Data Protection: ICO Charges under the GDPR

October 30, 2017

In the days when I was taking on new publishing jobs, I had
a pretty simple approach to fees. The responses to three questions provided the
foundation for setting a fee. What do you need doing? By when? How much is in
the budget? Once I had laughed a little and challenged the budget and the
timeline, a fee would be set. Whether publisher or plumber, lawyer or
carpet-layer, the fee and the nature of the work required are inextricably
linked. Everybody knows that – no shocks there. Everybody knows that but not
everyone takes notice.

What happens if the work required and the funds available are
divorced, when one person designs and sets a strategy while another sets the fee
for it and decides who pays it? We may be about to find out. And, sadly for tech
lawyers, we may find out in the context of data protection.

I was curious about the new fee structure for data
protection that is to take effect from 1 April. Curious and a little concerned.
I could see that the GDPR requires more of the supervisory authority than the
old regime and yet the requirement to notify and the revenue that went with it was
abolished by the GDPR. Here is what I found out and my resulting worries.

Does the GDPR require the ICO to do more?

The ICO target for full-time equivalent staff once GDPR is
in place is 581. The most recent figures published show it as having 460
full-time equivalent staff. Bearing in mind that the ICO has duties beyond data
protection, especially in relation to FOI, it seems reasonable to assume that
we are looking at a targeted increase in dedicated data protection staff that
goes beyond 25%.

It seems safe to say that the ICO is anticipating a
considerable increase in activity. There was a point when the need for 200
extra staff was mentioned but perhaps that falls into the dreamland category.
The DCMS has stated that it is committed to meeting GDPR standards after
Brexit.

In my view, there is likely to be a considerable bulge in
the work at the time of implementation of the GDPR. There are many calls for
more guidance, especially for the benefit of smaller organisations. While the
Article 29 Working Party is producing some pointers, much of this is in need of
more than translation into English – it often needs translation into real-world
guidance.

I could labour the point but, in short, the ICO has a lot
more to do from May 2018, shortly after the new fee structure comes into force.

How much has the ICO got to play with?

The ICO’s data protection activities are, at least in
theory, currently covered by the payment of fees by notifying organisations and
individuals. The current registration fees system is based on the size and
turnover of an organisation.
Organisations with a turnover of £25.9 million and more than 249 members
of staff or public authorities with more than 249 members of staff pay £500 per
annum. All other organisations pay £35 per annum. The fee of £35 has been fixed
since 2000 and the £500 fee has not changed since its introduction.

The full-year forecast for that income in the 2017/2018
financial year is £20.75 million. On my reckoning, they need to find an extra £6
million if they are to meet their target post-GDPR.

Under the Digital Economy Act 2017, s 108, which came into force on 31 July:

‘(1) The Secretary of State may by regulations require data
controllers to pay charges of an amount specified in the regulations to the
Information Commissioner.

(2) Regulations under subsection (1) may require a data
controller to pay a charge regardless of whether the Information Commissioner
has provided, or proposes to provide, a service to the data controller.

(3) Regulations under subsection (1) may make provision
about the time or times at which, or period or periods within which, a charge
must be paid.

(4) Regulations under subsection (1) may make provision—

(a) for different charges to be payable in different cases;

(b) for cases in which a discounted charge is payable;

(c) for cases in which no charge is payable;

(d) for cases in which a charge which has been paid is to be
refunded.’

For these purposes, a ‘data controller’ means ‘a person who,
alone or jointly with others, determines the purposes and means of the
processing of personal data’ and ‘personal data’ is ‘any information relating
to an identified or identifiable individual’. I think that means that everyone
who uses a phone or computer, including a large number of private
individuals (and almost every child over the age of 10), is potentially liable
to pay a charge but clearly the regulations will not have that effect.

Under s 109(1), the Secretary of State is required, before
making the charges regulations, to consult the Information Commissioner and
‘such representatives of persons likely to be affected by the regulations as
the Secretary of State thinks appropriate’ as well as any other person he or
she thinks appropriate. Under s 109(2), the Secretary of State is required to
‘have regard to the desirability of securing that the charges payable … are
sufficient to offset …(a) expenses incurred by the Commissioner in discharging
the Commissioner’s functions …’.

The powers under the Digital Economy Act 2017, ss 108 and
109 are those that apply now and are likely to apply when regulations on
charges are made prior to 1 April 2018 (when the ICO states the charges
structure will apply). The Data Protection Bill currently before Parliament
broadly replaces these provisions (in cls 132 and 133), although there are some
inevitable differences because of context and the Bill’s drafting is neater
(though it bizarrely removes the duty to consult the ICO before setting charges).
It is worth noting that both the DEA 2017 and the Bill refer to the charges
covering the ICO’s expenses ‘under or by virtue of the Privacy and Electronic
Communications (EC Directive) Regulations 2003’; since that instrument
will shortly be superseded, that wording might create some interesting issues (but
that’s for another day).

