The Open Rights Group describes itself as “a UK-based digital campaigning organisation working to protect our rights to privacy and free speech online”. Although its campaigns are varied, there has definitely been an emphasis in recent months on the work of the ICO, culminating in a fiery call by the organisation’s Executive Director Jim Killock to the Commons DCMS committee to hold the Commissioner to account when she next appears before it. Regular readers of this blog might expect I would be in favour of this kind of thing. I’ve never been a fan of the ICO and I agree that Denham’s tenure has been embarrassingly light on enforcement, especially in the GDPR era.
I agree with some of ORG’s complaints – the ICO often misses opportunities to take action. Killock cites the A-Level algorithm scandal as an example and I agree that even in a pandemic, ICO should have intervened. But I think the following statement is ridiculous: “For us at ORG, the greatest of these failures is their work on Adtech”. Not the catastrophic mishandling of personal data in the Windrush scandal, not the craven approach to Google’s encroachment into the NHS, not even the secretive profiling of most UK adults by political parties (which ORG definitely knows about because they’re campaigning against it). No, ORG’s biggest concern is adverts. In my opinion, if the ICO was only going to enforce on one thing, security would be the area I’d pick, and I wouldn’t put adverts in the top ten.
It gets worse. The first of the crucial questions ORG wants answered is “Why do the ICO’s fines only target data leaks, spam, and robocalls?” The answer to this is that they don’t. In recent years, the ICO fined Bounty and Emma’s Diary for consent and transparency issues, as well as the TV company Tru Visions for their opaque and unfair filming of women in a neo-natal unit. The ICO’s fines on transparency against leading charities turned the sector upside down not so very long ago. They have also enforced on HMRC’s use of voice recognition and the Met Police’s woeful handling of the Gangs Matrix.
Admittedly, these were all under the 1998 DPA, but the problem with the ICO’s enforcement under GDPR is that Denham hobbled the organisation by pouring staff and resources into the pointless Operation Cederberg investigation into political analytics. Given ORG’s obsession with politics and online ads, they were probably in favour of that, despite its meagre outcomes, most notably the hilarious conclusion that Cambridge Analytica weren’t involved in the Brexit referendum.
Killock’s article describes PECR breaches as “very simple abuses”. I’m assuming he’s never read a PECR penalty notice because if he had, he would know that they are committed by dodgy organisations who are often involved in exploiting and defrauding vulnerable people, and whose efforts to evade detection require complex investigations and sometimes dawn raids. When Killock dismisses action on “spam and robo calls”, he’s also ignoring the fact that the ICO receives more than 100,000 complaints about live and recorded calls every year. How dare the regulator use its enforcement powers on intrusive and sometimes abusive calls when a pressure group knows better. It’s worth noting that ORG’s membership is less than 20% of the people who made PECR complaints.
Of course, there are very few PECR fines on ‘spam’, so the assertions about the ICO’s fines suggest to me that ORG is reacting to a single recent case rather than offering an accurate analysis of PECR enforcement. Given that Killock is explicitly writing about GDPR enforcement, it’s also odd that a major part of his complaint is about PECR.
Elsewhere he makes the wholly inaccurate claim that the ICO “only recently acquired enforcement powers”. The ICO received powers to issue enforcement notices in the 1998 Data Protection Act, and the penalty followed in 2009, coming into force in 2010. One of the problems he identifies with the Experian Enforcement Notice is that they can appeal it, seemingly oblivious to the fact that the fines he’s demanding can also be appealed via the same process. If nobody at ORG understands these things, how can they competently campaign in this area?
Fines are plainly an important part of regulation. Some situations require a punishment rather than negotiated or enforced remedial work – interestingly, several of the ICO’s PECR actions combine both a penalty and an enforcement notice, and I hope that this combination keeps happening. Nevertheless, the ORG view seems to be that Experian have somehow got off the hook. It’s true that Experian have been profiting from opaque data processing for many years (their antecedents first started circulating lists of undesirable customers in 1827), but moaning about the absence of a penalty is dumb. Unless the ICO picked a ludicrous figure, Experian could afford to pay it. It would be the price of doing business. The ICO’s enforcement notice is directed at the heart of Experian’s non-credit related business. It forces them to change an entire business model. It is unquestionably more effective than a fine, but the Open Rights Group’s Director seemingly doesn’t understand what the ICO has done:
“The ICO’s decision to hold back from issuing fines sends a clear message. No matter how bad your reasoning is, no matter how rich your company is, and no matter how much money you make from data misuse, the ICO will not issue a financial penalty, so please feel free to carry on ignoring GDPR.”
Saying this in the context of action that *stops* Experian (one of the biggest data based companies in the world) from misusing data is so wrong-headed, I don’t understand how someone who claims to understand data rights could type the words. A fine stops nothing in itself. An enforcement notice does. What is he talking about?
ORG wants your money. Their activities are funded by donations, and I think it’s important to ask whether an organisation that is happy to dismiss the importance of action on data security and intrusive, harmful and unwanted marketing is the right place for your money to go. I’ve written before (https://2040training.co.uk/open-goal/) about their opaque and inaccurate style of campaigning, and in the particular campaign I mentioned, ORG were obliged to admit that the supposedly diabolical profiling they were complaining about turned out to be almost completely ineffective. ORG is currently attempting to persuade the Tribunal to change the entire Data Protection appeal process on the basis of a specific interpretation of one phrase, despite the Tribunal having already clearly disagreed with that interpretation.
You have to understand laws before you try to change them, and if your group is disdainful towards the concerns of ordinary people who actually bother to complain, I’d argue that you’re not operating in the public interest, but on the basis of private and elitist concerns.