- The Information Commissioner has wide-ranging functions and powers. They are not always parameterised correctly in the relevant legislation;
- There is little evidence that objectives are being met – or even measured;
- The current data protection regime is not working as had been foreseen by the European Commission in its impact assessment for the General Data Protection Regulation (GDPR);
- Not only have costs to businesses been far greater than expected, but the regime also appears to have had a negative impact on competition and investment;
- In addition to direct compliance costs, the costs of foregone innovation and investment indicate that the GDPR is operating in opposition to the policy priorities of the UK and EU when it comes to innovation and competition in the digital economy;
- There is insufficient oversight of fines and enforcement actions. The Information Commissioner’s Office (ICO) is a prime example of “inequality of arms”: it can be more costly to argue than to accept a fine;
- The Information Commissioner can issue guidance that is of uncertain legal effect but has serious consequences – and does so without producing impact assessments. This can have negative consequences for the rule of law and accountability;
- A new briefing paper from the Institute of Economic Affairs outlines reforms that could improve the Information Commissioner’s accountability and effectiveness, while maintaining its independence.
While the ICO has been praised by business organisations for playing a valuable role in the development of data protection law and policy, there is a strong argument that the Information Commissioner is overseeing a regime that is not meeting its objectives either in fundamental rights or economic terms, says a new briefing paper from the Institute of Economic Affairs.
Who Regulates the Regulators? No 1: The Information Commissioner’s Office suggests that “too often the press, the Parliamentary Select Committees and the courts fail to hold regulators to account or maintain a healthy sceptical scrutiny of the ICO’s actions”. A forum appears to be lacking for detailed examination of its actions at a technical and legal level.
Authored by IEA Head of Regulatory Affairs Victoria Hewson and James Tumbridge, a Partner at Venner Shipley, the briefing paper argues that the current data protection regime is not working as had been foreseen by the European Commission in its impact assessment for the General Data Protection Regulation (GDPR).
The costs to businesses have been much greater than expected and there appear to have been negative effects on competition and investment. Far from stimulating innovation and competition in digital services (other than in data protection consulting) the early signs are that concentration in digital markets has increased, to the benefit principally of Facebook and Google.
Investment in technology startups fell in the aftermath of GDPR coming into effect, which could result in a yearly loss of up to 29,000 jobs in the EU. Combined with the direct compliance costs, the costs of innovation and investment foregone indicate that the GDPR is operating in opposition to the policy priorities of the UK and the EU in respect of innovation and competition in the digital economy.
Further, some firms believe full compliance is not possible, suggesting that the Information Commissioner is not succeeding in its functions of promoting public awareness and understanding, and monitoring and enforcing compliance.
The briefing paper says that there is insufficient oversight and review of fines and enforcement actions taken by the Information Commissioner. Challenging a decision is costly, there are “serious procedural defects and imbalances,” and the fines that can be levied are out of all proportion to the harm or loss caused.
The Information Commissioner can issue guidance that is of uncertain legal effect but has serious consequences – and does so without producing impact assessments. This, the authors argue, has “negative consequences for the rule of law and accountability”.
The paper concludes by outlining options for how the role and functions of the Information Commissioner could be improved, to move towards a data protection framework that, through greater certainty and proportionality, will support economic growth and innovation, while still protecting the rights and interests of individuals.
Victoria Hewson, Head of Regulatory Affairs at the Institute of Economic Affairs and co-author of Who Regulates the Regulators? No 1: The Information Commissioner’s Office, said:
“A regulator should not be beyond criticism just because its objectives are broadly supported. The Information Commissioner has wide-ranging functions and powers and needs to be held to account in their exercise. We found that there is little evidence that the Information Commissioner is meeting its objectives, or even properly measuring its performance. Reforms could improve its focus on core compliance matters (instead of issuing legally questionable guidance on subjects like political campaigning and child protection) and procedural fairness in its enforcement actions.”
James Tumbridge, Partner at Venner Shipley and co-author of Who Regulates the Regulators? No 1, said:
“We create regulators, we assume they are always acting in our best interests, but we need to recognise they are human and can let us down. The Information Commissioner is seeking ever-expanding scope over our digital lives, and we need to ask if the Commissioner is candid and transparent with those she accuses of wrongdoing, because they may be innocent. We need a system that enables a fair review that does not pressure the innocent into accepting fines.”