In another article in our series on the impact of the GDPR, Natalie Stockmann asks whether the end of the old funding model for the ICO creates a challenge or an opportunity.
Applications to become the next Information Commissioner have now closed but when the new Commissioner begins, will he or she be receiving a note similar to that left by Liam Byrne, former Treasury Chief Secretary, to his successor, David Laws – 'I am afraid there is no money'? The ICO has recognised for some time that it would be required to do 'better with less' (Annual Report and Financial Statements 2013/14) and with the final version of the GDPR now agreed, subject to formalities, the funding position is unlikely to improve, so what now?
As expected, the GDPR abolishes the requirement for national registrations with privacy regulators. Previously, the Data Protection Act 1998, s 18(5), together with secondary legislation, obliged data controllers in the UK to pay an annual notification fee of up to £500. According to the notes of an ICO Management Board meeting in April 2015 ('Registration Fee Strategy', 27 April 2015), the ICO had approximately 409,000 data controllers registered, approximately 5,000 of them higher tier fee payers, equivalent to an income of more than £17m. This fee income is currently the sole source of funds for the ICO's data protection work, with its freedom of information budget coming from government.
However, maybe the perceived funding gap is not as serious as it seems; perhaps it is an opportunity for the ICO to develop further its more recent approach.
The ICO held two public consultations in early 2014 designed to address its growing levels of work and the impending funding issues: 'Our new approach to data protection concerns', and 'Looking ahead, staying ahead: Towards a 2020 vision for information rights'.
The proposed new approach set out in the first consultation was, from April 2014, to focus on improving information rights practice and on serial offenders, rather than refereeing individual disputes where data protection might be an incidental issue in a wider dispute, or where an individual has not first approached the relevant organisation to raise a concern and given it an opportunity to respond. In practice, though, it is unclear whether the ICO has followed this arguably less resource-intensive approach.
With abolition of national registrations now confirmed, the ICO will continue to need to prioritise its scarce resources. This could, however, be an opportunity. One key aim of the GDPR was to update the European data protection framework to reflect the significant technological advances and digital innovation since Directive 95/46/EC was passed. The ICO could perhaps benefit from some of these advances to deliver its services at a lower cost. The ICO plan 2014-2017 envisages completion of online registration software development, and the development of 'online transactions including self-reported breaches and reporting of concerns'. But what else? Could AI tools support routine queries, for example?
On the other hand, the potential cost savings and efficiencies arising from the use of new technology usually require significant up-front investment, and the GDPR may preclude further attempts at what might be perceived as a more 'hands-off' approach. The ICO may therefore be facing a genuine challenge.
One solution that Christopher Graham, the outgoing Commissioner, has advocated is an 'information rights levy' on both data controllers and public authorities subject to the Freedom of Information Act, with, as is the case now for notification fees, a higher levy for larger data controllers. Last year the ICO had to acknowledge that a levy was unlikely. At its Management Board meeting in April 2015, the ICO noted the 'concerns across government that this would result in private sector cross subsidising public sector work'. At the same meeting, it was noted that the ICO was reviewing fee arrangements with the Ministry of Justice and had proposed some fundamental principles, including the need for flexibility in the face of changes in risk or legislation. This suggests there is still much work to be done to ensure the ICO is adequately funded once registration fees cease.
Another key aim of the GDPR is harmonisation of data protection laws within Europe, so it seems appropriate also to look to our counterparts on the continent for solutions on funding. The regulator in Spain, the AEPD, is funded by fines, and it is perhaps no coincidence that the AEPD has historically been one of the most prolific regulators in taking enforcement action. (In 2012, the AEPD handled close to 900 sanctions proceedings, imposing fines totalling €21,054,656 – see 'A kinder, gentler Spanish Data Protection Authority?', Eric A. Packel, Baker & Hostetler LLP, 29 July 2015, Lexology.) The greatly enhanced enforcement powers in the GDPR (with fines of up to 4% of global annual turnover) could provide significant income. However, with the ICO issuing fewer than 20 monetary penalties in 2015, fine income at current levels would fall well short of present fee income; only the increased powers in the GDPR would make fines a realistic substitute.
Whether you see the funding changes as a challenge or an opportunity, the ICO now has until 2018 to act.
Natalie Stockmann is in the Data Privacy Legal team at Barclays.