A bizarre news story is doing the rounds, although it hasn’t, as far as I can see, hit anything other than specialist media. An example is here, but all the stories contain similar wording, strongly suggesting that they have picked up on and reported on a press release from the company (“Secure Redact”) that undertook the research behind the story.
We are told that
“research reveals that 43% of UK retailers reported that they had been fined for a violation of video surveillance GDPR legislation… Of these retailers, 37% reported paying an equivalent of 2% of their annual turnover, 30% said the fine amounted to 3% of annual turnover, and 15% said the fine was 45% [sic] of annual turnover… A staggering 33% of those fined also had to close stores as a result of enforcement action”
The research was apparently based on a survey of 500 respondents in retail businesses (50% in businesses with fewer than 250 employees, 50% in businesses with more than 250).
What is distinctly odd about this is that since GDPR has been in force in the UK, including since it has become – post-Brexit – UK GDPR, there has been a sum total of zero fines imposed by the Information Commissioner in respect of CCTV. 43% of retail businesses have not been fined for CCTV infringements – 0% have.
You can check here (direct link to .csv file) if you doubt me.
It’s difficult to understand what has gone wrong here: maybe the survey questions weren’t clear enough for the respondents or maybe the researchers misinterpreted the data.
Whatever the reasons behind the stories, those in the retail sector – whilst they should certainly ensure they install and operate CCTV in compliance with GDPR/UK GDPR – should not be alarmed that there is a massive wave of enforcement action on the subject which threatens to put some of them out of business.
Because there isn’t.
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
ICO often say they can’t award compensation, but what they can do is – in criminal cases – make an application for the court to make an award (separate to any fines or costs). But as far as I know, until this case last week, they’d never done so:
I’ve written an “initial thoughts” analysis on the Mishcon de Reya website of some of the key provisions of the Data Protection and Digital Information Bill:
The Data Protection and Digital Information Bill – an (mishcon.com)
This is a significant development – the Information Commissioner will now be able to keep up to £7.5m a year from penalties, to cover their litigation and debt recovery costs:
A piece by me just uploaded to the Mishcon de Reya website, on an FOI disclosure to me of the most recent reprimands under GDPR/UK GDPR issued by the Information Commissioner:
ICO reprimands Cabinet Office, UKIP, CPS and others for (mishcon.com)
I’ve written on the Mishcon website about the PACAC report on the Clearing House.
A new piece on the Mishcon de Reya site: the First-tier Tribunal is dealing with at least eight applications to certify contempt of court for failure by public authorities to comply with decision notices.
FOI enforcement starts to get serious?
I’ve written a piece on the Mishcon de Reya website on the first ever case of certification of contempt of court to the High Court, for failure to comply with a decision notice.
I was delighted recently to be invited by OpenDemocracy to sign an open letter to John Edwards, new Information Commissioner, calling for more to be done to regulate FOI effectively. I’ve written many posts in the past breaking the state of FOI enforcement, so everything in the letter resonated with me. The letter has now been sent, and there are some very high profile journalists, MPs and campaigners who have signed:
Edwards has already replied, and said that addressing these concerns will be a priority for him.