Associate James Kelliher considers the main takeaways from the ICO’s action in the Farage/NatWest privacy dispute in Law360.
James’s article was published in Law360 on 23 August 2023 and can be read here.
In the heat of the ongoing dispute between Nigel Farage, former leader of the U.K. Brexit Party, and NatWest Bank, the latest intervention from the U.K. Information Commissioner’s Office, or ICO, threatens to heap further financial and reputational damage on the embattled bank.
While questions about the bank’s decision making have been the focal point of intense media attention so far, the involvement of the U.K.’s data regulator indicates that NatWest and its since-resigned CEO Alison Rose are likely to be dragged over the coals for their inadequate data protection adherence.
Rose’s extraordinary admission that she was the source of a BBC news journalist’s story about the closure of Farage’s bank account at Coutts & Co., the private bank and a subsidiary of NatWest, is remarkable given her seniority and her years of experience in the banking industry.
Customer privacy is a central pillar supporting banks’ relationships with their clients, so for the CEO of one of the U.K.’s major banks to admit to having discussed a customer’s personal financial situation with a reporter is shocking and reveals a culture still prevalent within banks from the top down.
Given the level of notoriety that the story of Farage’s account closure had already reached by the time Rose spoke to the BBC reporter, all staff should have been warned to be doubly careful not to pour fuel on the fire, on top of fulfilling their day-to-day basic duties to adhere to data protection laws.
Rose’s revelations about her role in the BBC story ended up having an even greater impact than the closure of Farage’s bank account in the first place.
Rose’s comments to the BBC claiming the reason for the account closure was due to Farage’s personal wealth falling below the threshold required to maintain an account at Coutts were interpreted by Farage’s team and other observers as designed to create a smokescreen for the real reason for debanking Farage.
Following notification of the closure of his Coutts account, Farage submitted a data subject access request, or DSAR, to the bank.
The information supplied in the bank’s response to Farage’s DSAR revealed that his account was closed because Coutts simply did not approve of his political activities and decided that his remaining a customer of the bank was a risk they no longer wanted to take.
Had Farage not made the request, the true reason for the closure might have never been revealed, either to him or to the wider audience following the story in the press.
Subject Access Request
DSARs allow individuals to request all of their personal data held by an organization, as per the General Data Protection Regulation first introduced in the 1998 Data Protection Act. The organization’s data protection officer has to respond to a DSAR within 30 days and cannot charge a fee to the requester.
It has since come to light that many members of the public have been debanked without being provided with a reason, and unaware of the useful data subject access request tool, they never discover why their accounts have been closed.
As such, DSARs are a swift, inexpensive and powerful tool for individuals concerned about the processing of their personal data by an organization or seeking to understand what personal data of theirs the organization holds.
Escalating the Matter
Given Rose’s admission that she was the source of the misleading story, it is little wonder that Farage and his legal team have decided to escalate the matter beyond NatWest and to the regulator itself.
Farage’s request for an investigation by the ICO strongly suggests his lawyers have solid grounds to believe that a serious breach of data protection law has taken place.
At the same time, the mere request of assistance from the ICO to look into a potential data breach does not carry the weight of a confirmation of such a breach once the ICO has finished scrutinizing the situation.
As such, it is far too early to conclude that NatWest will be found to be in breach of the GDPR.
Many commentators have flagged the irony of Farage, an ardent Eurosceptic, using the GDPR, a flagship EU law, as a weapon with which to attack NatWest, suggesting such a move demonstrates hypocrisy on his part.
However, were the U.K. to have had its own similar regulatory framework in place on which Farage could rely, he would no doubt have done so instead.
The issue is less about the source of the legislation, but the fact that it exists at all, providing vital safeguards for individuals when problems such as these arise.
Rose’s frank admission of a “serious error in judgment” will likely be a focal point of the ICO’s examination of the case. Investigators will take a microscope to the nature of her conversation with the BBC journalist, examine what information was disclosed, and ultimately analyze the safeguarding measures that NatWest is legally obligated to have in place to protect the sensitive data of its customers.
If the regulator does find conclusive evidence of wrongdoing, the fallout from the ongoing controversy will cause an even greater headache for the bank.
Depending on the severity of the breach, the ICO has the power to impose hefty fines or even initiate legal proceedings against the responsible parties.
However, past performance has shown a reluctance by the ICO to issue penalties and fines that come anywhere close to acting as effective deterrents to firms, meaning that many organizations continue to operate with a sense of impunity when handling data subjects’ personal information.
Figures for the size and number of fines imposed by the ICO in 2022 again demonstrate that the regulator’s bark is worse than its bite, in line with the low levels of financial penalties meted out in previous years.
Only 34 such fines were issued during 2022, of which all but five related to breaches of electronic marketing rules, rather than to breaches of the type alleged by Farage and his lawyers.
In 21 of the total 34 cases, the fines imposed were less than £100,000 ($127,000), meaning that the bigger the organization, the more cavalier it can afford to be in relation to their obligations under the GDPR.
Were NatWest to be fined such a relatively insignificant amount in relation to the Farage investigation, management would barely notice the impact on their balance sheet, and as a result be unlikely to pay much heed to improving their systems.
Conclusion
Every individual should be able to expect that their privacy is respected by the organizations they entrust with holding and processing their personal data.
It is paramount that the data privacy rights of individuals be upheld, with the NatWest saga highlighting the importance of the legal responsibilities of all data processors who are in possession of such sensitive information.
It is therefore essential for organizations to responsibly handle all customer data which they process and to comply fully with data protection laws, as set out by the GDPR.
Any breaches of privacy should be taken extremely seriously and thoroughly investigated, in order that trust in data-handling practices is maintained.