In the eighteen months since the General Data Protection Regulation (GDPR) came into application, the Information Commissioner's Office (ICO) has yet to issue a single fine under the stringent powers it gained with the new legislation. What's more, an FOI disclosure to this firm has revealed that the ICO has in fact only served three notices of intention to fine in all that time (two of which were the notices of intent to BA and Marriott Inc about which we wrote recently).
By contrast, across Europe, our calculations indicate that 124 fines have been issued, with some countries (such as Spain, with 21, Germany, with 15, and Romania, with 12) in particular having data protection authorities apparently keen to exercise their powers. The only other countries where no fines have yet been issued are Croatia, Estonia, Finland, Luxembourg, Slovenia and the Republic of Ireland (where of course the supervisory authority is tasked with investigating large-scale complaints against Facebook, Google, WhatsApp, Twitter and other huge tech companies).
In view of this apparent inconsistency of approach by regulators, it is worth remembering that GDPR aims to ensure "consistent and homogenous application of the rules...throughout the Union" (recital 10) and provides for a "consistency mechanism" under which the European Data Protection Board (EDPB) may issue binding decisions, on any matter of general application, referred to it by a supervisory authority or by the European Commission (Article 64(2)).
Of particular interest is the fact that, in many European countries, multiple relatively small fines (in the thousands of euros) have been levied for relatively minor infringements. Nothing in GDPR suggests that fines are reserved only for the more serious infringements, but it may be that the ICO is taking the view that that is the approach to take (one notes that its Regulatory Action Policy says "In the majority of cases we will reserve our powers for the most serious cases, representing the most severe breaches of information rights obligations"). Under the prior law (the Data Protection Act 1998) this was certainly correct – monetary penalties could only be served for serious contraventions, of a kind likely to cause substantial damage or substantial distress (section 55A of the 1998 Act). But if the ICO is still taking that approach, it may a) not strictly be in accordance with the aims of GDPR, and b) be subject to challenge, and to a future binding decision by the EDPB.
The ICO has gained plaudits for its data protection work, and certainly on the communications front it has been forthcoming and forthright, but its reputation as a strong regulator might be dented if it continues to avoid using its fining powers to the same extent as some of its European peers.