Since I have frequently bemoaned the habit of government of
introducing legislation or schemes when they have failed to consult on their
proposals with those who actually understand, and are affected by, the changes,
I welcomed the DCMS consultation on data protection fees. Just as I usually
have doubts about consultations with ‘stakeholders’, a Humpty Dumpty word if
ever there was one, I had worries about who was being consulted but still –
better a duff consultation than none at all.

Those with long memories will know that the third-party consultation
that we heard about in October was based on suggested fees of £50, £80 and
£1,000. According to the ICO, the consultation was carried out on behalf of the DCMS,
using organisations which had responded to previous ICO research – about 2,000
organisations of which just over 300 responded. We don’t know for sure but
there is some indication that large organisations were disproportionately
represented amongst consultees. Once the results of that research were reported
to the DCMS it reflected on the responses and then developed the fee
regulations.

A draft of those regulations was published a fortnight ago.
The draft is currently before Parliament. It requires Parliamentary approval.
The fees in the draft are £40, £60 and £2,900, according to criteria relating
to a data controller’s turnover and number of members of staff (or only members
of staff, for a public authority). So how did we get from £1,000 to £2,900?
Were the consultees pressing for this tripling of the top fee?

That the larger organisations favoured a larger fee being
paid by them seems unlikely as the selection would have included larger
organisations – although it is perfectly possible as £2,900 is not going to
send large companies, even large organisations like Carillion, into
receivership and, hey, Sunderland voted for Brexit. The problem I have is that
I have no idea how we got where we are and have seen no justification for the
tripling of the fee for fat data controllers.

The fact that I have not seen a justification does not mean
that there is no justification. I admit that I never thought that the fees suggested
at the time of the October consultation were adequate. I wrote this
back in October on the suggested charges and their effect; Jon Baines wrote this
even earlier. But the prize for early accurate analysis goes to Chris Pounder
of Amberhawk whose blogpost
on the need for registration fees for large controllers to be raised very
considerably was published in April 2017: ‘Fees well north of £2K can be
expected to be the norm for those larger controllers who have to register under
the new regime’.

One theory is that, before setting the fees, the Secretary
of State read Chris Pounder’s blogpost or did a short course in basic maths.
Either activity was likely to result in much higher fees than those floated in
October. But isn’t it reasonable to expect some of the basic working to be
public and transparent? And has the Secretary of State fulfilled the statutory duty
to consult when consulting on a model that is so different to the actual regime
imposed?

I have asked the ICO how we got to £2,900 and they referred
me to the DCMS. Fair enough – though I suspect they know. I asked the DCMS and they have not responded. I wonder if
Parliament might ask before nodding through the regs but, given a Second
Reading debate on the Data Protection Bill that was obsessed with Leveson-like
issues, I won’t get my hopes up.

I sincerely hope that the fees when collected (a pretty
crucial element) enable the ICO to do a proper job of implementing the GDPR and
offering the sort of detailed guidance that is needed.