Respondents provided a range of other comments on the Fining Guidance, including the points set out below.
Summary of responses
One respondent noted that the new Fining Guidance will apply to new cases and ongoing cases where the ICO has not yet issued a notice of intent to impose a fine. They raised the risk of the inappropriate imposition of a retrospective penalty if applying the new Fining Guidance would serve to impose a greater penalty than would have been the case if the old guidance had been applied. It was suggested that this would infringe Article 1 Protocol 1 of the European Convention on Human Rights, as well as the principle of regulatory certainty.
Another respondent suggested that it would be helpful to have greater clarity about how fines will work in cases of joint controllership.
Some respondents requested more information about how previous decisions will be used to determine fines in future cases, noting that it was sometimes difficult to understand why some decisions differed despite apparent similarities in facts between cases.
Finally, another respondent encouraged the ICO to adopt a similar stance on settlement discounts as that set out in the Competition and Markets Authority’s guidance as to the appropriate amount of a penalty for infringements of the Competition Act 1998.
ICO Response
The ICO considers that it is appropriate for the Fining Guidance to apply to all new cases and to those cases where a notice of intent to impose a fine has not been issued. The ICO does not consider that there is a risk that this would lead to the imposition of a retrospective penalty. The statutory basis under which the ICO may impose fines for infringements of UK data protection law has not changed. The Fining Guidance merely provides more detailed guidance about how the ICO decides whether it is appropriate to exercise administrative discretion to issue a penalty notice and, if so, how the ICO determines the amount of any fine imposed.
In relation to the application of the Fining Guidance where there are joint controllers, the ICO notes that it is necessary to consider whether each controller has committed an infringement intentionally or negligently. Where there are two or more joint controllers, the ICO will, before deciding to impose a fine, assess the responsibility of each of the controllers for the infringement to determine whether any or all of them acted intentionally or negligently. The Fining Guidance has been updated to explain this.
As set out in the Fining Guidance (paragraph 149), the ICO intends that the new guidance will help ensure a consistent approach to calculating fines that will develop over time. Although the ICO is not bound by previous decisions, we will have regard to the level of fines set in previous cases, where relevant, and explain the reasons for deciding on the fine amount in each case in order to ensure transparency.
Finally, we welcome the suggestion about introducing a formal settlement policy and offering a reduction in fines on that basis. We note that, in addition to the Competition and Markets Authority, the other regulators who are also members of the Digital Regulation Cooperation Forum (the Financial Conduct Authority and Ofcom) have a formal settlement procedure. Although we have decided not to introduce such a policy in the Fining Guidance at this stage, we will give consideration to the merits of doing so in the future.