Since the phone hacking scandal began, the ICO has been under pressure over the handling of related investigations. In particular, he has faced criticism over the handling of Operation Motorman. Since the Levenson enquiry began, the criticisms have increased. The revelations from Alexander Owens painted a potentially damaging picture of a regulator intimidated by the press. The picture was of a regulator that feared the political consequences from investigating the links between private investigators, reporters and newspapers.
My modest proposal is that such a picture misrepresents the role of a regulator and is an unbalanced portrait. My comments are directed at the concept of the regulator. The ICO and the current situation illustrate the theoretical points I am trying to make.
Before we criticise the ICO as a regulator, we need to understand the theory of a regulator. When considering the ICO’s situation three major issues must be addressed. First, the ICO needs the press on its side to develop an ecology of transparency. Without them, the ICO is not as successful. If they are opposed, the ICO cannot succeed. In particular, if an ecology of transparency existed, the ICO’s work would be reduced.
Second, the political context is only now becoming sympathetic to transparency. The ICO, like any regulator, needs to have a sympathetic political and social framework to work effectively. What has helped recently is that the Coalition government has worked to display its difference from the previous government. One only needs to compare Tony Blair’s memoirs on FOI and Cameron’s statements on transparency and accountability to see the difference. Yet, despite the difference in rhetoric (and to some degree policies), an ecology of transparency is yet to develop. For a regulator, especially one as relatively weak as the ICO is, allies and a sympathetic political process are crucial to success.
Third, organisational politics is the last issue to consider. Organisational politics play an important part, as it does for any regulator, where the frontlines clamour for more enforcement while those at the strategic level have to consider the overall responsibility. At the same time, there will be factions within a regulator organisation seeking to move it to their preferred course of action. Moreover, to the extent the internal politics is linked to or shaped by the external environment, the more pronounced will be the regulator’s vulnerabilities. While no attempt will be made to explore these issues directly, the goal is to draw out the theoretical issues.
What connects all of these, and is at the heart of regulatory action, is prudence. In considering these three areas, critics have to understand that regulatory action is not a black and white exercise. Instead, the regulator must make prudent choices about what is possible and what is necessary against a background of constraint financial and political resources. What may seem clear in hindsight will have been shrouded in uncertainty and layers of overlapping political and societal at its time where the regulator has to consider a course of action that is shrouded in uncertainty.
Section one an ecology of transparency regulatory theory
The ICO is weak in part because the UK lacks a strong ecology of transparency. Although this is changing, the ICO’s weakness as a regulator is a direct consequences. When most people consider regulators, the perception is that regulators are too powerful. The other concern, if the regulator is not too powerful, is that they will succumb to regulatory capture. What that means is that the regulator starts to identify with the industry it is meant to regulate and not stay independent and objective. http://en.wikipedia.org/wiki/Regulatory_capture
Yet, in the ICO’s case, it is the opposite. It has been a relatively weak regulator until recently. Even a sympathetic article in 2003 described the ICO in the following way.
“The challenging task of upholding the law and promoting compliance with the eight official data processing principles takes place in an office block in Wilmslow, Cheshire, where the Information Commissioner is based. By general consensus hopelessly under-resourced for the task it faces, this public agency tries to achieve results by persuasion and pressure rather than by sanction. It has no power to award compensation for individuals who have suffered loss.”
The ICO’s weakness, the lack of a direct sanction, has limited its ability to get cooperation and compliance with the law. Only in 2010, 13 years after coming into existence has it gained the power to impose fines. As a creature of parliament, the ICO’s weakness could only be removed by parliament giving it more powers. One could argue that as the public has become more aware of privacy and data protection issues, parliament has responded. Yet, the ICO’s political weakness has limited its effectiveness. In particular, it reinforced the need for allies and to find ways to leverage its power. Although the ecology of transparency is focused on one part of the ICO’s work (FOIA), it has resonance for the current issues of privacy and data protection. What Seth Kreimer describes as the ecology of transparency has three parts, two of which rely upon a strong press and these reveal the ICO’s need to work with, rather than against, the press.
- First, Kreimer says there needs to be a permanent infrastructure of civil servants with integrity, they act as the state’s internal watchdogs.
- Second a set of civil society actors capable of pursuing prolonged campaigns on these issues. In this area, the press have a role in keeping stories alive (like the Guardian) but also campaign groups (like campaign FOI, which support these issues) or even individuals (like Heather Brooke).
- Third, and this where the press are vital, there has to be reasonably open opportunities to publish and share information. The internet, blogs, and even twitter are changing this, but the main venue remains the press.
