In November we discovered that the first "fines" had been issued by the Information Commissioner's Office (ICO) for failure to pay the statutory fee for data controllers. The Information Rights Tribunal has now issued its first ruling of an appeal against those ICO fines, and has upheld the ICO decision. The recipient of the fine, and therefore the appellant in the proceedings, was paint and wallpaper company Farrow & Ball.
Regulations (The Data Protection (Charges and Information) Regulations 2018), made under sections 137 and 138 of the Data Protection Act 2018 (DPA), provide for a domestic scheme under which data controllers must pay a "fee" to the ICO, unless they can avail themselves of an exemption. Under a three-tier system, payment of a fee of £40, £60 or £2,900, depending on the size of the data controller, is mandatory - unless an exemption applies. Failure to pay exposes a data controller to the risk of a "fine22" (more correctly, a civil monetary penalty levied by the ICO) of up to £4,350.
In this instance, the ICO had fined Farrow & Ball £4000. The appeal was on various grounds, but Farrow & Ball did not dispute that it had had an obligation to pay the fee, nor that it had failed to do so. Its argument was that circumstances obtained which meant discretion should have been exercised, and the penalty not imposed, or that it be a lower amount. It pleaded that the ICO reminder to pay the fee was sent whilst the relevant Farrow & Ball representative was on holiday and, therefore, the ICO should have issued a further reminder; that the ICO wrote to the company secretary but the correspondence was not recognised as important internally; and that the ICO was contacted promptly once the error was spotted and the fee was then paid immediately. In mitigation Farrow & Ball also argued that it had learned from its mistake and put procedures in place to ensure the failure to pay would not happen again.
The Tribunal noted that it was increasingly common for the General Regulatory Chamber, of which it is part, to determine appeals against financial penalties imposed by civil regulator. It also noted that an approach of asking whether a defaulting appellant has a “reasonable excuse” for their default, notwithstanding the fact that “reasonable excuse” concept is not expressly referred to in the relevant legislation (which is the case with the Fees Regulations at issue here), is one that has been approved by the Upper Tribunal. Adopting this approach on the facts, however, the Tribunal concluded that Farrow & Ball had not advanced a reasonable excuse for its failure to comply with the fee regulations:
“...a reasonable data controller would have systems in place to comply with the Regulations...the Appellant has pointed to no particular difficulty or misfortune which explains its departure from the expected standards of a reasonable data controller”.
Furthermore, there was no evidence presented to justify imposing a lower penalty as Farrow & Ball had not pleaded any financial hardship.
The approach of considering “expected standards”, and whether controllers have systems in place to comply with the Regulations, is a sensible one for the Tribunal to take. Subject to any further appeal by Farrow & Ball, it is likely to be adopted by future tribunals, as well as the ICO when determining whether to impose a penalty in the first place.