David Cook, Benjamin Fellows, Mateusz Wojcik and Shervin Nahid | Privacy Matters | DLA Piper Data Protection and Privacy | DLA Piper
https://privacymatters.dlapiper.com/author/dcook/
DLA Piper's Global Privacy and Data Protection Resource (author archive, last updated Wed, 25 Sep 2024 15:05:54 +0000)

UK: Data protection authority issues reprimand to gambling operator for unlawfully processing personal data
https://privacymatters.dlapiper.com/2024/09/uk-data-protection-authority-issues-reprimand-to-gambling-operator-for-unlawfully-processing-personal-data/
Wed, 25 Sep 2024 15:04:20 +0000

On 16 September 2024, the UK’s data protection authority, the Information Commissioner’s Office (ICO), issued a reprimand against Sky Betting and Gaming (SkyBet) for unlawfully processing people’s data through advertising cookies without their consent.

Between 10 January and 3 March 2023, SkyBet’s website dropped third-party AdTech cookies to visitors’ browsers before visitors could accept or reject them via a cookie banner. As a result, the visitors’ personal data (e.g., device information and unique identifiers) was shared automatically with third-party AdTech companies without visitors’ consent or a lawful basis. The cookies were deployed to allow advertising to be placed on other websites viewed by the visitor.

Whilst the ICO found no evidence of deliberate misuse of personal data to target vulnerable gamblers, it reprimanded SkyBet because it processed personal data in a way that was not lawful, transparent or fair.
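The failure the ICO describes (third-party AdTech cookies set before the banner is answered) is something an operator can test for on its own site. The following is an added illustration, not code from the post or from SkyBet: it takes a capture of the Set-Cookie headers returned on first page load, before any banner interaction, and flags cookies scoped to a domain other than the operator's. The site name, vendor hostnames and cookie values are constructed, and the registrable-domain check is a simplification noted in the code.

```python
from urllib.parse import urlsplit

# Hypothetical operator site (assumption; not the site in the ICO reprimand).
FIRST_PARTY_SITE = "www.example-operator.test"

# Constructed sample: (response URL, Set-Cookie headers) recorded on first page
# load, before the visitor has accepted or rejected anything in the banner.
PRE_CONSENT_RESPONSES = [
    ("https://www.example-operator.test/",
     ["sid=1a2b3c; Path=/; Secure; HttpOnly; SameSite=Lax"]),
    ("https://cdn.example-operator.test/assets/app.js",
     ["pref=dark; Domain=.example-operator.test; Path=/; Max-Age=2592000; Secure"]),
    ("https://sync.adtech-vendor.test/pixel.gif",
     ["uid=9f8e7d6c5b4a; Domain=.adtech-vendor.test; Path=/; Max-Age=31536000; "
      "Secure; SameSite=None"]),
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def registrable_domain(host):
    """Approximate the registrable domain by the last two labels.

    Simplification (assumption): a production audit should consult the Public
    Suffix List so that suffixes such as 'co.uk' are not treated as a domain.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def audit_pre_consent(first_party_site, responses):
    """Classify every cookie set before consent as first- or third-party."""
    first_party = registrable_domain(first_party_site)
    rows = []
    for url, headers in responses:
        host = urlsplit(url).hostname or ""
        for header in headers:
            name, _, attrs = parse_set_cookie(header)
            # A Domain attribute widens the cookie's scope; otherwise it is host-only.
            domain = attrs.get("domain") or host
            rows.append({
                "name": name,
                "set_by": host,
                "domain": domain.lstrip("."),
                "third_party": registrable_domain(domain) != first_party,
                # Max-Age/Expires make the cookie persist across sessions, which is
                # what lets an AdTech identifier follow the visitor to other sites.
                "persistent": "max-age" in attrs or "expires" in attrs,
            })
    return rows


def pre_consent_violations(first_party_site, responses):
    """Third-party cookies set before consent: the pattern the ICO reprimanded."""
    return [r for r in audit_pre_consent(first_party_site, responses)
            if r["third_party"]]


if __name__ == "__main__":
    for row in pre_consent_violations(FIRST_PARTY_SITE, PRE_CONSENT_RESPONSES):
        print(f"{row['name']} set by {row['set_by']} for {row['domain']} "
              f"(persistent={row['persistent']})")
```

Any row returned by `pre_consent_violations` is a cookie a visitor never had the chance to accept or reject; the same headers can be pulled from a browser HAR export of a fresh, un-consented session.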

This reprimand forms part of the ICO’s wider strategy to ensure that individuals’ rights and freedoms are respected. The ICO has recently reviewed the UK’s most-visited 100 websites and contacted more than half to warn of enforcement action. Many are reported to have implemented improvements, such as displaying a “reject all” button or presenting “accept all” and “reject all” options on an equal footing.

The ICO intends to assess the next 100 most-frequented websites and urges all organisations to assess their cookie banners to ensure freely given consent may be given. The ICO also intends to publish guidance on cookies and tracking technology before the end of the year.

DLA Piper advises all businesses on cookie compliance and is currently engaged by several businesses operating in the AdTech ecosystem, on assessing risk exposure and responding to ICO engagement. Should you wish to discuss this further, please reach out to your regular DLA Piper contact, or the authors of this blog.

UK: How much will I get fined if I don’t comply?
https://privacymatters.dlapiper.com/2024/03/uk-how-much-will-i-get-fined-if-i-dont-comply/
Wed, 20 Mar 2024 12:34:38 +0000

Following the threat of significantly larger penalties since 2018 (the enhanced fines under the General Data Protection Regulation as compared to the legislation that went before), companies have asked us time and time again, “what is my financial risk for data protection non-compliance in the UK?”

The publication of the Information Commissioner’s Office’s new fining guidance offers some clarity on this question, including a published methodology the ICO will use to calculate any fine it imposes.

We are pleased to have contributed to the shaping of aspects of the new guidance following our consultation submission, which has been published here.

About the guidance

In accordance with its statutory duty, the Information Commissioner’s Office (“ICO”) has published new data protection fining guidance (the “Guidance”) with the intention of mapping out how regulatory enforcement fines are to be calculated going forward. Whilst the headline fines under the GDPR are well understood by the market, the methodology previously deployed by the ICO was less clear and it is only following the passage of time that trend analysis could be undertaken on the ICO’s enforcement actions.

The new guidance provides welcome detail to help organisations place more confidence in their actions and the potential consequences of data protection risk decisions that may be taken.

When would a fine be considered?

The ICO has confirmed that when deciding whether to issue a penalty notice, it will review the facts of each case and consider:

  1. the seriousness of the infringement or infringements;
  2. any relevant aggravating or mitigating factors; and
  3. whether imposing a fine would be:
    1. effective;
    2. proportionate; and
    3. dissuasive.

Further details on each circumstance are set out below.

A. Seriousness: this is determined by a consideration of a number of factors broken down as follows.

  1. The nature (e.g. whether the standard or higher maximum fine is applicable), gravity (i.e. the nature, scope and purpose of processing, the number of data subjects involved, and level of damage suffered) and duration of the infringement.
  2. Whether it was intentional or negligent.

    • Intentional: senior management authorised the unlawful processing; or the processing was undertaken despite advice about the risks involved, or with a disregard of its internal policies.
    • Negligent: whether a controller/processor has breached the duty of care required by law. Any assessment of a breach would include assessing evidence of the following factors:

      • failing to create data protection policies;
      • failing to read and abide by its existing data protection policies (or, where relevant, with a code of conduct or certification applicable);
      • human error, particularly where the person (or people) involved had not received adequate training on data protection risks;
      • failing to check for personal data in information that is published or otherwise disclosed; or
      • failing to apply technical updates in a timely manner.
  3. The categories of personal data affected. The ICO will consider infringements relevant to the processing of special category data, criminal convictions and offences data, and personal data falling within the definitions of ‘sensitive processing’, as particularly serious. The ICO also considers data categories likely to cause damage or distress to data subjects as particularly serious, such as: location data, private communications (intimate or confidential information), passport or driving licence details, or financial data.

The ICO acknowledges that assessing these various factors involves a degree of repetition, which it believes reflects the way the legislation is drafted and the fact that it needs to consider all relevant factors when: (i) deciding whether to impose a fine; and (ii) determining the amount of the fine.

B. Relevant aggravating or mitigating factors: Once the ICO has assessed the seriousness of the infringement, it will then consider whether there are any aggravating or mitigating factors.

  • Mitigation – the ICO will be looking for evidence of the controller/processor having tried to effectively mitigate the harmful consequences of the infringement on the data subjects involved and the level of impact which that action had on the data subjects. The ICO will also give due consideration to measures in place prior to any investigation or the ICO otherwise becoming aware of the infringement.
  • Degree of responsibility – the ICO will consider the extent of what the controller/processor did considering its size and resources; and the nature and purpose of the processing. The ICO will be assessing any shared responsibility between controllers or between controllers and processors.
  • Previous infringement or measures previously ordered – the ICO will give greater weight to infringements which have been of a similar nature or infringements which occurred recently. The ICO will also have regard for compliance measures it has previously ordered concerning the same subject-matter.
  • Cooperation with the ICO – the starting point for cooperating is that controllers/processors are expected to cooperate with the ICO and should respond to requests for information where possible, therefore, performing the minimum is unlikely to be seen as a mitigating factor by the ICO. However, cooperating in a way that enables the enforcement process to be concluded more effectively; or significantly limits the harmful consequences for people’s rights and freedoms, will be viewed favourably.
  • How the ICO became aware – the extent to which the controller or processor notified the ICO about the infringement. This may be regarded as a mitigating factor if the notification was made of its own volition and the ICO was previously unaware. This does not apply to statutory obligations to notify (e.g. Art. 33 UK GDPR). If the ICO finds out about an infringement from a complaint, the media or its own intelligence, this will usually be considered as a neutral point.
  • Codes of conduct or certification mechanisms – Adhering to approved codes of conduct or approved certification mechanisms will be given due regard. However, failure to meet the standards signed up to may be considered an aggravating factor.
  • Other aggravating or mitigating factors – economic or financial benefit obtained, or losses avoided, as a result of the infringement. Also, any action the controller/processor took proactively to report a breach to other appropriate bodies, such as the National Cyber Security Centre, and whether any subsequent advice issued was followed.

We unsuccessfully argued in our submission to the ICO that the Guidance reads like there is an imbalance between aggravating and mitigating factors. For example, a demonstrable history of compliance (an unblemished record supported by evidence) was not accepted to be a mitigating factor, despite previous infringements being considered as an aggravating factor. Nevertheless, proactive technical and organisational measures in place would factor into other mitigating measures set out above.

C. Effectiveness, proportionality and dissuasiveness:

  1. To be effective, the fine should help ensure compliance with data protection legislation and/or provide appropriate sanctions for infringement;
  2. Proportionate means the fine does not exceed what is appropriate and necessary. It shows that the Commissioner has considered all the relevant circumstances, including:

    • the seriousness of the infringement,
    • the harm or other impact on data subjects, and
    • the size and financial position of the controller/processor; and
  3. To be dissuasive, the fine should be a genuine deterrent to future non-compliance (both specific to the infringing controller/processor and generally as a message to the market).

For reasons of certainty, it is potentially unhelpful that the ICO has expressed its desire to maintain a significant degree of discretion at this stage of the fine setting process (both with respect to whether to impose a fine and the calculation of the level of the fine). Whilst the ICO states it will seek to ensure there is broad consistency, it remains to be seen how well this works in practice. Further, we have highlighted that the Guidance sets out that proportionality is a secondary analysis and only considered after it has been confirmed that the penalty would be effective and dissuasive. We submitted to the ICO that this represented a two-step process that went beyond the UK GDPR and could lead to unintended consequences.

Calculating the fine

If the decision is taken to issue a penalty notice, then the fine amount will be calculated by following five steps:

  1. Assessment of the seriousness of the infringement – looking at A. above, the ICO will determine a starting point for all fines based upon the seriousness of the infringement. The starting point will vary between:

    • serious infringements: the fine will be between 20% and 100% of the legal maximum;
    • infringements with a medium degree of seriousness: the fine will be between 10% and 20% of the legal maximum; and
    • infringements with a lower degree of seriousness: the fine will be between 0% and 10% of the legal maximum.
  2. Accounting for turnover – the ICO will then review the undertaking’s total worldwide annual turnover in its previous financial year (or where the controller/processor is not an undertaking, the ICO will review the assets, funding or administrative budget of the entity) and adjust the fine amount indicated by the calculation of the seriousness of the infringement. An undertaking that has an annual turnover of over £435 million is potentially exposed to fines of up to 4% of annual global turnover (so the statutory maximum). The adjustment applied will mean that undertakings with a relatively low turnover are exposed to a mere fraction of the statutory maximum: for example, an undertaking with turnover of up to £2 million should receive a penalty of up to 0.4% of the sum indicated by the “seriousness of infringement” figure derived from Step 1. The adjustment downward can be significant.
  3. Calculation of the starting point – the ICO will then calculate the starting point in one of two ways (depending on the outcomes of step 1 and step 2):

    • If the statutory maximum is a fixed amount, then: [statutory maximum amount (fixed)] x [adjustment for seriousness] x [turnover adjustment]; or
    • If statutory maximum is turnover based, then: [turnover] x [statutory maximum amount (percentage)] x [adjustment for seriousness].
  4. Adjustment to take into account any aggravating or mitigating factors – looking at Section B. above, the ICO will consider whether aggravating / mitigating factors should warrant an increase or decrease in the level of the fine.
  5. Assessment of whether the fine is effective, proportionate and dissuasive – looking at Section C. above, the ICO will also seek to ensure the fine does not exceed the statutory maximum amount.

In our submission, we proposed that the ICO consider taking account of the Competition and Markets Authority’s (CMA) method of calculation for fines, which includes a specific step dedicated to settlement discounts. We suggested that the Commissioner adopt a similar stance to the CMA, permit organisations to engage in formal settlement discussions, and allow a discount for any settlement where the infringing party admits its participation in the infringement. It is worth noting that the ICO welcomed the suggestion about introducing a formal settlement policy and offering a reduction in fines on that basis, and although it was ultimately outside of the Guidance, it will look to mirror this approach in the future.

We were also troubled by the approach in the draft guidance as to how the ICO approached the concept of an undertaking. We note that, in response to our submission, the Guidance is now much more detailed as to the approach that the ICO will take to determining whether a parent company has decisive influence over a subsidiary and therefore whether the turnover of the parent company itself should be taken into account.

We also note the amendment made by the ICO following consideration of the submissions to reflect that steps taken to mitigate damage to data subjects following a personal data breach are a mitigating factor when it comes to calculating the penalty.

Concluding remarks

Between 2019 and 2024, the fines ultimately levied by the ICO have varied significantly from the values contained in the notices of intent it issued to the organisations concerned. The Guidance now provides a clearer reference point which companies can refer to and overlay into their risk documentation, particularly where financial risk is assessed. This will help build out risk analyses and add further clarity on what amount of fine any data protection infringement discovered by an organisation could attract. Though, as referenced above, there is still a residual challenge given the inherent discretion that remains.

Should you wish to discuss any matter contained within this article, please reach out to the authors or your regular data protection point of contact.

Clearview AI -v- Information Commissioner
https://privacymatters.dlapiper.com/2023/10/clearview-ai-v-information-commissioner/
Mon, 23 Oct 2023 08:29:07 +0000

Summary

A UK court has reversed a fine imposed on the provider of a facial image database service, Clearview AI, on the basis that the (UK) GDPR did not apply to the processing of personal data by the company. In so doing, the court has provided helpful judicial interpretation of both the territorial and material scope of UK data protection law.

The key takeaways were:

  • A controller or processor may be caught by the extra-territorial scope of the UK GDPR on the basis that its processing activities relate to the monitoring of the behaviour of data subjects in the UK, even where that entity is not itself monitoring data subjects, but where its activities enable its customers to conduct such monitoring.
  • A reminder that processing activities that are carried out for, or connected to, law enforcement purposes – for example, where a company provides its services solely to law enforcement agencies – will fall outside of the scope of the UK GDPR. If those law enforcement agencies are in the UK, then the processing will instead be subject to the parallel law enforcement processing regime under the Data Protection Act. However, if the law enforcement agencies are outside of the UK (as Clearview AI’s customers were) then UK data protection law will not engage.

Background

On 18 May 2022, the Information Commissioner’s Office brought twin-track enforcement action against Clearview AI in the form of: (1) an Enforcement Notice; and (2) a Monetary Penalty Notice (i.e., a fine) in the amount of GBP 7.5 million.

The ICO had concluded that Clearview AI:

  1. was a controller of personal data under the GDPR as applied in the EU, and under the UK GDPR and Data Protection Act 2018 with respect to the UK data protection framework; and
  2. was or had been processing personal data of UK residents within the scope of the GDPR (in respect of processing taking place up to the end of the Brexit transition period of 23:00 on 31 December 2020) and the UK GDPR (in respect of subsequent processing).

The ICO concluded that Clearview AI had infringed whole rafts of the UK GDPR and GDPR in respect of the requirements:

  • represented by the core data protection principles under Article 5;
  • as to lawfulness of processing under Article 6;
  • around the processing of special category data under Article 9;
  • represented by the transparency obligations under Article 14;
  • represented by the data subject rights to subject access (under Article 15), to rectification (under Article 16), to erasure (under Article 17), and the right to object (under Article 21);
  • as to automated decision making under Article 22; and
  • to undertake a data protection impact assessment under Article 35.

Preliminary Issue

Clearview AI appealed the enforcement notice and the monetary penalty to the First-tier Tribunal (Information Rights). The matters before the Tribunal did not relate to whether Clearview AI had infringed the GDPR or UK GDPR. The issue under consideration was solely relating to the jurisdictional challenge brought by Clearview AI.

It primarily considered three questions as to:

  1. whether as a matter of law, Article 3(2)(b) can apply where the monitoring of behaviour is carried out by a third party rather than the data controller;
  2. whether as a matter of fact, processing of data by Clearview AI was related to monitoring by either Clearview AI itself or by its customers; or
  3. whether the processing by Clearview AI was beyond the material scope of the GDPR by operation of Article 2(2)(a) GDPR and/or was not relevant processing for the purposes of Article 3 of the UK GDPR thereby removing the processing from the material scope of the UK GDPR.

Clearview AI argued that the data processing undertaken by it in the context of the services was outside the territorial scope of the GDPR and UK GDPR, with the consequence that the ICO had no jurisdiction to issue the notices.

Clearview AI services

Clearview AI provides law enforcement agencies with access to a database of facial images scraped from public sources. It uses biometric processing to match a customer’s image with an image and identity in its database. In detail, its services were broadly achieved through the following phases of activity:

Activity 1

  • It copied and scraped facial images in photographs that it found across the public internet and stored them with a series of connected databases and sub-databases, linked to the source of the image, the date and time it was made, and information around associated social media profiles.
  • That material was then used for the creation of a set of vectors for each facial image, using the Clearview AI machine learning facial recognition algorithm.
  • The facial vectors were then stored in a neural-network database, clustered together according to closeness in facial similarities.

Activity 2

  • If a customer wished to use the service, they would upload the facial image being searched for to the Clearview AI system. Vectors would be created of the facial features of that image, which would then be compared to the facial vectors of the stored images on the database using the Clearview AI machine learning facial recognition algorithm. Up to 120 matching facial images would be returned, along with an assessment of the degree of similarity. The service was found to achieve over 99% accuracy.

Further Activity

  • The returned images would allow a customer to then view additional, non-Clearview AI derived information, (such as by visiting the source page where the image was scraped from) as to:
    • the person’s name;
    • the person’s relationship status, whether they have a partner and who that may be;
    • whether the person is a parent;
    • the person’s associates;
    • the place the photo was taken;
    • where the person is based/lives/is currently located;
    • what social media is used by the person;
    • whether the person smokes/drinks alcohol;
    • the person’s occupation or pastime(s);
    • whether the person can drive a car;
    • what the person is carrying/doing and whether that is legal; and/or
    • whether the person has been arrested.

The Tribunal considered that it was reasonably likely that the database would contain the images of UK residents and/or images taken within the UK of persons resident elsewhere. It was therefore found that the Clearview AI service could have an impact on UK residents, irrespective of whether it was used by UK customers.

The Clearview AI service was used by customers for commercial purposes prior to 2020 and is not currently used by customers in the UK or in the EU at all. Its customers are in the United States, as well as other countries globally (including Panama, Brazil, Mexico, and the Dominican Republic). It was acknowledged that investigators in one country may be interested in behaviour happening in another country, given that criminal activity is not limited by national boundaries.

Clearview AI had offered its service on a trial basis to law enforcement and government organisations within the UK between June 2019 and March 2020. An overseas law enforcement agency could use the service as part of an investigation into the alleged criminal activity of a UK resident.

Conclusions of the Tribunal

The Tribunal considered that Clearview AI was the sole controller responsible for Activity 1 (as described above) and that Clearview AI was joint controller with its customers for Activity 2. The Further Activity was then processing for which Clearview AI was not a controller at all.

The ICO submitted that the Clearview AI service was being used to monitor the behaviour of the data subjects. The Tribunal concluded that Clearview AI did not monitor behaviour itself but that its customers used the service to monitor the behaviour of data subjects. Consequently, for the purposes of Article 3(2)(b), Clearview AI’s services were related to the monitoring of the behaviour of data subjects. Clearview AI’s status as a joint controller with its customer for the purposes of Activity 2 may have been a significant factor in establishing a sufficiently close nexus between Clearview AI, as the ‘service provider’, and its customer, as the entity actually conducting the behavioural monitoring.

However, whilst the processing activities may in theory have been within the territorial scope of the (UK) GDPR, what was decisive was that they fell outside of its material scope. The Tribunal accepted that Clearview AI offered its services exclusively to non-UK/EU law enforcement and national security agencies, and their contractors, in support of the discharge of their respective criminal law enforcement and national security functions. Such activities fall outside of the scope of the GDPR and the UK GDPR. Whilst the UK has data protection regimes under the Data Protection Act 2018 that apply to both law enforcement and intelligence agencies, those regimes only bind processing activities relating to UK law enforcement or intelligence agencies.
