In 2020 the Information Commissioner’s Office (the ICO) collected approximately £39.7 million in fines. These fines were issued to companies that breached the General Data Protection Regulations and did not comply with their data protection obligations. However, the fines came from only three cases, which means that the ICO was not actually very active in fining companies for data breaches on a regular basis. Those three cases were a £20 million fine for British Airways, £18.4 million for a data breach which took place in 2014, and a £1.25 million fine for Ticketmaster.
So does this mean the ICO is ineffective?
The ICO upholds information rights in the public interest and promotes openness by public bodies and data privacy for individuals. Fines issued by the ICO aim to act not only as a punishment/consequence for not upholding data protection obligations but also as a warning/reminder to other companies to ensure they are complying with their own data protection obligations and have the appropriate systems/processes in place.
The ICO is an exceptionally busy authority with a significant backlog of complaints to investigate; the majority of complaints/data breaches are quite minor and could easily be prevented if organisations changed their processes. The ICO provides guidance to try to ensure companies do not fall into a repeated pattern of behaviour.
So did any country collect more?
Yes. Italy collected approximately £52.6 million in fines. Whilst most countries collected less money in fines than the UK, most countries issued far more fines than the UK. Estonia, Latvia, Iceland and the Isle of Man issued fewer than three fines each, and Germany, the Netherlands and Austria collected fines from three cases too. Ireland (the supervisory authority for European customers of several US technology companies including Facebook) issued four fines. The two European countries that issued the most fines for breaches of data protection were Italy (as mentioned above), which issued 34 fines, and Spain, which issued 128 fines. The number of fines issued by the ICO is not that dissimilar to the number of fines issued by other European countries, though.