A process of consultation on a new fees structure has taken
place. The ICO spokesperson responded to my enquiry about this, attaching a
copy of the consultation document, as follows:

‘The Department for Digital, Culture, Media and Sport (DCMS),
the ICO’s sponsor department, has the responsibility for developing the ICO’s
funding arrangement, with approval by Parliament.

DCMS undertook, through a third party, a consultation on the
proposed funding changes.

In 2015, the ICO used a third party to conduct initial
research about its funding structure. The contractors of the survey were
provided with a sample of 10% of the ICO’s register including all top fee
payers and a random sample of lower fee payers. This equated to approximately
40,000 organisations, who were then contacted and around 2,000 responded. The
sample for this latest consultation is the circa 2,000 organisations that
responded to the previous research. Just over 300 of these data controllers
contributed to the latest consultation. DCMS is now reflecting on the responses
before developing the fee regulations needed to underpin the ICO’s future
funding arrangements.’

The consultation document envisages a three-tier structure.

  • Tier 1 would cover small and medium firms that do not
    process large volumes of data. This would be an organisation which has a staff
    headcount below 250 and a turnover below £50 million pa and which processes
    under 10,000 records. The envisaged fee for a Tier 1 organisation is £55 pa.
  • Tier 2 firms are those which have a staff headcount below
    250 and a turnover below £50 million pa but which process more than 10,000
    records. The envisaged fee for a Tier 2 organisation is £80 pa.
  • Tier 3 covers ‘large businesses’ which exceed the headcount
    or turnover limits. The annual fee for a Tier 3 organisation is £1,000.
  • Public authorities would pay a fee based on the same
    measures but ignoring turnover.
  • A top-up fee is proposed in respect of organisations that
    carry out electronic marketing as part of their business. £20 is mentioned as a
    possible top-up. It is hard to imagine what type of 21st century business does
    not engage in electronic marketing but no doubt there are some.

The consultation document does not give any hint as to the
nature of the exemptions that might apply. It uses the terms ‘firm’ and
‘organisation’ but it is quite a leap to assume that all individuals are to be
exempted.

Will the charges be sufficient for the ICO to do the job?

While the provisions of the Digital Economy Act 2017, s
109(2) suggest that the charges must fit the expenses, there are three glaring
problems.

First, the requirement on the Secretary of State does not
amount to a duty to ensure that all the relevant expenses are covered by the
charges. It is not hard to imagine a newspaper campaign against an increase in
fees on business, large and small. That increase can, not unreasonably, be
characterised as a doubling of fees when the EU’s aim was ‘to revise and
simplify’. Moreover, some media outlets and politicians will be horrified by
the idea of ‘burdening business with Brussels-inspired red-tape’ – forgive me
for activating my inner Daily Mail. You and I may think that the burden is no
more than necessary in order to maintain a fundamental right, but it’s not the
easiest of sells. If a campaign ensues, the charges may be cut to the bone or
the exemptions widened to narrow the paying pool and make it unworkable. I
suspect that the mere whiff of a potential campaign is enough for cuts to be
made.

Secondly, the ICO is looking to recruit and retain staff at
a time when the status and salaries of those with real understanding of data
protection has never been higher. I am sure that the ICO can recruit 120 new
staff but, at the rates they can pay, they will not be able to afford staff
with the level of experience and knowledge that is really needed. Indeed, if
they do get some really capable staff, they will most certainly be tempted by
industry options elsewhere. While living costs in and around Wilmslow are lower
than in London and the south-east, as is too often mentioned, they are not
negligible, and are in fact higher than many other places beyond the hothouse
areas.

My third worry concerns the basic issue that every worker
setting a price will recognise. The role of the ICO under the GDPR should be
different to that which has gone before; we should be looking at a more
expansive and more expensive ICO. It should give more guidance. It should get
tougher or at least more rigorous in enforcing the obligations under the data
protection legislation. The ICO should be in schools and training teachers. The
list is long and you can all add your own pet projects. But the chances are
that the Secretary of State will not worry about the things that might be done
and are never done – he or she will worry more about the burden on business and
the political backlash if fees are seen as high.

My basic fear is that we could end up with a cut-price
budget for a luxury spec. That’s a recipe for a shoddy shambles.

Tangents

Two other points that don’t fit the argument are worth
mentioning.

There is no apparent provision for any payments to be made
where enforcement takes place to cover the ICO’s costs of enforcement. Yet that
might help with costs, and it might give an incentive to the ICO to take action
beyond the mild rebuke that is too often all the action taken.

Those who think that the ICO might be financed by penalties
should take note of the fact that the actual receipts from civil monetary
penalties do not come close to covering its costs. Not only do we have to
consider the ethics of giving the ICO an incentive to increase the fines etc –
a breach of natural justice – we also have to consider the fact that so many
offenders declare themselves insolvent on receipt of a penalty.

For more in a similar vein, see this excellent piece from Jon Baines which,
rather annoyingly, says much of what I had to say well before I put fingers to
keyboard.