U.K. Privacy Chief Says New EU Regime Massive Fines Won’t Be Norm

George Lynch

Companies doing business in the U.K. shouldn’t worry that massive fines available
under the European Union’s upcoming privacy regime will become a routine sanction,
U.K. Information Commissioner Elizabeth Denham said in an Aug. 9
blog post.

The U.K. privacy regulator said that the availability of fines under the EU General
Data Protection Regulation (GDPR) of up to the greater of 20 million pounds ($23.47
million) or 4 percent of a company’s global revenue has grabbed headlines. But when
the law takes effect in May 2018, the Information Commissioner’s Office doesn’t intend
to make examples of organizations by issuing maximum fines for privacy violations.

The message may lower the risk temperature for companies concerned about facing huge
fines under the GDPR.

The post is the first in a series in which Denham said she will attempt to correct
“myths” that have arisen about the GDPR. Myth #1, according to Denham, is that, “The
biggest threat to organisations from the GDPR is massive fines.”

However, “This law is not about fines,” she said. “It’s about putting the consumer
and citizen first.”

Steven Farmer, privacy counsel at Pillsbury Winthrop Shaw & Pittman LLP in London,
told Bloomberg BNA Aug. 9 that “the blog is a welcome development,” even though the
ICO’s final position still isn’t clear on some important aspects of GDPR. “It is important
to remember that this blog represents the view of only one of the key EU regulators
so it does come with those caveats,” he said.

The U.K. recently released a statement of intent that it will largely implement the
GDPR into U.K. law even after it formally leaves the EU under Brexit.

Preparing for Compliance

Denham said the ICO prefers the carrot to the stick, and will maintain its commitment
to “guiding, advising and educating organisations” about the GDPR as announced in
its recently released
Information Rights Strategy.

Nicola Cain, legal director at Reynolds Porter Chamberlain in London, told Bloomberg
BNA Aug. 9 that large fines are “likely to be exercised only for large scale reckless
and egregious breaches.”

Victoria Hordern, privacy and information law counsel at Hogan Lovells LLP in London,
told Bloomberg BNA Aug. 9 that, “Denham is seeking to reassure companies about the
ICO’s approach but also firmly underlining the point that they will need to comply
with the law.” That is important because many U.K. companies haven’t started to prepare
for the GDPR, Hordern said.

To contact the reporter on this story: George Lynch in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
