These slides show that, although the (UK) GDPR mandates strong enforcement and a prioritisation of this by the regulator including through the handling of data subject complaints, severe limitations exist in practice. Indeed, in 2022-23 the Information Commissioner’s Office (ICO) did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only 4 GDPR fines totalling (after later adjustment) less than £0.2M. The Tribunal has removed any substantive bite to the individual order to progress complaints remedy and the Parliamentary Committees have failed to provide effective holistic scrutiny. There is a case for some of the legislative reforms now proposed including reconstituting the ICO as a corporate board and increasing transparency. However, others risk providing a de jure entrenchment of the ICO’s positioning away from being a comprehensive upholder of core data protection rights. None directly address the serious challenges present here but a two-fold approach would do so. The order to progress complaints should police the appropriateness of the ICO’s substantive as well as procedural response and not-for-profit representative complaints should be permitted even without the mandate of data subjects in order to encourage well-argued, strategically important cases. Second, and at least as importantly, the Equality and Human Rights Commission should be obliged to periodically provide holistic scrutiny of the ICO’s enforcement track-record from a human rights perspective within which data protection rights must ultimately sit. These slides are based on a full Working Paper which may be viewed here: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4284602

1. Professor David Erdos
Faculty of Law
University of Cambridge

2. Overview
1. Formal Framework
2. ICO, Tribunal & Parliamentary Actions
3. DPDI Bill Proposals
4. Possible Ways Forward

3. Timeline
 May 2018: General DP Regulation 2016/679 and DP Act 2018 applies;
Privacy & Elec Comms Regs (PECR) supervision system unchanged.
 Jan 2021: End of Brexit Implementation Period. EU GDPR One-Stop-
Shop ceases to apply to UK. UK GDPR.
 Jan 2022: DP & Digital Information Bill published.

4. Overview
GDPR/PECR Demarcation:
 GDPR: Most (private sector) processing of personal data
 PECR: Rules on (i) electronic direct marketing and (ii)
confidentiality of e-communications including re cookies
Key Commonalities:
 Requests for ICO Action
 Information Notices
 Enforcement Notices
 Fines for Breach
Key UK GDPR additions:
 Requests are Complaints
 Assessment Notices etc.
 Enforcement Obligatory
 Fines are Significant
 Some criminal offences

5. GDPR Fines: ≤£17.5M/4% & ≤£8.7M/2% (A. 83)
Personal
Data
Processing
DP Principles
• Fair, lawful,
transparent
• Purpose quality &
limits
• Information
quality & limits
• Integrity &
confidentiality
Legitimation
• Legitimating
Criteria
Sensitive Data
• Criminal data
• Other data
Transparency &
Control
• Proactive Direct
• Proactive Indirect
• Retroactive
• Control Rights
Discipline
• Demo compliance
• Security
• DP by design &
default
• Joint controllers
• Personal data
breaches
• Processor
engagement
• Recording keeping
• DP Officer
• Impact Assess
• Export Control
 ICO must impose “effective, proportionate & dissuasive” fines

6. ICO’s Main GDPR Responsibilities
 Enforcement = (In General) Fines/Formal Enforcement:
 Core ICO Duty = Enforcement (including after Complaint)
“the supervisory authorities’ primary responsibility is to monitor the
application of the GDPR and ensure its enforcement … must handle … a
complaint … with all due diligence … following an investigation … it is
required … to take appropriate action in order to remedy any findings of
inadequacy” (Court of Justice Grand Chamber in Schrems II (2020))
“penalties including administrative fines should be imposed for any
infringement of this Regulation, in addition to, or instead of appropriate
measures … In a case of a minor infringement or if the fine likely to be
imposed would constitute a disproportionate burden to a natural person, a
reprimand may be issued instead of a fine.” (GDPR recital 148)

7.  Annual Report Numbers:
 Cross-Cutting Analysis:
 ‘Complaints’ Average: GDPR/DP 37,279; PECR 109,254
 2019/20 Report stated c. 75% budget on “proactive engagement”
 Asserted great impact to soft approach e.g. California 2020 visit:
ICO: 5 Year Analysis (2018-23)
Year DP Fines (at £ 2022) DP Notices PECR Fines (at £ 2022) Income (at £ 2022)
18/19 22 (£3.5M) 0 23 £46M
19/20 15 2 7 (£2.6M) £56.1M
20/21 3 (£44.4M) 1 35 £59.8M
21/22 4 (£0.2M) 0 33 (£3.2M) £67.4M
22/23 2 or 3 (£7.6M or £13.4M) 1 19 (£1.88M) £67.4M
“The reception was universally warm and welcoming and helped us build strong
relationships with key stakeholders. The UK’s brand of pragmatic and proportionate
regulation was widely praised by businesses and lawmakers, as was our willingness to
find new regulatory solutions to problems.”

8. DP Scrutiny Record: Tribunal & Parliament
 Individual Scrutiny by Tribunal:
 Order to Progress Complaints remedy ruled non-substantive:
 Holistic Scrutiny by Parliamentary Committees:
 No systematic scrutiny of ICO track-record at all.
“The Commissioner is the expert regulator. She is in the best position to
consider the merits of a complaint and to reach a conclusion as to its
outcome. In so far as the Commissioner’s judgments would not and cannot be
matched by expertise in the Tribunal, it is readily comprehensible that
Parliament has not provided a remedy in the Tribunal in relation to the merits
of complaints.” (Upper Tribunal in Killock, Veale et. al. 2021)
“[I]n practice [the DCMS] committee has been focused on newsworthy
campaigns that accord with the particular interests of members, rather than
more prosaic scrutiny of the ICO’s performance against its statutory
functions and own stated objectives.” (Heuston & Tumbridge, 2020)

9. DPDI Bill: Decentering DP Supervision?
Structural Changes
 ICO to be reestablished as a Board.
 ICO’s PECR powers to be brought into line with GDPR.
Objectives and Priorities
 New public trust, innovation, competition, crime, security duties.
 SoS to set out Strategic Priorities; ICO must have regard to these.
Complaints and Scrutiny
 Complaints: No need to act where “vexatious” or where controller not had
45 days to act; must be guidance & right of appeal before Tribunal.
 (Wider) Scrutiny: Must publish forward-looking strategy,
Key Performance Indicators and annual regulatory action report.

10. DP Enforcement: New Ideas
 Improving Individual Scrutiny:
 Require Tribunal to oversee appropriateness of ICO’s substantive
response at least as regards “public interest” complaints.
 Enable NGOs to bring such complaints without specific mandate.
 Improving Holistic Scrutiny:
 Require EHRC to periodically scrutinize ICO from rights viewpoint.
 Report to be published & sent to scrutinizing Select Committee, as
well as Parliament generally and also Government.