Kreimer, Seth F., The Freedom of Information Act and the Ecology of Transparency (September 2, 2008). University of Pennsylvania Journal of Constitutional Law, Vol. 10, p. 1011, 2008; U of Penn Law School, Public Law Research Paper No. 08-06. Available at SSRN: http://ssrn.com/abstract=1088413
For an ecology of transparency to flourish, the press have to support it either actively or at least indirectly. If the regulator is “at war with the press” then, it will have lost an important ally and weakened the ecology of transparency. The ICO has a role in maintaining and fostering that ecology, in a sense it is the regulatory framework. To succeed, the regulator has to be able to nurture, not harm, that ecology.
As I mentioned earlier, one can define regulatory theory with one word–prudence. Jan Beecher’s excellent article from 2008 draws this and other excellent insights into the nature of a regulator. Beecher’s article (The prudent regulator: politics, independence, ethics, and the public interest) can be found in the Energy Law Journal [Vol. 29:577] http://felj.org/docs/elj292/577_-_prudent_regulator-clean_final_print_11-2-08.pdf
Her article describes the characteristics of a successful regulator. In particular, she shows that any regulator has to work within a political framework without becoming overly political. In doing this, they have to prove prudence in their choices. I would recommend Beecher’s article as a good source for measuring the ICO’s success as a regulator. At the same time, prudence reveals the difference with the unfolding fate of another regulator pushed to do too much too soon, without effective allies or a public educated to their issues– the Care Quality Commissioner. (For more on the challenges facing regulators see Buzbee’s (Recognizing the Regulatory Commons: A Theory of Regulatory Gaps William W. Buzbee Iowa Law Review, Vol. 89, 2003 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=447700 )
A regulator’s power ebbs and flows from tis successes as well as the wider regulatory framework (the ecology of transparency) it creates through its work of both active cases and educating the public. Both of these are limited by its political context as well as its regulatory power. In many ways, the best regulators are those who do not have to intervene directly because the regulatory framework works without their direct intervention. For example, a referee who has not had to book anyone during a football match could be such an example. All the players know and follow the rules. This is not to say deregulation is the answer. A failure to book a player may be a sign the regulator is unable to spot infractions or is unwilling to intervene.
For a regulator to succeed, they have to be mindful of their own powers as well as their power to shape the regulatory framework. The best regulator in the world will fail if the regulatory framework does not lead to compliance. In other words, the individual, the organisation, and the regulatory system have to work together for it to succeed. A new regulator faces particular challenges, because they have to develop allies, make the public aware of their role, and fend off any challenges to their existence.
In a hostile climate, one where the political framework is resistant to the aims and outcomes of the ICO, the challenges and trade offices have to be made. In that sense, the ICO has had to start small, develop allies, and slowly raise the regulatory temperature to achieve its ends. One way to do this is to have small, but significant, success and wait for large problems or issues to give it the leverage to extend its power. In a sense, it has to exercise political judo where it uses the energy created by someone else’s crisis to its advantage. The regulator has to wait for a crisis to emerge to get the political leverage. If they lack the political leverage, their work will be limited and success unlikely. For example, the HMRC data breach where 25 Million records were lost and a report made to Parliament was such a crisis. http://www.cesg.gov.uk/find_a/archive/iauk/PageFiles/143/poynter_review250608.pdf
The crisis raised the ICO’s profile and made the public aware of privacy issues and data protection issues. Considered in that context, the response to the phone hacking scandal fits a pattern. The ICO identified the problem and then explained to Parliament that there was limit to what they could do about it. The ICO report What Price Privacy (2006) sets this out.
What is interesting is how the ICO has also fended off suggestions it move beyond its legislative basis of the FOIA and the DPA to become something of a “privacy commissioner”. See for example the Select Committee on Culture, Media and Sport Fifth Report Annex D: Informal meeting with the Information Commissioner
The Commissioner said he had no wish to be given further responsibilities in addition to the two very considerably complex pieces of legislation under which he already had duties. However, he felt duty-bound to point out the significant contiguity of some of his responsibilities with some of the matters under consideration by the Committee and to offer the observation that a wholly new regulator, with an over-lapping remit, could add further confusion to an already uncertain legal environment.
The Commissioner pointed to some legal developments related to privacy. He felt that the courts were cautiously moving towards a common law concept of privacy in the same neighbourhood at least as the law of confidence. In his opinion, the Court of Appeal had come very close to recognising that, in an appropriate case and on particular facts, a “breach of privacy” would be found as opposed to a “breach of confidence”.
What is interesting to note is how the ICO is letting the courts (another important ally) do the running. In drafting behind the legal developments, the ICO conserves its energy for the immediate cases and leverages its position in relation to the legal developments. To put it differently, but directly, the press and the public have been “outraged” with J Eady rather than the ICO.
