Regulating data protection in a crisis: what the ICO is doing now

The Office for Budget Responsibility says the UK may be on course for its biggest economic slump since 1709. The times are intensely challenging for almost all organisations. Here’s what you need to know about he ICO’s approach during the current crisis.

On 16 April 2020, the Office for National Statistics released its business survey on the impact of the coronavirus. A quarter of over 5,000 businesses reported they had temporarily closed or paused trading in the period from 23 March to 5 April 2020. Of those still trading, an average of 21% of their workforces have been furloughed in the same period.

In effect, the ICO is regulating businesses which no longer operate (for now) or which may be substantially understaffed. The world has changed significantly and the ICO has therefore had to adapt.

On 15 April the Information Commissioner, Elizabeth Denham, issued a statement which sets out what businesses can expect from the ICO in the coming months.

Denham says ‘it is right that we must adjust our regulatory approach’, adding that data protection law, such as the GDPR, is ‘not an obstacle to such flexibility’. She says her office will ‘safeguard information rights in an empathetic and pragmatic way that reflects the impact of coronavirus’ and concentrate its efforts on the greatest threats’.

In her statement, the Information Commissioner has an eye to the future too. There has been much talk in recent weeks about finding the right balance between protecting public health and ensuring respect for the principles of data privacy, such as in COVID-19 tracking apps. The answers aren’t easy, but she gives a shot across the bow that data protection should not be sacrificed in this crisis, referring to the ‘continuing importance of privacy protections’ which are ‘a part of modern life we must not lose’.

Further details of the ICO’s regulatory approach are set out in a six-page document. In particular, this says the ICO must take into account:

• staff and capacity shortages;
• the fact organisations are facing acute financial pressures; and
• public bodies redeploying resources to meet severe front-line pressures

The paper goes into detail about what people should expect from the ICO in this period:

• when taking formal action (including issuing fines) it will ‘take into account whether the organisation’s difficulties result from the crisis, and if it has plans to put things right at the end of the crisis’. It may also extend the time periods for breaches to be rectified;
• before issuing any fines, it will take into account the ‘economic impact and affordability’, adding ‘in current circumstances, this is likely to mean the level of fines reduces’. (It will certainly be interesting to see, for example, how this will impact on the deferred fines to British Airways and Marriott. BA has reduced capacity by at least 90% in April and May, compared to 2019, and occupancy in Marriott’s European hotels is currently under 10%, with almost 80% of hotels temporarily closed. Are the large proposed fines of £183 and £99 million now untenable?);
• it will focus its efforts ‘on the most serious challenges and greatest threats to the public’;
• it recognises that responding to subject access requests is challenging at the moment and ‘can take this into account when considering whether to impose any formal enforcement action’;
• it recognises ‘the current reduction in organisations’ resources could impact their ability to comply with aspects of the law’;
• it will also look to be ‘flexible’ in its approach, ‘taking into account the impact of the potential economic or resource burden our actions could place on organisations’;
• the impact of the crisis ‘may mean less use of formal powers’ in terms of the evidence to be given to the ICO or the time periods for responding to it. It also expects ‘to conduct fewer investigations’, instead focussing its attention ‘on those circumstances which suggest serious non-compliance’;
• it has stood down its audit work;
• all formal regulatory action in connection with outstanding information request backlogs ‘will be suspended’.

This is not a licence, however, to slacken off. The ICO has made it clear that it will ‘take a strong regulatory approach against any organisation breaching data protection laws to take advantage of the current crisis’. In other words, this change in approach doesn’t mean that businesses can ignore their data protection obligations, rather it means that the ICO is likely to give them a bit of lee-way should something go wrong.

The ICO’s approach is reflected by the Global Privacy Assembly (of which more than 130 data protection and privacy authorities are accredited as members) and, to a degree, by the Council of Europe which recognises that a fine balance has to be struck during these difficult times. Some countries such as France and the Benelux countries are, however, taking a less flexible approach to data protection during this pandemic. While some supervisory authorities in such jurisdictions haven’t issued specific guidance like the ICO on their regulatory approaches, the COVID-19 guidance they have issued to date certainly suggests that they may be less willing to be particularly flexible if anything goes wrong.