While the tragic human consequences of COVID-19 have played out on nightly news bulletins, regulators across Europe have scrambled to adjust their approach to minimise its immediate and longer-term economic consequences. Early on, the UK’s Information Commissioner (‘ICO’) declared its reasonableness and pragmatism in the face of the health emergency and, on 15 April, it fleshed this out in a publication setting out its regulatory approach during the coronavirus pandemic. The ICO’s document is one of a series issued by the data watchdog in recent weeks and will be welcomed by data controllers and processors under exceptional pressure. Nevertheless, those seeking dispensation from data security obligations at this time will look in vain, and risks remain for the unwary.
Three factors lie behind the ICO’s temporary regulatory approach during the pandemic: regulated organisations face staff and operating shortages; public authorities are preoccupied with meeting front-line service demands; and acute financial pressure is squeezing budgets and cashflows. As the regulator acknowledges, these factors may impair data controllers’ ability to comply with data protection legislation. Rather than appearing ‘tin-eared’, the ICO, like the European Data Protection Supervisor and national data supervisory authorities across Europe, has chosen to highlight the flexibility built into the GDPR, and to reassure those it regulates by giving a steer on how data rules will be applied during this exceptional situation.
ICO’s Approach During Health Emergency
Amongst the high-level indications set out in the ICO’s document are that the regulator will suspend data audit work to focus instead on the most serious challenges to the public, will use its formal powers to require information sparingly and allow more time to respond, and will conduct fewer investigations so as to concentrate on circumstances suggesting serious regulatory non-compliance. In fact, on 1 April, the First-tier Tribunal, which hears appeals from ICO notices, had already granted the Information Commissioner’s request for a 28-day general stay on all proceedings as a result of the pandemic. While the ICO’s stay application was made for technical reasons, it is a clear example of the ICO’s modified regulatory approach. Its practical effect is that compliance with information, assessment, enforcement and penalty notices under appeal is also placed on hold, granting recipients temporary ‘breathing space’.
As part of the ICO’s approach during the pandemic, enforcement action is unlikely where Freedom of Information Act and data subject access requests are not satisfied within the normal timescales. Personal data breaches notifiable under GDPR Article 33 must, however, still be reported to the regulator within the requisite 72-hour period. Even here, the watchdog hints at flexibility where the reporting deadline is affected by the current crisis. That said, any organisation breaching data protection law to take advantage of the situation is likely to face serious consequences.
In terms of COVID-19’s impact on GDPR penalties, much media attention has focused on the ICO’s agreement with British Airways and Marriott to extend until later in the summer its disciplinary process for high-profile data breaches, which came to light during 2018 and involved thousands of customers’ personal and financial data. The deferral gave rise to speculation that the pandemic was the cause. In fact, earlier extensions had been granted in January, weeks before the pandemic was declared, indicating that other factors are at work in the resolution of those investigations. Nevertheless, the ICO’s established Regulatory Action Policy had always included the ability to pay as a factor in determining the amount of any penalty, and the data watchdog has now openly acknowledged that the current situation is likely to reduce fines. Given the financial ‘hit’ suffered by the airline and hospitality industries since the pandemic was declared, it would be surprising indeed if this were not a key consideration in determining any sums ultimately paid by the two stricken corporate giants.
A False Sense of Security?
While the speed at which COVID-19 spread left legislators and regulators with little choice but to relax regulation, this brings with it significant compliance risks.
Where regulation tries to adapt too quickly to novel and rapidly developing circumstances, there is a risk of oversimplification. For example, in its well-intentioned guidance to the many community support groups which have grown up during the pandemic, the ICO ostensibly reduces to a single sentence the finely balanced three-part GDPR test of the legitimate interests basis for data processing. This demonstrates the risk that urgent regulatory guidance issued in the wake of the pandemic could lead the unwary into inadvertent error.
Similarly, as traditional office-based working patterns have been suddenly upended, criminals have stepped in to seize the opportunities presented by homeworking infrastructure: phishing campaigns, hijacked online meetings, and the exploitation of vulnerabilities in desktop virtualisation and remote-access technologies. On reading the ICO’s approach during the pandemic, a ‘forgiving’ attitude towards data breaches might initially be assumed. In fact, the ICO elsewhere makes clear that those responsible for data security should apply the same measures to homeworking that they would consider in normal circumstances. Lax security that exposes data subjects to significant risk – particularly after general warnings of heightened danger from the National Cyber Security Centre, the National Crime Agency and the ICO itself – may still precipitate a costly and reputationally damaging regulatory investigation, if not now then later down the line.
While data controllers and processors will welcome the reassurance provided by the ICO at the present time, the regulatory approach remains principle-based; certainty of what is required will remain elusive. Businesses and organisations may draw some comfort from the ICO’s position during the current health emergency, but they would be wise to maintain data protection standards wherever possible and not to see the regulator’s approach as a ‘free pass’.