Second section Politics of the situation
When the Information Commissioner was created, it was not given exceptional powers. Even when it published What Price Privacy, the recommendations did not lead to an increase in powers. Yet, the ICO pointed out the problems that existed, their cause, and its inability (because of parliament’s unwillingness,) to address the source of the problem. For example, when the data protection act was created, s.55 (about criminal breaches) attracted discussion of a custodial sentence, yet it did not materialize.
Today, the various breaches and the egregious examples of the data protection act being flouted have changed the political climate. Parliament, and more importantly, the public, wants the legislation to change. Whether s.55 is modified to have a custodial sentence remains to be seen, yet the option is now being considered. The ICO can now take advantage of this political climate in a way it could not do in 2003 or 2006. If one is playing the long game, (as most regulators, rather than politicians, have to do), then the decision “not to go to war” fits a pattern. The ICO may have avoided the battle with the press because it was “too big” because they did not have the political allies, either the politicians, the public, the legal establishment, or the press, to go after the problems.
If the ICO had gone after the NOTW, assuming the trail only led there, then, would it have folded? The political and social powers that the ICO needed did not exist. The ICO may have seen the evidence to make the case, but without the power, they had to bide their time. In much, the same way, that Lincoln, as a statesman, understood he could not force the resolution of slavery. He had to lead the United States in the path that would resolve the slavery question. He had to let it emerge, in the way that it did, so it could be resolved in the way that it was resolved. He could not be certain of the outcome, once commenced, but he was aware that it would be resolved.
In that light, what would the ICO have gained by “going to war” in 2003 or 2006? With the NOTW in full power and the public unaware of the issues, the outcome would have been at best a draw or a spectacular defeat. Moreover, without the political cover, of politicians or the public, taking on the press (which should normally be an ally) would be a weakened position.
Section three Organisational politics
In the end, is this exactly what happened? No. There are the organisational politics to consider as the ICO will have (as any organisation is) riven with factions wanting to go further while some elements would have wanted to wait or move in a different direction. In an extreme scenario, the regulator may have been “penetrated” by the press in much the same way the Met appears “penetrated” with senior officers being employed by the press or having a strong “briefing” relationship. Even if none of these scenarios is valid, the point remains that the regulator’s job is more complex than the recent evidence has suggested and that the role of the regulator has to be understood within a political and regulatory framework.
In particular, how the ICO approached each case will reveal the organisational politics. The decision to gather evidence, but not pursue it, will not have satisfied those intent upon pushing the issue. At the same time, it would have worried those within the organisation concerned with protecting its ability to act as a regulator. In much the same way that Plato described a tripartite soul, the more spirited (wanting to push the investigation and take the evidence forward) and the appetitive wanting to play it safe to maintain what has already been created and what works, and the rational, the strategic view of developing to a position of strength.
To put it in movie terms, it is like the Godfather’s three sons. One is like Sonny, the spirited one taking it all personally, acting first, and thinking later. The other is like Fredo, who is appetitive and less dynamic. Finally, there is Michael who will become the Godfather because he acts rationally and it is just business, never personal. Against this backdrop, the public are the crucial battleground. At all costs, they must be won over, even if they are not focused on the issue because they hold the ability to change everything. However, public satisfaction is not an ideal way to measure regulatory action nor is it a way to make regulatory policy. On this issue, see for example Cary Coglianese, Is Satisfaction Success? Evaluating Public Participation in Regulatory Policymaking (September 2002). KSG Working Paper No. RWP02-038. Available at SSRN: http://ssrn.com/abstract=331420
Moreover, the organisational politics and the wider political game that the regulator has to play involve situations where full transparency is not ideal. See for example, Cary Coglianese et al. Seeking Truth for Power: Informational Strategy and Regulatory Policy Making (January 13, 2010). Minnesota Law Review, Vol. 89, p. 277, 2004; Stanford Public Law Working Paper No. 93; Harvard Public Law Working Paper No. 101; KSG Working Paper No. RWP04-021. Available at SSRN: http://ssrn.com/abstract=545104
If a regulator is to be judged by their prudence, then one could argue that the ICO has succeeded to this point. This is not to say the ICO has been correct or has always made the right choices. To be sure, there have been mistakes and missteps. However, the wider political spheres, and the immediate regulatory sphere, are moving in its direction and not against it. Whether that has strayed in to timidity from intimidation (too much Fredo), has succumbed to policymaking navel gazing (too much Sonny), or has walked the path of prudence (Michael), it remains for the ICO to explain.
I hope my argument and the sources I have provided some evidence to change the focus of the debate and add some needed context to the challenges a regulator faces. Time will tell if the ICO has chosen the correct path as a regulator and we need to judge the ICO against the regulatory theory and the success of the wider regulatory framework before we consider the outcome of a specific case or campaign.