UK: First-Tier Tribunal considers first fine imposed by the ICO under the GDPR and slashes the amount by two thirds

On 17 December 2019, the ICO issued the first administrative fine under the GDPR (known as a monetary penalty notice in the UK), alongside an Enforcement Notice, against Doorstep Dispensaree Limited (“DDL”).

DDL appealed against both elements of the enforcement action taken by the ICO. That appeal has recently been decided, and the decision provides useful guidance from the First-Tier Tribunal as to the nature of the evidence required and the expectations placed on both the regulator and controllers.

The administrative fine was issued under the EU GDPR regime prior to the date that the UK left the EU (on 31 January 2020) but as the UK GDPR provisions concerning administrative fines are virtually identical to the EU GDPR provisions, this decision of the First-Tier Tribunal is equally relevant to the calculation of administrative fines under the UK GDPR.

Background

On 24 July 2018, the Medicines and Healthcare Products Regulatory Agency (‘MHRA’) executed a search warrant at premises at which personal data was held for which DDL was the controller. The premises belonged to a waste disposal business that had been tasked with destroying the material and was therefore acting as a processor of that personal data.

The MHRA seized at least 73,000 pieces of paper stored in unlocked crates, boxes and bags.  Some of these contained personal data and special category (health) data.  The MHRA informed the ICO of the position and the ICO requested information from DDL in order to clarify the position.

DDL failed to comply with that request and so the ICO issued an Information Notice under section 142 of the Data Protection Act 2018 (“DPA18”).  DDL unsuccessfully appealed against the terms of the Information Notice in January 2019.

The investigation continued until the ICO issued a Notice of Intent to issue a monetary penalty to DDL in the sum of £400,000 and issued a preliminary Enforcement Notice with reference to section 149 of the DPA18 in order to compel DDL to prepare adequate data protection compliance policies.

DDL provided written submissions to the ICO in an attempt to dissuade it from finalising those actions. Those submissions were unsuccessful: on 17 December 2019, the ICO issued (1) a formal Monetary Penalty Notice under section 155 of the DPA18 imposing a fine of £275,000; and (2) an Enforcement Notice.

DDL appealed both the fine imposed by the Monetary Penalty Notice and the Enforcement Notice to the First-Tier Tribunal.  The decision was issued on 9 August 2021 and promulgated on 18 August 2021.

Issue 1 – Analysis of the appropriate burden of proof in data protection matters

The Tribunal was asked to consider whether the burden of proof lay with the controller or the regulator with respect to allegations of non-compliance with the GDPR. The question was therefore whether the ICO has to prove non-compliance by a controller, or whether it is sufficient for the ICO to assert a failure to comply, with the burden of proof then falling on the controller to prove compliance.

The Tribunal held that the initial evidential burden is imposed upon the ICO, which is required to prove that an infringement has taken place. Once the ICO has introduced evidence of the infringement, that evidential burden naturally shifts to the other party: the controller or processor against whom the ICO has made an infringement finding is then required to prove that, contrary to the ICO’s findings, it is not infringing, and to bring evidence to support this.

Issue 2 – What is the appropriate standard of proof when imposing administrative fines: balance of probabilities or beyond reasonable doubt?

It was accepted that the standard of proof with respect to an Enforcement Notice was the civil standard of proof, namely whether the party can prove its case on the balance of probabilities.  The issue for the Tribunal was whether the standard of proof for an administrative fine was the civil standard or the higher burden of the criminal standard of proof: namely whether the allegations were required to be proven “beyond reasonable doubt”.

The Tribunal considered the case of Hackett -v- HMRC [2020] UKUT 0212 (TCC), in which the Upper Tribunal had recognised that there is a presumption in appeals against tax penalties that a civil standard of proof will apply. The Tribunal determined that the various factors outlined in that case applied in the current matter too and pointed towards the application of a civil standard of proof. The Tribunal also noted that the DPA18 sets out two distinct penalty regimes: (a) the monetary penalty regime, for which appeal is to a civil tribunal and which follows the same statutory provisions as civil appeals against other section 155(1) notices (such as Assessment Notices and Enforcement Notices); and (b) those framed by reference to the criminal process under sections 196 to 200 of the DPA18. It was therefore determined that the standard of proof for both a monetary penalty and an Enforcement Notice is the civil standard: namely whether the case is proven on the balance of probabilities.

