By Jon Baines
Data Protection law has, since 1984 in the UK (with the first Data Protection Act), and since 1995 across Europe (with the Data Protection Directive), contained a general obligation on those who process personal data to notify the fact to the relevant supervisory authority (the Information Commissioner’s Office, or “ICO”, in the UK) and pay a fee for doing so. For many organisations it has in effect meant the payment of an annual fee in order to deal with people’s personal data.
Currently, in the UK, under the Data Protection Act 1998 (DPA), data controllers (those organisations who determine the purposes for which and the manner in which personal data are processed) pay either £35 or £500, according to their size (data controllers whose annual turnover is £25.9m or more and who have more than 249 staff must, in general, pay the larger amount). There are various exemptions to the general obligation, for instance for some controllers who are not-for-profit and for those who process personal data only for staff administration (including payroll), or advertising, marketing and public relations (in connection with their own business activity), or for accounts and records.
Failure by a controller to make a notification, unless it has an exemption, is a criminal offence under sections 17 and 21 of the DPA, punishable by a fine. However, only one successful prosecution appears to have been brought by the ICO in the last calendar year – a surprisingly low figure, given that, anecdotally, the author is aware of large numbers of controllers failing to make a notification when they should do so.
The General Data Protection Regulation (GDPR) does away with what has often been seen as a fragmented and burdensome notification requirement, substituting for it, at least in part, an accountability principle, under which relevant organisations (“data controllers”) will have to keep internal records of processing activities. As far back as 1997 the Article 29 Working Party, representing data protection authorities across the EU, recognised that excessively bureaucratic requirements in relation to notification not only represent a burden for business but undermine the whole rationale of notification by becoming an excessive burden for the data protection authorities.
And in its impact assessment in 2012, when the GDPR was first proposed, the European Commission explained some of the reasoning behind the removal of the requirement:
“[Notification] imposes costs and cumbersome procedures on business, without delivering any clear corresponding benefit in terms of data protection. All economic stakeholders have confirmed…that the current notification regime is unnecessarily bureaucratic and costly. [Data protection authorities] themselves agree on the need to revise and simplify the current system.”
However, in the UK at least the removal under the GDPR of notification fees would have had a catastrophic effect on the ICO’s existence, because, at the moment, all of the funding for its data protection work comes from fees income – almost £24m last year.
To address this impending shortfall, the government has aimed to provide powers (actually in the form of two pieces of legislation – first the Digital Economy Act and now the recent Data Protection Bill (DP Bill) (presumably the former will fall away given the introduction of the latter) to make regulations to create a domestic scheme for data protection fees. The explanatory notes to the Data Protection Bill state that”
“[Clause 132] provides the Secretary of State with a power to make regulations requiring data controllers to pay a charge to the Commissioner. Those regulations may provide for different charges in different cases and for a discounted charge. In setting the charge the Secretary of State will take into account the desirability of offsetting the amount needed to fund the Commissioner’s data protection and privacy and electronic communications regulatory functions. It also provides that the Secretary of State may make regulations requiring a controller to provide information to the Commissioner to help the Commissioner identify the correct charge.”
A clue as to how the charges might be set has now been provided by means of a questionnaire, sent on behalf of the Department for Digital, Culture, Media and Sport (DCMS) to 300 lucky data controllers, seeking their views on what the fee structure might be. There is nothing on the DCMS, or ICO, website about this, so it’s not clear if it takes the form of a consultation, or, more likely, a scoping exercise. But what it appears to be putting forward for consideration is a three-tier scheme, under which data controllers would pay £55, £80 or £1000, based on the size of the data controller and the number of “customer records” it handles.
As drafted, the questionnaire doesn’t propose any exemptions. One assumes that these would follow, but even so, the proposal to levy a fee for data protection on business, at a time when the European legislature has removed it, must raise questions about how business-friendly this particular piece of law-making will be.
Additionally, it is not clear what the sanction for non-compliance, and what the enforcement regime, would be. As indicated above, the current criminal sanction does not appear to have prevented any number of data controllers from avoiding their legal obligations, with apparent impunity. One presumes, though, that enforcement would be left as a function of the ICO, and, given that Commissioner Elizabeth Denham has said on various occasions that her office needs to grow to cope with the demands of GDPR, it is to be supposed that she will aim to be strict on this matter.
There are estimated to be approximately 5.5 million businesses in the UK. If each of those paid only the bottom tier under the suggested fees structure, this could equate to a potential cost to business of about £3bn per annum. Even if only a proportion of businesses actually end up paying (bearing in mind the likely exemptions, and likely avoidance/ignorance of some – just like now), £55 is a 57% increase on the current lower fee, and, added to the administrative costs of actually making a notification marks a considerable overall burden on UK business and – indeed – other data controllers.
There is no easy answer to the question of how the ICO’s regulatory functions can effectively be funded, and on one view it makes sense to retain a similar arrangement to the existing one, despite the European legislature having determined it is both ineffective and burdensome. However, it would not be a great surprise to see business interests in the UK lobbying against a domestic measure which is in fact more costly for them than the measures of the European Union the UK is planning to leave.
Jon Baines, is chair of NADPO (www.nadpo.co.uk) and blogs in a personal capacity.