Laurence Eastham worries about the ICO’s future funding and its capacity to do all that it might need to.
In the days when I was taking on new publishing jobs, I had a pretty simple approach to fees. The responses to three questions provided the foundation for setting a fee. What do you need doing? By when? How much is in the budget? Once I had laughed a little and challenged the budget and the timeline, a fee would be set. Whether publisher or plumber, lawyer or carpet-layer, the fee and the nature of the work required are inextricably linked. Everybody knows that - no shocks there. Everybody knows that but not everyone takes notice.
What happens if the work required and the funds available are divorced? One person designs and sets a strategy and another person sets the fee for it, and who pays it. We may be about to find out. And, sadly for tech lawyers, we may find out in the context of data protection.
I was curious about the new fee structure for data protection that is to take effect from 1 April. Curious and a little concerned. I could see that the GDPR requires more of the supervisory authority than the old regime and yet the requirement to notify and the revenue that went with it was abolished by the GDPR. Here is what I found out and my resulting worries.
Does the GDPR require the ICO to do more?
The ICO target for full-time equivalent staff once GDPR is in place is 581. The most recent figures published show it as having 460 full-time equivalent staff. Bearing in mind that the ICO has duties beyond data protection, especially in relation to FOI, it seems reasonable to assume that we are looking at a targeted increase in dedicated data protection staff that goes beyond 25%.
It seems safe to say that the ICO is anticipating a considerable increase in activity. There was a point when the need for 200 extra staff was mentioned but perhaps that falls into the dreamland category. The DCMS has stated that it is committed to meeting GDPR standards after Brexit.
In my view, there is likely to be a considerable bulge in the work at the time of implementation of the GDPR. There are many calls for more guidance, especially for the benefit of smaller organisations. While the Article 29 Working Party is producing some pointers, much of this is in need of more than translation into English – it often needs translation into real-world guidance.
I could labour the point but, in short, the ICO has a lot more to do from May 2018 shortly after the new fee structure comes into force.
How much has the ICO got to play with?
The ICO’s data protection activities are, at least in theory, currently covered by the payment of fees by notifying organisations and individuals. The current registration fees system is based on the size and turnover of an organisation. Organisations with a turnover of £25.9 million and more than 249 members of staff or public authorities with more than 249 members of staff pay £500 per annum. All other organisations pay £35 per annum. The fee of £35 has been fixed since 2000 and the £500 fee has not changed since its introduction.
The full-year forecast for that income in the 2017/2018 financial year is £20.75 million. On my reckoning, they need to find an extra £6 million if they are to meet their target post-GDPR.
Under the Digital Economy Act 2017, s 108, which came into force on 31 July:
'(1) The Secretary of State may by regulations require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner.
(2) Regulations under subsection (1) may require a data controller to pay a charge regardless of whether the Information Commissioner has provided, or proposes to provide, a service to the data controller.
(3) Regulations under subsection (1) may make provision about the time or times at which, or period or periods within which, a charge must be paid.
(4) Regulations under subsection (1) may make provision—
(a) for different charges to be payable in different cases;
(b) for cases in which a discounted charge is payable;
(c) for cases in which no charge is payable;
(d) for cases in which a charge which has been paid is to be refunded.'
For these purposes, a ‘data controller’’ means a person who, alone or jointly with others, determines the purposes and means of the processing of personal data’ and ‘personal data’ is ‘any information relating to an identified or identifiable individual’. I think that means that everyone who uses a phone or computer, including a large number of private and individuals (and almost every child over the age of 10), is potentially liable to pay a charge but clearly the regulations will not have that effect.
Under s 109(1), the Secretary of State is required, before making the charges regulations, to consult the Information Commissioner and ‘such representatives of persons likely to be affected by the regulations as the Secretary of State thinks appropriate’ as well as any other person he or she thinks appropriate. Under s109(2), the Secretary of State is required to ‘have regard to the desirability of securing that the charges payable … are sufficient to offset …(a) expenses incurred by the Commissioner in discharging the Commissioner’s functions …’.
The powers under the Digital Economy Act 2017, ss 108 and
109 are those that apply now and are likely to apply when regulations on
charges are made prior to 1 April 2018 (when the ICO states the charges
structure will apply). The Data Protection Bill currently before Parliament
broadly replaces these provisions (in cls 132 and 133), although there are some
inevitable differences because of context and the Bill’s drafting is neater
(though bizarrely removing the duty to consult the ICO before setting charges.
