The ICO was recently criticised in an opinion piece in The Lawyer for disclosing that staff at an unnamed mobile network operator had allegedly sold details of customers. The piece rightly pointed out that with only 5 operators to whom this could relate, it was only a matter of time before T-Mobile were identified as the operator affected. It was suggested that whilst this outing led to extensive press coverage, it damaged “the trust relationship between the regulator and regulated” and would lead to less transparency about security failures. The article noted, “Effective regulation is not just about tougher powers and penalties. Substantial improvements in practices could be achieved through a step change in thinking about the relationship between the regulator and regulated.”
My personal view (and not that of Charles Russell) is that regulators should not be overly concerned about their relationship with the regulated. Their guide should be their statutory duties and aims. They should only consider the state of their relationship with the regulated to the extent that this hinders or promotes those statutory duties. Undue concern about the relationship leads to regulatory capture by major regulated entities or regulatory paralysis.
In the case of the ICO, the lack of proper enforcement or rule-making powers has meant that a cooperative, educative or consultative approach has been the only one available since 24 October 1998, or earlier if you include the limited powers of the Data Protection Registry (being the ICO as it existed under the Data Protection Act 1984). The recent spate of massive data security breaches does not suggest that this has been an altogether successful approach, nor have the limited fines awarded for criminal offences under the Data Protection Act 1998 acted as a serious deterrent. It is therefore no wonder that the ICO has lost patience with the regulated, and seeks the enforcement powers to be able to use an effective “stick” as well as carrot approach.
As far as T-Mobile are concerned, whilst they may have suffered some unwelcome and unanticipated adverse publicity as a result of the ICO disclosure, they are probably all too well aware of the amendments agreed to the Privacy and Electronic Communications Directive 2002/58/EC and set out in the Citizens’ Rights Directive 2009/136/EC, which include new obligations on electronic communications service providers to report security breaches to the competent national authority. Measures must be adopted in the UK in approximately 18 months’ time to implement this new obligation (the exact date will depend upon when the Citizens’ Rights Directive is published in the Official Journal). Arguably, any breakdown in trust between the ICO and electronic communications service providers who have volunteered information about security breaches will therefore soon be immaterial. The European Commission is already discussing proposals to broaden the new breach notification obligation to all data controllers, too.