At the time of the consultation on the new regime for data protection fees, the maximum fee was floated as £1,000. The draft fees regulations suggest a maximum fee of £2,900. Laurence Eastham bemoans his ignorance of the process that led to a leap that would leave Jonathan Edwards in awe.
Since I have frequently bemoaned the habit of government of introducing legislation or schemes when they have failed to consult on their proposals with those who actually understand, and are affected by, the changes, I welcomed the DCMS consultation on data protection fees. Just as I usually have doubts about consultations with ‘stakeholders’, a Humpty Dumpty word if ever there was one, I had worries about who was being consulted but still – better a duff consultation than none at all.
Those with long memories will know that the third-party consultation that we heard about in October was based on suggested fees of £50, £80 and £1,000. According to the ICO, the consultation was carried out on behalf of the DCMS, using organisations which had responded to previous ICO research – about 2,000 organisations of which just over 300 responded. We don’t know for sure but there is some indication that large organisations were disproportionately represented amongst consultees. Once the results of that research were reported to the DCMS it reflected on the responses and then developed the fee regulations.
A draft of those regulations was published a fortnight ago. The draft is currently before Parliament. It requires Parliamentary approval. The fees in the draft are £40, £60 and £2,900, according to criteria relating to a data controller’s turnover and number of members of staff (or only members of staff, for a public authority). So how did we get from £1,000 to £2,900? Were the consultees pressing for this tripling of the top fee?
That the larger organisations favoured a larger fee being paid by them seems unlikely as the selection would have included larger organisations – although it is perfectly possible as £2,900 is not going to send large companies, even large organisations like Carillion, into receivership and, hey, Sunderland voted for Brexit. The problem I have is that I have no idea how we got where we are and have seen no justification for the tripling of the fee for fat data controllers.
The fact that I have not seen a justification does not mean that there is no justification. I admit that I never thought that the fees suggested at the time of the October consultation were adequate. I wrote this back in October on the suggested charges and their effect; Jon Baines wrote this even earlier. But the prize for early accurate analysis goes to Chris Pounder of Amberhawk whose blogpost on the need for registration fees for large controllers to be raised very considerably was published in April 2017: ‘Fees well north of £2K can be expected to be the norm for those larger controllers who have to register under the new regime’.
One theory is that, before setting the fees, the Secretary of State read Chris Pounder’s blogpost or did a short course in basic maths. Either activity was likely to result in much higher fees than those floated in October. But isn’t it reasonable to expect some of the basic working to be public and transparent? And has the Secretary of State fulfilled the statutory duty to consult when consulting on a model that is so different to the actual regime imposed?
I have asked the ICO how we got to £2,900 and they referred me to the DCMS. Fair enough – though I suspect they know. I asked the DCMS and they have not responded. I wonder if Parliament might ask before nodding through the regs but, given a Second Reading debate on the Data Protection Bill that was obsessed with Leveson-like issues, I won’t get my hopes up.
I sincerely hope that the fees when collected (a pretty crucial element) enable the ICO to do a proper job of implementing the GDPR and offering the sort of detailed guidance that is needed.