U.K. Privacy Chief Says New EU Regime Massive Fines Won’t Be Norm


By George Lynch

Companies doing business in the U.K. shouldn’t worry that massive fines available under the European Union’s upcoming privacy regime will become a routine sanction, U.K. Information Commissioner Elizabeth Denham said in an Aug. 9 blog post.

The U.K. privacy regulator said that the availability of fines under the EU General Data Protection Regulation (GDPR) of up to the greater of 20 million pounds ($23.47 million) or 4 percent of a company’s global revenue has grabbed headlines. But when the law takes effect in May 2018, the Information Commissioner’s Office doesn’t intend to make examples of organizations by issuing maximum fines for privacy violations.

The message may lower the risk temperature for companies concerned about facing huge fines under the GDPR.

The post is the first in a series in which Denham said she will attempt to correct “myths” that have arisen about the GDPR. Myth #1, according to Denham, is that, “The biggest threat to organisations from the GDPR is massive fines.”

However, “This law is not about fines,” she said. “It’s about putting the consumer and citizen first.”

Steven Farmer, privacy counsel at Pillsbury Winthrop Shaw & Pittman LLP in London, told Bloomberg BNA Aug. 9 that “the blog is a welcome development,” even though the ICO’s final position still isn’t clear on some important aspects of GDPR. “It is important to remember that this blog represents the view of only one of the key EU regulators so it does come with those caveats,” he said.

The U.K. recently released a statement of intent that it will largely implement the GDPR into U.K. law even after it formally leaves the EU under Brexit.

Preparing for Compliance

Denham said the ICO prefers the carrot to the stick, and will maintain its commitment to “guiding, advising and educating organisations” about the GDPR as announced in its recently released Information Rights Strategy.

Nicola Cain, legal director at Reynolds Porter Chamberlain in London, told Bloomberg BNA Aug. 9 that large fines are “likely to be exercised only for large scale reckless and egregious breaches.”

Victoria Hordern, privacy and information law counsel at Hogan Lovells LLP in London, told Bloomberg BNA Aug. 9 that, “Denham is seeking to reassure companies about the ICO’s approach but also firmly underlying the point that they will need to comply with the law.” That is important because many U.K. companies haven’t started to prepare for the GDPR, Hordern said.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
