Towards Effective Supervisory Oversight? Analysing UK Regulatory Enforcement of Data Protection and Electronic Privacy Rights and the Government’s Statutory Reform Plans

37 Pages Posted: 12 Dec 2022

See all articles by David Erdos

David Erdos

University of Cambridge - Faculty of Law; Trinity Hall

Date Written: November 28, 2022

Abstract

This paper finds that although the (UK) GDPR mandates strong enforcement and a prioritisation of this by the regulator including through the handling of data subject complaints, severe limitations exist in practice. Indeed, in 2021-22 the Information Commissioner’s Office (ICO) did not serve a single GDPR enforcement notice, secured no criminal convictions and issued only 4 GDPR fines totalling just £633k (later reduced to £183k - see note 1 of paper). The Tribunal has removed any substantive bite to the individual order to progress complaints remedy and the DCMS Committee has failed to provide effective holistic scrutiny. There is a case for some of the legislative reforms now proposed including reconstituting the ICO as a corporate board and increasing transparency. However, others risk providing a de jure entrenchment of the ICO’s positioning away from being a comprehensive upholder of core data protection rights. None directly address the serious challenges present here but a two-fold approach would do so. The order to progress complaints should police the appropriateness of the ICO’s substantive as well as procedural response and not-for-profit representative complaints should be permitted even without the mandate of data subjects in order to encourage well-argued, strategically important cases. Second, and at least as importantly, the Equality and Human Rights Commission should be obliged to periodically provide holistic scrutiny of the ICO’s enforcement track-record from a human rights perspective within which data protection rights must ultimately sit.

Keywords: AdTech, Brexit, DCMS Committee, data protection, Data Protection and Digital Information Bill, e-privacy, Equality and Human Rights Commission, fines, Information Commissioner’s Office, Parliamentary and Health Services Ombudsman, National Audit Office, Real Time Bidding, tribunals, UK GDPR

Suggested Citation

Erdos, David, Towards Effective Supervisory Oversight? Analysing UK Regulatory Enforcement of Data Protection and Electronic Privacy Rights and the Government’s Statutory Reform Plans (November 28, 2022). University of Cambridge Faculty of Law Research Paper No. 16/2022, Available at SSRN: https://ssrn.com/abstract=4284602 or http://dx.doi.org/10.2139/ssrn.4284602

David Erdos (Contact Author)

University of Cambridge - Faculty of Law ( email )

10 West Road
Cambridge, CB3 9DZ
United Kingdom

HOME PAGE: http://www.law.cam.ac.uk/people/academic/d-o-erdos/5972

Trinity Hall ( email )

University of Cambridge
Trinity Lane
Cambridge, CB2 1TJ
United Kingdom

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
568
Abstract Views
2,067
PlumX Metrics