Issue 3 – Analysis of whether a monetary penalty was appropriate

It was submitted on behalf of DDL that the level of the penalty was disproportionate to the seriousness of any proven breach and failed to consider DDL’s position of financial hardship and ability to pay. It was also submitted that the ICO had relied on an incorrect assertion by the MHRA as to the number of documents found.

The MHRA had suggested that there were 500,000 documents. In fact, an audit of the material undertaken by DDL identified that only 73,719 documents were recovered from the property and, of these:

  • 7,351 contained no personal data;
  • 6,229 contained a name only;
  • 6,268 contained a name and address only; and,
  • approximately 53,871 contained special category data.

The Tribunal accepted this evidence and found that it undermined the position of the ICO, which had referred to “over 500,000” documents and had based the level of the monetary penalty on that figure.

The Tribunal also concluded that:

  • The methods of data storage used by the waste disposal business had not been appropriately secure and did not afford sufficient protection against accidental loss or destruction. This was determined to be a breach of the integrity and confidentiality requirements of Article 5(1)(f).

  • DDL’s failure to devise adequate data processing policies contributed to the breaches of relevant data processing requirements and the waste disposal business had been provided with no appropriate procedures to follow.

  • DDL failed to implement appropriate measures to ensure that the processing was performed in accordance with the GDPR, contrary to Article 24(1), and also breached the requirements of Article 32 in that it failed to implement appropriate measures to ensure a level of security appropriate to the risk.

  • DDL accepted that it breached the requirements of Articles 13 and/or 14 in relation to the provision of information in its Privacy Notice.

Having taken all of these matters into consideration the Tribunal decided that a monetary penalty was justified in the circumstances, but reduced the amount to £92,000, which is a reduction of approximately two thirds.  In reaching this conclusion, the Tribunal noted in particular:

  • That the ICO was wrong to conclude in the original monetary penalty notice that a breach of Article 24(1) of the GDPR was a contravention for which a monetary penalty notice may be imposed. That said, and as noted above, the Tribunal did conclude that DDL had breached various other Articles of the GDPR for which a monetary penalty could be imposed.
  • The Tribunal placed particular weight on the fact that, in contrast to the “over 500,000” compromised documents referred to in the ICO’s original monetary penalty notice, only 66,638 documents containing personal data were recovered and only 53,871 of these included more sensitive special category personal data – so just over 10% of the figure relied upon by the ICO when issuing the original monetary penalty notice.
  • The Tribunal otherwise agreed with and adopted the ICO’s assessment of the factors set out in Article 83(2) GDPR when assessing the amount of fine to impose. The Tribunal noted in particular the ICO’s conclusions as to the gravity of the breach and the risk of significant emotional distress being caused to a vulnerable group of data subjects were they to become aware of the contraventions.

The Tribunal also concluded that a person responsible for a serious contravention of the GDPR should not avoid a monetary penalty solely on the basis of their financial position and that the financial hardship of DDL had already been taken into account in an appropriate manner.

Issue 4 – Analysis of whether an Enforcement Notice was appropriate

In relation to the Enforcement Notice, DDL submitted that it was inappropriate and unnecessary to issue a coercive notice in circumstances where the data protection policy breaches identified at an earlier stage had largely been remedied.

The Tribunal disagreed with that and found that it was proportionate and reasonable for the ICO to issue an Enforcement Notice in relation to DDL’s data protection policies because the ICO had repeatedly pointed out the issue to DDL, and, despite numerous attempts to satisfy the ICO of its compliance position, DDL had failed to demonstrate adequate data protection policies more than a year after serious concerns were drawn to its attention.

Comment

This is an important decision that begins to give colour to the bare framework structure of the GDPR and the enforcement elements of the DPA18.  Issues of burden and standard of proof are absolutely foundational and it is vital to get those concepts properly defined and drawn out.

The reliance of the ICO on the information provided by the MHRA looks to have been misplaced in the circumstances, although perhaps justifiable at the time.  Clearly one of the most significant factors relied upon by the Tribunal in their significant reduction of the original monetary penalty notice was that rather than 500,000 documents being affected, in fact only 53,871 documents recovered contained sensitive special category data.

The significant reduction in the monetary penalty may fuel further criticism of the ICO’s enforcement record, following on from the very significant reductions agreed by the ICO to the Marriott and British Airways fines.  However, save for the critical factual discrepancy of the number of documents compromised by the infringement, the Tribunal’s decision is otherwise largely supportive of the ICO’s original monetary penalty notice.