not obliged to impose a fine and may decide to exercise its discretion differently, for instance by issuing an Enforcement Notice.
Although an erroneous exercise of discretion may be difficult to demonstrate, in some cases it may be possible to show that the ICO ought to have exercised its discretion differently.
For instance, one of the conditions precedent for fining is whether the contravention is 'likely' to cause substantial damage or distress. Where a contravention was likely to cause such damage or distress but it can be shown that in the end it did not (for instance because the affected individuals have said so), did the ICO exercise its discretion correctly in imposing a fine?
4. What information should be redacted from the MPN?
Some of the information in the NoI will concern confidential aspects of the controller's business, such as data security processes that, if made publicly available, may expose the controller to data security risk or commercially-sensitive information which, if disclosed, could jeopardise the business interests of the controller.
Controllers should clearly state which parts of the NoI should be redacted in the MPN that the ICO will publish on its website.
What happens next?
In rare circumstances, the ICO may decide to cancel the NoI, in which case it will issue a Cancellation Notice. In most cases, the ICO will issue an MPN imposing a fine which should be substantially the same as the amount proposed in the NoI, unless the ICO considers that the representations made by the controller justify a reduction.
The MPN will be published on the ICO's website, with any confidential or commercially-sensitive information redacted. The controller should then decide whether to appeal the MPN or pay the fine. There is a 20 per cent discount if the fine is paid within 28 days of the MPN being served.
Minimising the impact
The NoI is a crucial step in the ICO enforcement process and means that a fine is imminent. Controllers who receive an NoI should carefully consider how to respond. This is the time to ensure that the controller's specialist lawyers are on the case, if that has not already happened during the investigation.
We now have a growing body of law, Information Tribunal decisions, ICO fines and other enforcement action and regulatory guidance which should be taken into account in determining the controller's strategy regarding how to respond to the NoI and the MPN that is likely to follow.
The Information Tribunal decisions overturning ICO fines clearly show that fines are beatable in certain cases, but it takes skill and a solid understanding of the law and ICO practice to ensure that the controller's submissions focus on the things that really matter and to make the best possible case against the fine. Experience also shows that it is difficult to avoid a fine after an NoI has been served.
In most cases, it is likely to be too late and it may make better sense to focus on trying to reduce the quantum and control the information that will be published in the MPN. Controllers stand a much better chance of avoiding a fine in the course of the ICO investigation by:
- making sure that they demonstrate to the ICO the right behaviours and that they take the matter seriously; and
- presenting their case and mitigating factors in the best possible way, with reference to the conditions precedent for fines and the factors that might convince the ICO to exercise its discretion favourably.
For those who think that a maximum fine of £500,000 is not a great concern compared to other risks their organisation faces, the reputational and brand damage that an ICO fine can cause should not be underestimated.
We should also not forget that the ICO (as well as all other EU data protection regulators) may soon have fining powers of up to five per cent of annual worldwide turnover if the fairly advanced process of EU data protection law reform produces a new EU Data Protection Regulation.
Therefore, now is the time for controllers to address the concerns that they have about their organisation's data protection and security compliance processes.
Antonis Patrikios is a legal director and Sabba Mahmood is a solicitor in the privacy and information law group at Fieldfisher (www.fieldfisher.com)