Consultation on ICO Powers Shows the Breadth of the Regulator’s Powers

31 January 2022

On 20 December 2021 the ICO launched a consultation seeking views on three documents, which together demonstrate its wide-ranging powers to undertake investigatory, regulatory and enforcement action.  

The three documents consist of:

  1. The “Regulatory Action Policy”;
  2. The “Statutory guidance on our regulatory action”, which covers the ICO’s obligations under s.160 of the Data Protection Act 2018; and
  3. The “Statutory guidance on our PECR [Privacy and Electronic Communications Regulations] powers”, which covers the ICO’s obligations with respect to the imposition of Monetary Penalty Notices for breaches of PECR under s.55C of the Data Protection Act 1998.

Following the implementation of the GDPR and the Data Protection Act 2018, the ICO’s data protection powers became well known. The public’s awareness of data protection grew as their inboxes filled with updated privacy notices, and the press ran headlines about the huge fines imposed on organisations. The draft “Statutory guidance on our regulatory action” is an updated policy on the ICO’s use of its powers to investigate and assess whether data breaches have occurred, provide guidance on how organisations can comply with data protection laws, and enforce such laws in the event of non-compliance. It builds on pre-existing guidance, giving more comprehensive information about when various powers will be used.

The draft “Statutory guidance on our PECR powers” covers how the ICO will use its powers to issue monetary penalties for breaches of the Privacy and Electronic Communications Regulations. The Regulations cover many of the issues associated in the public mind with GDPR including, marketing calls, emails, and texts; and cookies.

Kingsley Napley analysed the current iteration of the Regulatory Action Policy when it was launched in 2018 here. The draft Regulatory Action Policy under consultation deals with the ICO’s full plethora of powers and responsibilities under various pieces of legislation, including those mentioned above and:

  • the Freedom of Information Act 2000 (FOIA);
  • the Re-use of Public Sector Information Regulations 2015;
  • Environmental Information Regulations 2004 (EIR);
  • the Environmental Protection Public Sector Information Regulations 2009 (INSPIRE Regulations);
  •  the Network and Information Systems Regulations 2018 (NIS);
  • the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (eIDAS);
  • The  Enterprise Act 2002; and
  • The Investigatory Powers Act 2016.

It covers the ICO’s role as a regulator dealing with enforcement matters in the UK; and lists what will be considered aggravating and mitigating factors when information rights breaches occur. The 2018 Regulatory Action Policy set regulatory co-operation as an objective for the ICO. The new draft policy sets out in greater detail how the ICO co-operates with other UK regulators and agencies; and with data protection and information access regulators around the world. Detail is provided for the first time about how the ICO meets its obligations to support economic growth; and new approaches to helping businesses with compliance, such as the SME Hub and the Regulatory Sandbox, are detailed.

The ICO’s three draft policies, and the draft Regulatory Action Policy in particular, show the breadth and depth of the regulator’s powers. It has extensive powers to undertake investigatory, regulatory and enforcement action for breaches of a range of legislation; and has obligations to support economic growth. The ICO has grown considerably since its inception and rapidly in recent years. In 2018 it had more than 500 members of staff. As of March 2021 this number stands at 822. However, given its range of responsibilities, there are still questions about whether it is sufficiently resourced to deal with the challenges of regulating data protection and access to information.

Further information 

If you have any questions regarding this blog, please contact Fred Allen in our Public Law team.

About the author

Fred is a senior associate within the Public Law Department and International Crime Group. His clients have included businesses, trade associations, religious institutions, schools, education providers, charities, and private clients including high net worth individuals, and senior political and business figures.  

Share insightLinkedIn Twitter Facebook Email to a friend Print

Email this page to a friend

We welcome views and opinions about the issues raised in this blog. Should you require specific advice in relation to personal circumstances, please use the form on the contact page.

Leave a comment

You may also be interested in:

Skip to content Home About Us Insights Services Contact Accessibility