ICO Enforcement Action January – June 2024

During the first half of 2024, the ICO recorded a total of 29 enforcement actions (fines, reprimands or enforcement notices) on its website, brought against 22 organisations - slightly down on the same period last year in which it took 33 actions against 28 parties (27 organisations and one individual).

‍

Of the 22 organisations which incurred enforcement proceedings in 2024, 13 were public bodies and 9 were private companies.  This compares to 15 public authorities enforced against in the first half of 2023 and 13 private sector organisations – so, there was a slightly more even split between public and private entities last year, but with public bodies still forming the majority in both years.

‍

One eye-catching feature of both years’ figures is that, of the 15 public bodies that received enforcement in 2023, 6 (or 40%) were either police forces or other law enforcement agencies.  In 2024, that figure had risen to 7 (54%) of the 13 public authority recipients of action being police or other law enforcement bodies.  It should be noted that the 2024 figure does not include the £750K Notice of Intention to Fine issued by the ICO in May against the Police Service of Northern Ireland for the very serious data security breach it committed last year.

‍

Of the 9 monetary penalties imposed by the ICO in the first half of this year, the overriding majority (7) resulted from infringements of the Privacy and Electronic Communications Regulations (PECR) rules on telemarketing, rather than from infringements of the GDPR.  This very closely mirrors the position last year (when there were 8 fines levied in the first six months, including 7 for breaches of PECR).  Interestingly, the two non-PECR fines in 2024 were applied to a government department (the Ministry of Defence) and a charity (the Central YMCA), notable departures from the ICO’s usual policy of not fining public bodies.  

Also interesting, and probably relevant to the ICO’s decision to fine (and not just reprimand) the organisations, both fines related to data breaches which involved the unauthorised disclosure of highly sensitive information through the inadvertent inclusion of data subjects’ email addresses in the visible ‘CC’ field of multiple-recipient emails, rather than the ‘BCC’ one.  Presumably the ICO wanted to drive home the message regarding the disproportionate harm that can be caused by this simple, recurrent and easily controllable data security lapse.

At £350,000 (reduced from the £1m initially proposed), the MOD’s fine is by far the bigger of the two monetary penalties so far in 2024.  By contrast, last year’s biggest fine – the £12.7m sanction imposed on TikTok – was an anomaly because it was the third largest ever issued by the UK regulator.

The 20 enforcement actions so far in 2024 which were not fines comprised 10 reprimands (all with regard to public sector bodies); and 10 enforcement notices (of which 8 involved private sector organisations and 2 involved public authorities).  In respect of January to June 2023 on the other hand, the 25 non-monetary penalties consisted of 16 reprimands (14 of which were issued to public authorities); 8 enforcement notices (involving 6 private entities and 2 public bodies); and one prosecution of an individual, for illegally obtaining personal information contrary to Section 55 of the Data Protection Act 2018.

‍

There are some trends discernible which are consistent across the first half of 2024 and the same period in 2023:

• Continuing low numbers of fines are being issued by the ICO, with these usually being incurred by private sector organisations for contraventions of PECR;
• Police and other law enforcement bodies are overrepresented among public organisations which receive non-fine enforcement actions (mostly reprimands); and
• The regulator favours reprimanding public sector organisations (and issuing enforcement notices to private sector ones), rather than issuing other forms of enforcement - however it is prepared to fine public bodies when the breaches committed, and damage suffered by the individuals affected, have been particularly grievous.