Court Ruling Provides Clarity on Appeals Against ICO Fines

The UK’s data protection regulator has welcomed a court ruling dismissing an appeal against a historic GDPR fine, arguing that it will provide much-needed clarity for future cases.

The Information Commissioner’s Office (ICO) issued Doorstep Dispensaree with a monetary penalty notice of £275,000 back in 2019.

That followed a tip-off by the Medicines and Healthcare Products Agency, which said the online pharmacy had been storing unlocked boxes of sensitive personal information in a publicly accessible location.

A subsequent appeal by the firm resulted in the fine being reduced to just £92,000 after Doorstep Dispensaree was able to prove that less personal information was actually being stored in the containers.

However, it raised another appeal on a further two grounds, which the Court of Appeal heard on November 21.

The firm argued that:

  • The judge in the previous appeal hearing failed to recognize that the burden of proof should have been on the ICO
  • The judge “wrongly afforded weight” to the ICO’s reasons for imposing and setting the penalty

The Court of Appeal dismissed both grounds for appeal. It ruled that the burden of proof in an appeal lies with the appellant, and that any subsequent tribunals and appeals are not required to ignore the original monetary penalty notice when making their decisions.

The ICO praised the decision as one of considerable importance in terms of appeals against future penalties. It should help to reduce the opportunities for firms issued with monetary penalty notices to argue their way out of them in the courts.

“I welcome the Court of Appeal’s judgment in this case as it provides clarity for future appeals. We defended our position robustly and are pleased that the court has agreed with our findings,” said information commissioner, John Edwards, in a brief statement.

ICO Fines Trail Off

However, ICO fines for GDPR/Data Protection Act 2018 infringements have become few and far between over the past two years.

According to one analysis, the regulator issued just one GDPR fine in 2023, versus 16 under the Privacy and Electronic Communications Regulations (PECR), which regulates nuisance marketing. The previous year, it issued 29 PECR fines and five GDPR fines.

The trend appears to be continuing. In the first half of 2024, the ICO issued seven PECR fines and just two GDPR monetary penalty notices.

One of these was a £350,000 fine levied against the Ministry of Defence (MoD), reduced from an original sum of £1m under the regulator’s controversial Public Sector Approach.

Edwards recently confirmed that the two-year trial run of this approach would be extended. It will see public bodies likely escape the worst of the ICO’s fines, while private sector organizations remain in the crosshairs.