It is worth noting that both the DEA 2017 and the Bill refer to the charges
covering the ICO’s expenses ‘under or by virtue of the Privacy and
Communications (EC Directive) Regulations 2003’; since that instrument will shortly be superseded, that wording might create some interesting issues (but that’s for another day).
A process of consultation on a new fees structure has taken place. The ICO spokesperson responded to my enquiry about this, attaching a copy of the consultation document, as follows:
'The Department for Digital, Culture, Media and Sport (DCMS), the ICO's sponsor department, has the responsibility for developing the ICO's funding arrangement, with approval by Parliament.
DCMS undertook, through a third party, a consultation on the proposed funding changes.
In 2015, the ICO used a third party to conduct initial research about its funding structure. The contractors of the survey were provided with a sample of 10% of the ICO’s register including all top fee payers and a random sample of lower fee payers. This equated to approximately 40,000 organisations, who were then contacted and around 2,000 responded. The sample for this latest consultation is the circa 2,000 organisations that responded to the previous research. Just over 300 of these data controllers contributed to the latest consultation. DCMS is now reflecting on the responses before developing the fee regulations needed to underpin the ICO's future funding arrangements.'
The consultation document envisages a three-tier structure.
The consultation document does not give any hint as to the nature of the exemptions that might apply. It uses the term ‘firm’ and ‘organisation’ but it is quite a leap to assume that all individuals are to be exempted.
Will the charges be sufficient for the ICO to do the job?
While the provisions of the Digital Economy Act 2017, s 109(2) suggest that the charges must fit the expenses, there are three glaring problems.
First, the requirement on the Secretary of State does not amount to a duty to ensure that all the relevant expenses are covered by the charges. It is not hard to imagine a newspaper campaign against an increase in fees on business, large and small. That increase can, not unreasonably, be characterised as a doubling of fees when the EU’s aim was ‘to revise and simplify’. Moreover, some media outlets and politicians will be horrified by the idea of ‘burdening business with Brussels-inspired red-tape’ – forgive me for activating my inner Daily Mail. You and I may think that the burden is no more than necessary in order to maintain a fundamental right, but it’s not the easiest of sells. If a campaign ensues, the charges may be cut to the bone or the exemptions widened to narrow the paying pool and make it unworkable. I suspect that the mere whiff of a potential campaign is enough for cuts to be made.
Secondly, the ICO is looking to recruit and retain staff at a time when the status and salaries of those with real understanding of data protection has never been higher. I am sure that the ICO can recruit 120 new staff but, at the rates they can pay, they will not be able to afford staff with the level of experience and knowledge that is really needed. Indeed, if they do get some really capable staff, they will most certainly be tempted by industry options elsewhere. While living costs in and around Wilmslow are lower than in London and the south-east, as is too often mentioned, they are not negligible, and are in fact higher than many other places beyond the hothouse areas.
My third worry concerns that basic issue that every worker setting a price will recognise. The role of the ICO under the GDPR should be different to that which has gone before; we should be looking at a more expansive and more expensive ICO. It should give more guidance. It should get tougher or at least more rigorous in enforcing the obligations under the data protection legislation. The ICO should be in schools and training teachers. The list is long and you can all add your own pet projects. But the chances are that the Secretary of State will not worry about the things that might be done and are never done – he or she will worry more about the burden on business and the political backlash if fees are seen as high.
My basic fear is that we could end up with a cut-price budget for a luxury spec. That’s a recipe for a shoddy shambles.
Two other points that don’t fit the argument are worth mentioning.
There is no apparent provision for any payments to be made where enforcement takes place to cover the ICO’s costs of enforcement. Yet that might help with costs, and it might give an incentive to the ICO to take action beyond the mild rebuke that is too often all the action taken.
Those who think that the ICO might be financed by penalties should take note of the fact that the actual receipts from civil monetary penalties do not come close to covering its costs. Not only do we have to consider the ethics of giving the ICO an incentive to increase the fines etc – a breach of natural justice – we also have to consider the fact that so many offenders declare themselves insolvent on receipt of a penalty.
For more in a similar vein, see this excellent piece from Jon Baines which, rather annoyingly, says much of what I had to say well before I put fingers to keyboard.