The Information Commissioner has extensive powers but is not being held to account
They can impose huge fines, undertake investigations on business premises, and bring criminal prosecutions. They can issue guidance that is very influential on how firms act.
Yet – as I point out in a new briefing paper, co-authored with James Tumbridge, a partner at law firm Venner Shipley – there appears to be no forum for detailed examination of the ICO’s actions at a technical and legal level.
While the Information Commissioner is formally accountable to the DCMS Committee, and its decisions can be challenged in the courts, in reality both channels are weak. To date, the DCMS Committee has shown little interest in scrutinising the detail of the ICO’s operations.
As James notes:
“The greatest problem with regulators is the view they are always virtuous. Those who work at regulators are no better or worse than any other person, but that means there will always be less than perfect action because some of their staff will make errors. The trouble is the errors go uncorrected, and the accused suffer. Too often the press, the parliamentary select committees and the courts fail to hold regulators to account and fail to maintain a healthy sceptical scrutiny of their actions.”
The second problem with regulators, as James points out, is the inequality of arms. Bodies like the ICO have the backing of the state, which effectively means limitless resources. It is costly to seek good advice and defeat a determined regulator who is using its position and resources to force a concession. The ICO is well aware it can be more expensive to contest than to accept a fine.
The Information Commissioner does not carry out impact assessments on the guidance it produces, even though it has serious costs for business and is hard to challenge in the courts. Yet, as in the case of the Age Appropriate Design Code of Practice, much of its content does not appear to have a sound basis in law.
The costs of the General Data Protection Regulation (GDPR), which the ICO is responsible for overseeing and enforcing, were seriously underestimated by the European Commission in its impact assessment. It had projected that the GDPR would be a deregulatory measure, one that would save on compliance costs and stimulate innovation.
Yet studies suggest that, so far, the new regulation has had a negative impact on investment and competition in the technology sector. Reporting from the ICO and the Commission shows little evidence that there have been improvements in security and privacy to justify these costs. What’s more, the actions of the Information Commissioner in gold-plating the GDPR, and the procedural unfairness that pervades its enforcement actions, exacerbate these costs.
Last week the CMA, in its study on the digital advertising market, acknowledged that digital giants Facebook and Google have benefited from the GDPR as it gave them the opportunity and justification to prevent competitors from accessing vital data. Alarmingly, their proposed solution was to introduce yet more regulation and greater powers for the Information Commissioner.
In 2012, while the GDPR was proceeding through the EU legislative process, the Ministry of Justice in the UK carried out its own impact assessment. It was sceptical of the claims made by the European Commission. It recommended seeking changes to the EU approach towards “a data protection framework that will stimulate economic growth and innovation, while providing data subjects with a proportionate level of protection”.
Next year, after the end of the transition period, the government will be in a position to reform some of the workings of the Information Commissioner to bring greater legal certainty and proportionality, and support investment and innovation in technology. This opportunity will arise at a time when the UK will need it more than ever before: let us hope the government seizes it.
This article was originally published on CapX.