The Information Commissioner's Office (ICO) has announced it has served notices of intent to serve monetary penalties on 34 data controllers (including NHS bodies, recruitment companies and government) for failure to pay their data controller fee. Data Protection Advisor Jon Baines asks whether this signals a new strategy for ICO enforcement and revenue-gathering.
When the General Data Protection Regulation (GDPR) became directly applicable on 25 May this year, it swept away the requirement at European law for data controllers to register with their supervisory authority if they were processing personal data, and to provide certain particulars, which would then be available on a public register maintained by that authority (which in the UK is the Information Commissioner's Office, or ICO). However, on the same date, regulations (The Data Protection (Charges and Information) Regulations 2018) made under sections 137 and 138 of the Data Protection Act 2018 (DPA) (which, rather oddly, effectively mirror provisions already in the Digital Economy Act 2017) were made, providing for a domestic scheme under which data controllers must pay a "fee" to the ICO, unless they can avail themselves of an exemption. On the face of it, then, the new domestic scheme differs little from the old one.
However, there are some interesting differences.
Notably, the new regime is enforceable under civil law, rather than the criminal law which applied under the prior regime (the ICO has always had, and retains, certain prosecutorial powers). Failure to notify, in circumstances where the controller was required to do so, was, until 25 May, a criminal offence. Now, it is a civil wrong.
As section 137(4) of the DPA, and the explanatory memorandum to the new regulations, make clear, the purpose of the fees payable by data controllers is to fund the ICO's data protection work. Under a three-tier system, payment of a fee of £40, £60 or £2900 (depending upon the size of the data controller) is mandatory, unless an exemption applies. Failure to pay exposes a data controller to the risk of a civil monetary penalty (levied by the ICO) of up to £4350 (a sum which the ICO itself is required to set in statutory guidance, issued under section 158 of the DPA, and which, rather unhelpfully – given that the failure to notify is now a civil law issue – refers to such penalties as "fines").
Under paragraph 2 of Schedule 16 of the DPA, a "notice of intent" must first be served by the ICO on a controller which is believed not to have paid the requisite fee. And, notably, it appears that the ICO now effectively has an automatic notice of intent procedure in place: their guidance explains that controllers who previously paid a notification fee under the prior law will be sent,
a reminder explaining when you need to pay [the new fee]. If you don't pay, or tell us why you are no longer required to pay a fee, we will issue a notice of intent 14 days after expiry [of the old fee]
This is arguably rather draconian. Payment of the fee might not be the highest priority for hard-pressed business-owners and overworked public sector compliance officers. It also seems likely to lead to a major increase in ICO (and related) activity in this area. Firstly, it may well lead to a large number of penalty notices themselves being issued (if the reminder and then the notice of intent are both overlooked). And secondly, as each such penalty notice is appealable by right, and free of charge, to the Information Tribunal, there may also be a significant increase in the Tribunal's own workload.
So, the announcement of the 34 notices of intent served may just be a foretaste of what will be a regular occurrence.
But perhaps the important thing to note is this: it is much easier for the ICO to serve a monetary penalty than it is to secure a conviction in the criminal courts. To bring a prosecution the ICO had to follow the Prosecutors' Code, and the Director of Public Prosecutions' Charging Guidance. Accordingly, they had to be satisfied that the threshold for bringing a prosecution was met, and that it was in the public interest to bring it (bearing in mind that the standard of proof for the court would be that it was beyond all reasonable doubt that the offence had been committed). Even then, a statutory defence was available (at section 21(3) of the Data Protection Act 1998) if the controller could show that they had exercised "all due diligence to comply with the duty" to notify. Under the new fees regime, the ICO must simply abide by general principles of public law and proper administrative practice and follow its own guidance. There is no threshold test, no public interest test, and when considering whether an infringement has occurred the ICO will simply have to be satisfied on the civil test of the balance of probabilities. Moreover, there is no express "defence" relating to the infringement.
And when one puts all this together, one can see a situation emerging under which the ICO has a much simpler means of enforcing compliance, and, as a result, raising revenue. Forgetful or recalcitrant data controllers should be on their guard.