Since 2021 the ICO has increased its use of reprimands in its enforcement activity and from December 2022 it will be routinely publishing reprimands. What is a reprimand, how might it impact you and what is the effect of this change of policy by the ICO?

What is a reprimand?

A reprimand is a written letter stating that the ICO believes an organisation has not complied with the GDPR. It is often accompanied by a list of reasons for the decision and recommended actions that an organisation should take. Sometimes a reprimand asks an organisation to report back to the ICO on steps they have taken to correct any non-compliance. 

Reprimands have been part of the GDPR since its inception, tucked away at Article 58(2)(b). They are typically issued following an ICO investigation and where an infringement is not serious enough to warrant a penalty or enforcement notice. Reprimands have been issued in a range of circumstances and most have been for smaller data breaches or failing to comply with data subject rights, like data subject access requests. In particular, they are used frequently against public sector entities instead of penalties, where the Commissioner does not believe that penalties against the public purse are useful.

Until 2020, reprimands were rarely used by the ICO, averaging 8 per year since the GDPR came into force in 2018. This grew to 24 in 2021 and then 28 in 2022 (see ICO FOIA responses IC-173635-G0Y8 and IC-132478-H6K7). Historically, reprimands were confidential and not routinely made public. However, from December 2022 the ICO is making all reprimands public unless there is a good reason not to (see ICO statement at FN2). The ICO has clearly changed its policy on the use of reprimands and now sees them as an important part of its enforcement toolkit.

What is the effect of a reprimand?

A reprimand does not compel an organisation to do or pay anything. Reprimands have a deterrent effect by bringing wrongdoing to light, with the goal of discouraging others from doing the same thing. They also have a reputational impact on the reprimanded organisation.

However, the real-world effect of a reprimand is that it is a formal statement by a regulator that the GDPR has been infringed and this then creates a foundation for compensation claims from data subjects. Those compensation claims need to be brought in Court. A Court is not bound by the reprimand and must make its own decision on the evidence. However, any organisation will be on the back foot throughout litigation if the Claimants start with an ICO decision that says the Defendant has acted unlawfully, as a Court will no doubt give deference to its findings as a specialist body.

This is where the use of reprimands becomes difficult and is exacerbated by the ICO's recent decision to make them public.

The difficulties with reprimands

There is no process in the GDPR or DPA 2018 governing how the ICO issues a reprimand. For other forms of enforcement action, the DPA 2018 requires the ICO to give formal, prior notice to an organisation and time for that organisation to make representations before any action is taken (see the requirements on the ICO to serve a Notice of Intent in relation to penalties: Schedule 16 DPA 2018). This firm's experience of reprimands is that the ICO sometimes goes from a neutral fact-finding investigation to a reprimand decision, without the intermediate step of setting out why it believes the GDPR has been breached and providing an organisation with a chance to make representations.

Moreover, reprimands are arguably not capable of effective appeal. Only those enforcement actions listed in section 162(1) of the DPA 2018 can be appealed to the Information Tribunal and reprimands are not on that list. There is no other bespoke statutory appeal process and, to date, no internal ICO appeal mechanism has been offered.  This leaves judicial review as the only route to challenge the ICO's decision, which is expensive, difficult and not fit for purpose for a routine enforcement decision of this nature.   

This leads to the unsatisfactory outcome whereby an organisation may be served with a reprimand, without prior warning, without the right to make representations and without an effective route to challenge it, even where the ICO may have overlooked a key matter or made a mistake. Moreover, in a fast-developing area of law and technical practice, there is ample opportunity for fair disagreement between the ICO and those they regulate as to the accuracy of the underlying facts relied upon for issuing the reprimand, and where the line for proportionate and effective compliance should be drawn. All the while, data subjects may rely on a published reprimand as prima facie evidence of wrongdoing and it may be reported in the media.

This situation does not appear to fit with the scheme envisaged under the GDPR.  Article 58(4) provides that:

 "The exercise of the powers conferred on the supervisory authority pursuant to this Article shall be subject to appropriate safeguards, including effective judicial remedy and due process, set out in Union and Member State law in accordance with the Charter."   

Further, recital 129 provides that:

"Each legally binding measure of the supervisory authority should be in writing, be clear and unambiguous, indicate the supervisory authority which has issued the measure, the date of issue of the measure, bear the signature of the head, or a member of the supervisory authority authorised by him or her, give the reasons for the measure, and refer to the right of an effective remedy."  

The ICO's reprimands do not currently refer to any right of remedy and the use of reprimands without safeguards, particularly an effective right of appeal, is arguably not permitted by the GDPR.   

We suspect that the ICO cannot want this position to continue as it risks drawing the Commissioner into costly judicial review proceedings, or him having to publicly withdraw a challenged reprimand (if that is even legally possible to do).  Hopefully, further safeguards will be put in place by the ICO in due course but for now organisations have limited options for opposing a reprimand or its publication.