On December 17, 2019, the ICO issued a monetary penalty notice and an enforcement notice against Doorstep Dispensaree Limited (“DDL“).
DDL appealed both elements of the enforcement action taken by the ICO. The appeal has recently been decided, and the First-Tier Tribunal’s decision provides useful guidance on the type of evidence required and on what is expected of both the regulator and controllers.
The fine was imposed before the UK left the EU (on January 31, 2020) and therefore under the EU GDPR regime, but the reasoning of the First-Tier Tribunal is equally relevant to the calculation of fines under the UK GDPR.
On July 24, 2018, the Medicines and Healthcare products Regulatory Agency (“MHRA“) executed a search warrant at premises where personal data for which DDL was the controller were stored. The premises belonged to a waste disposal company which, as processor of that personal data, had been engaged to destroy the material.
The MHRA seized at least 73,000 documents held in unlocked boxes and bags. Some of them contained personal data, including special category (health) data. The MHRA informed the ICO of the position, and the ICO requested information from DDL to clarify it.
DDL did not comply with this request, so the ICO issued an information notice under section 142 of the Data Protection Act 2018 (“DPA18“). In January 2019, DDL appealed against the terms of the notice, without success.
The investigation continued until the ICO issued a notice of intent to fine DDL £400,000 together with a preliminary enforcement notice under section 149 of the DPA18, requiring DDL to put adequate data protection policies in place.
DDL made written representations to the ICO to dissuade it from taking the proposed action, without success: on December 17, 2019 the ICO issued (1) a monetary penalty notice for £275,000; and (2) an enforcement notice.
DDL appealed both the fine and the enforcement notice to the First-Tier Tribunal. The decision was handed down on August 9, 2021 and published on August 18, 2021.
Issue 1 – Where the burden of proof lies in data protection matters
The Tribunal was asked to consider whether the burden of proof for an allegation of non-compliance with the GDPR rests with the controller or with the regulator. In other words, did the ICO have to prove non-compliance by the controller, or was it sufficient for the ICO to allege non-compliance, with the burden then falling on the controller to prove that it had complied?
The Tribunal held that the initial burden of proof lies with the ICO, which must adduce evidence of an infringement. Once the ICO has produced evidence of the infringements, the burden shifts to the other party: the controller or processor against which the ICO has made its finding must then show, with supporting evidence, that contrary to the ICO’s findings it has not infringed.
Issue 2 – The standard of proof for a fine: balance of probabilities or beyond reasonable doubt?
It was accepted that the standard of proof in relation to an enforcement notice was the civil standard, namely whether a party can prove its case on the balance of probabilities. The question for the Tribunal was whether the standard of proof for a fine was the civil standard or the higher criminal standard, namely whether the allegations had to be proved “beyond reasonable doubt”.
The Tribunal considered Hackett v HMRC UKUT 0212 (TCC), in which the Upper Tribunal had held that appeals against tax penalties were to be decided on the civil standard of proof, and found that the various factors set out in that case also applied here and pointed to the civil standard. The Tribunal also noted that the DPA18 provides for two distinct sanction regimes: (a) the penalty notice regime under section 155(1), an appeal against which is a civil appeal that follows the same statutory provisions as civil appeals against other notices (such as information notices and enforcement notices); and (b) the offences under sections 196 to 200 of the DPA18, which are framed with reference to criminal proceedings. It was therefore held that the standard of proof for both the fine and the enforcement notice is the civil standard: whether the case is proved on the balance of probabilities.
Issue 3 – Whether a fine was appropriate
On behalf of DDL, it was argued that the amount of the fine was disproportionate to the seriousness of any proven infringement and that DDL’s financial hardship and solvency had not been taken into account. It was also argued that the ICO had relied on an inaccurate statement by the MHRA about the number of documents found.
The MHRA had estimated that there were 500,000 documents; in fact, a DDL review of the material found that only 73,719 documents had been recovered from the premises, of which:
- 7,351 did not contain any personal data;
- 6,229 contained only a name;
- 6,268 contained only a name and an address; and
- approximately 53,871 contained special category data.
The Tribunal accepted this evidence and found that it undermined the ICO’s position, which had relied on “over 500,000” documents to justify the amount of the fine.
The Tribunal also found that:
- The storage methods used by the waste disposal company were not sufficiently secure and did not offer adequate protection against accidental loss or destruction. This was a breach of the integrity and confidentiality principle in Article 5(1)(f) GDPR.
- DDL’s failure to develop adequate data processing policies contributed to the breaches of the relevant processing requirements, and adequate procedures were not provided to the waste disposal company.
- DDL failed to take appropriate measures to ensure that processing was carried out in accordance with Article 24(1) GDPR, and breached Article 32 in that it had not implemented measures ensuring a level of security appropriate to the risk.
Taking all these matters into account, the Tribunal decided that a fine was warranted in the circumstances but reduced the amount to £92,000, a reduction of approximately two thirds. In reaching this conclusion, the Tribunal found in particular:
- That the ICO had wrongly concluded in the original penalty notice that a breach of Article 24(1) GDPR was an infringement for which a fine could be imposed. Nevertheless, as noted above, the Tribunal concluded that DDL had breached other articles of the GDPR for which a fine could be imposed.
- That, in contrast to the “over 500,000” compromised documents referred to in the ICO’s original penalty notice, only 66,368 documents containing personal data had been seized, and only 53,871 of these contained the more sensitive special category data: just over 10% of the number the ICO had relied on in issuing the original fine. The Tribunal placed particular emphasis on this point.
- That the Tribunal otherwise agreed with the ICO’s assessment of the factors in Article 83(2) GDPR and adopted them in assessing the amount of the fine. In particular, it noted the ICO’s conclusions on the gravity of the breach and the risk of significant emotional distress to a vulnerable group of data subjects were they to learn of the breaches.
The Tribunal also concluded that a controller responsible for a serious breach of the GDPR should not avoid a fine on the basis of its financial situation alone, and that DDL’s financial hardship had already been adequately taken into account.
Issue 4 – Whether the enforcement notice was appropriate
This is an important decision that adds colour to the bare framework of the GDPR and the enforcement provisions of the DPA18. Questions of burden and standard of proof are fundamental, and it is important that these concepts are properly defined and developed.
The ICO’s reliance on the information provided by the MHRA appears, in hindsight, to have been misplaced, although it may have been justified at the time. One of the most important factors on which the Tribunal relied in significantly reducing the original fine was clearly that, instead of 500,000 documents, only 53,871 of the recovered documents contained sensitive special category data.
The sharp reduction in the fine could fuel further criticism of the ICO’s enforcement record, following the ICO’s significant cuts to both the Marriott and British Airways fines. Apart from the critical factual discrepancy in the number of documents affected by the breach, however, the Tribunal’s decision largely upholds the ICO’s original penalty decision.