The Information Commissioner’s Office might not be a pop-culture term, but it’s certainly well known to anyone following privacy and data protection. That’s because it’s the U.K.’s data protection authority, and changes in global and local laws in recent years have allowed it to take actions garnering headlines in local and global newspapers.
It’s also one of the most active data protection authorities, and it gained a bit of mainstream fame when its enforcement officers raided the offices of Cambridge Analytica, the infamous data analytics firm behind Facebook’s data breach in 2014. The pictures of the ICO team entering the London-based firm won’t soon be forgotten; The Guardian’s spread featured a shot of enforcement agents, backs to the camera, their company jackets bearing “ICO Enforcement” in bright white letters across the shoulders. It was like seeing the FBI invade a drug ring. In fact, agents searched the firm for seven hours straight.
It was an image that said to the world: the U.K. ICO, led by Commissioner Elizabeth Denham, is serious about enforcement.
Despite the optics, ask the question generally among those informed, "Is the ICO the most effective data protection authority?" and you're bound to get a split vote.
That’s because “effective” is a relative term.
In the last year, the ICO has taken up 1,039 decision notices. Though the ICO has taken up enforcement actions against companies like Cambridge Analytica, U.K. Ticketmaster, British Airways and Marriott International, the general complaint from privacy advocates is typically that the ICO sticks to enforcing data breaches and isn’t as active in privacy enforcement more broadly.
To be fair, the ICO enforcement actions were big newsmakers. Under its mandate to enforce the EU General Data Protection Regulation, the data protection authority fined Ticketmaster £1.25 million for failing to protect customer payment data. More significantly, it fined British Airways £183 million and Marriott International £18.4 million for their respective data breaches.
But there are always going to be folks who disagree on enforcement actions. When the Federal Trade Commission settled with Facebook for $5 billion last year, half of the pundits would cite its record-breaking fine, and half would be quick to note that $5 billion is nothing to a tech giant like Facebook.
For those who can’t agree on whether the ICO is the most “effective” regulator, there’s likely more consensus over whether the ICO is one of the most active regulators. It prolifically issues guidance on how to follow data protection laws. Anyone following the topic will notice releases from the commissioner’s office almost weekly. Its 2019 guidance on deploying cookies under the GDPR was highly anticipated, for example, as cookies faced increasing scrutiny over the technology's legality once the GDPR came into force in 2018.
And no story about the U.K. would be complete without mentioning Brexit. The ICO has an important role guiding organizations through the transition period. The once free-flowing data allotment from member states to the U.K. will change. There was great fear that the U.K. would immediately be deemed "inadequate," a designation given to countries whose standards don't meet the high standard of the GDPR. But this week, a crisis was averted when U.K. lawmakers signed a post-Brexit deal with the EU. It allows the European Commission to take an additional six months to evaluate the U.K.'s adequacy.
That’s important, because the laws the ICO enforces, including the EU General Data Protection Regulation and the U.K. Data Protection Act, can be complicated, nuanced and situation-specific, and there’s no shortage of privacy professionals and corporate lawyers scrambling for answers on how regulators might view and then enforce various provisions of both laws.
Luckily for the ICO, it has a healthy team of more than 500. It's funded mainly by a provision in U.K. data protection law requiring organizations to pay a data protection fee. That accounts for 85 to 90 percent of the ICO’s budget. Additionally, the agency receives supplemental grants-in-aid from the U.K. government to fulfill freedom-of-information requests. In fiscal year 2019 to 2020, the ICO estimates it collected roughly £46,560,000 through the data protection fee and £4,626,000 from that supplemental income.
The ICO is a member of the European Data Protection Board, the group of EU data protection authorities charged with enforcing the EU GDPR. The board works together to try and harmonize enforcement across member states and also acts as a dispute resolution body in cases where a problem can't be resolved by a specific DPA.
While Brexit will surely shake up the regulatory stage slightly — the ICO will no longer take part in the European Data Protection Board once the U.K. leaves the EU — there's no indication the regulator has any plans to slow its role as a leading enforcer of data privacy and data protection law. And as the ICO generates headlines and issues fines, its global counterparts are incentivized to "keep up with the Joneses." And that's good news for data subjects everywhere.