For non-lawyers trying to navigate the sea of information on the web relating to data protection, one thing that can be confusing is working out who is who among the authorities and bodies involved.
In the field of data protection, there are a few key names you need to know.
The Information Commissioner’s Office
The Information Commissioner’s Office, or ICO, is the UK’s independent authority set up to uphold information rights in the public interest, and it has a variety of functions.
Under the Data Protection Act 1998 every organisation that processes personal information has to register with the ICO (unless it is exempt). The ICO publishes the name and address of every registered data controller together with a description of the kind of processing it does. The ICO also has various powers under the following pieces of legislation: the Data Protection Act, the Freedom of Information Act, the Privacy and Electronic Communications Regulations, the INSPIRE Regulations, the eIDAS Regulation and the Re-use of Public Sector Information Regulations. It will also be the UK’s supervisory authority for the purposes of the GDPR. Beyond this, it addresses concerns raised by members of the public about an organisation’s handling of, and practices relating to, information rights. It advises organisations on best practice and on how to comply with the law, and it has a number of enforcement powers under the legislation mentioned above. Those powers include criminal prosecution, non-criminal enforcement and audits.
The main actions the ICO can take under the Data Protection Act are as follows:
- serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period;
- issue undertakings committing an organisation to a particular course of action in order to improve its compliance;
- serve enforcement notices and ‘stop now’ orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law;
- conduct consensual assessments (audits) to check organisations are complying;
- serve assessment notices to conduct compulsory audits to assess whether an organisation’s processing of personal data follows good practice;
- issue monetary penalty notices, requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act occurring on or after 6 April 2010 (when the GDPR comes into force this maximum potential fine will increase to €20 million or 4% of total worldwide annual turnover, whichever is greater);
- prosecute those who commit criminal offences under the Data Protection Act; and
- report to Parliament on issues of concern.
The powers the ICO has under the Privacy and Electronic Communications Regulations include:
- issuing an undertaking committing an organisation to a particular course of action in order to improve its compliance;
- conducting an audit to check that a service provider is complying with its security obligations, and making recommendations;
- serving an enforcement notice or ‘stop now’ order where there has been a breach, requiring an organisation to take specified steps to comply with the law. Failure to comply is a criminal offence;
- issuing a Monetary Penalty Notice, requiring an organisation to pay up to £500,000 for serious breaches;
- imposing a fixed penalty of £1,000 on a service provider who fails to notify the ICO of a security breach;
- applying to the court for an order under section 213 of the Enterprise Act 2002 requiring a person to cease conduct harmful to consumers;
- prosecuting if the breach also involves a criminal offence under the Data Protection Act, or if an organisation fails to comply with an Enforcement Notice (except in Scotland, where the Procurator Fiscal brings prosecutions); and
- reporting to Parliament on issues of concern.
The ICO also has a significant role in relation to the Freedom of Information Act, the Environmental Information Regulations, the INSPIRE Regulations, the Re-use of Public Sector Information Regulations and the associated codes of practice.
Specifically, where public authorities or public sector bodies repeatedly or seriously fail to meet the requirements of that legislation, or to conform to the associated codes of practice, the ICO can take action.
The Article 29 Working Party
The Article 29 Data Protection Working Party was established in 1996 under Article 29 of the Data Protection Directive (95/46/EC), from which it takes its name. It is an independent European advisory body on data protection and privacy, whose main tasks are to:
- Provide expert advice to the Member States regarding data protection
- Promote the consistent application of the Data Protection Directive in all EU Member States
- Give the Commission an opinion on Community laws affecting the right to protection of personal data
- Make recommendations to the public on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community
It is composed of:
- a representative of the supervisory authority (or authorities) designated by each EU country;
- a representative of the authority (or authorities) established for the EU institutions and bodies; and
- a representative of the European Commission.
The European Data Protection Board
The European Data Protection Board (EDPB) will replace the Article 29 Working Party under the GDPR. The EDPB has an enhanced status compared with the Article 29 Working Party: it is an EU body with legal personality and has extensive powers to determine disputes between national supervisory authorities, to give legal advice and guidance, and to approve EU-wide codes of conduct and certification mechanisms. Like its predecessor, it will be made up of the heads of the national supervisory authorities, or their representatives, and the European Data Protection Supervisor (EDPS).
The independence of the EDPB has been strongly emphasised. It will adopt its own rules of procedure and organise its own affairs. It will have its own Secretariat, provided by the EDPS but acting solely under the direction of the chair of the EDPB (by contrast, the Article 29 Working Party’s secretariat was provided by the Commission).
It will have a variety of tasks, the main one being to contribute to the consistent application of the GDPR throughout the European Union. Other tasks will include advising the Commission, in particular on the level of protection offered by third countries or international organisations, and promoting cooperation between national supervisory authorities. It will also issue guidelines, recommendations and statements of best practice.
A new function for the EDPB will be to conciliate and determine disputes between national supervisory authorities. Notably, it will be required to consult interested parties “where appropriate”, which should benefit those who may be affected by its opinions, guidelines, advice and proposed best practice.