ICO Action Review: Q2 2022

Posted by: Mike Clarke

Across Q2 we saw a reduction in the overall number of monetary penalties issued by the Information Commissions Officer (ICO). Despite more than a 50% reduction in the number of penalties issued the cumulative value of these penalties has increased by over 800%, although this has been skewed significantly by a single fine issued to a large US firm. Removing this from the picture, the average value of fine would have fallen substantially compared to Q1.

Enforcement This Year

Smaller Penalties

All three of these fines were related to unsolicited marketing, both via email and SMS governed by the Privacy and Electronic Communications Regulations (PECR). Throughout the investigations we can see two clear trends that the ICO has focused on.

The first is that marketing consent opt-ins need to be clear to the end user. You cannot assume that accepting general T&Cs, agreeing to a privacy policy, or that purchasing a service implies that the customer also accepts to receive marketing material from you. As was pointed out by the ICO, due to the more intrusive nature of automated marketing messages, the need for direct, informed consent is held to a higher standard. You need to separate any marketing opt-ins clearly from other forms of agreement.

The second point, raised specifically to Finance Giant Limited, is that you are responsible for the technology you use to conduct marketing campaigns. Finance Giant Limited led the ICO to believe the technology they were using included a clear option for recipients to unsubscribe from their marketing email and SMS messages. However, this was not enabled by default which led to marketing messages being dispatched without a clear method to unsubscribe for the end user.

The ICO acknowledged that training had been provided to the staff across the businesses and that there was no clear intent to act dishonestly. However, ignorance of how their chosen technology platform worked was not seen as a valid excuse, and the business owners were held responsible for the technologies they choose to work with.

Larger Penalties

Both remaining fines were issued due to a breach of GDPR. The penalty issued to The Tavistock & Portman NHS Foundation Trust has a lower fine, but the ICO monetary penalty notice clearly states this fine could have been ten times the amount at £784,000 but this was reduced to £78,400 due to its role in the public sector. It also made a declaration that this does not signify that all penalties issued to government bodies would be reduced in this manner.

The penalty issued towards this NHS trust was due to sensitive patient email addresses being shared by a staff member sending a competition email by copying and pasting hundreds of email addresses into the To field of the email client. During the investigation they found that they had access to technology to properly undertake an email marketing campaign but through negligence they did not take advantage of this. It was this failure to use the correct technology that led to the breach. The ICO agreed that the actions were not intentional, but that further training was required to ensure future breaches like this did not occur.

Much, Much Larger Penalties

The largest penalty of the year to date was issued to Clearview AI Inc. This business is based in the United States and had offered its facial recognition services to UK public bodies for a trial period. These services included obtaining large quantities of publicly shared images (such as on social media) which were then stored in a database which could then be searched using another image to match facial features using an AI algorithm.

An investigation into Clearview AI’s behaviour was undertook by multiple government bodies around the world. They determined that the actions of Clearview were a clear breach of both EU and UK GDPR regulations. The ICO identified that Clearview AI had breached articles 5, 6, 9, 14, 15, 16, 17, 21, 22 and 35 of the UK GDPR. These significant breaches are related to having a reason to obtain and store data and doing so in an unfair manner (without public consent). The biometric data they were using for the facial recognition also falls under the higher data protection standards as “special category data”.

Upon raising these concerns with Clearview AI Inc, they claimed they had not breached GDPR regulations as they operated out of the United States, they felt they did not have to abide by those regulations. It is worth noting that Clearview AI did not employ any staff or store any of the data within the United Kingdom at this point. The ICO concluded that as the information originated within the UK and related to people who resides within the UK, they were liable for all UK based regulations.

When settling on a monetary value, the ICO had to factor in that Clearview AI were operating on a trial basis within the UK, they were not paid for the service they provide. The ICO decided that any monetary penalty needed to ensure Clearview AI did not make any financial gain from the breach and that it would be an effective deterrent.

Final Thoughts

Reviewing the monetary penalties throughout Q2 gives us a stark reminder of our responsibilities when running a business. It is the duty of the business to ensure it is fully aware of all applicable regulations and that it operates in a compliant manner. This includes taking responsibility for the technology we employ to support our operations, regular data protection training for staff, and written policies that are regularly reviewed.

The ICO have time and again had to explain that ignorance of these regulations is no defence. And as Clearview AI found out, operating outside of the UK does not make your business immune to prosecution by the ICO if your business uses data relating to UK citizens.

If you want to avoid receiving an ICO penalty notice in the post, as always we highly recommend that you invest the time to ensure you are always operating in a compliant manner.