GDPR fines: Where does the money go?
With eye-watering penalties rolling in, the limits of the regulations are about to be tested
Under the previous data protection regime, the UK’s Information Commissioner’s Office (ICO) was only able to punish organisations with a maximum fine of £500,000 for violating data protection rights. This was deemed to be significant sum historically, but when the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, shortly followed by the UK’s own Data Protection Act 2018, the maximum penalty surged to a whopping €20 million, or 4% of global annual turnover, whichever is higher.
The ICO has already issued a couple of major fines to date under the new data protection regime, including issuing British Airways with a £20 million penalty in October 2020 for a data breach in 2019. Marriot, too, has been fined £18.4 million for a 2014 data breach, although both sums were significantly reduced from the initial £183 million and £99 million penalties they initially faced.
Clearly, these penalties are several times larger than the maximum possible penalty under the previous regime, and have been issued alongside dozens of fines by authorities across Europe. One of the first major GDPR fines, for example, was a €50 million penalty issued by the French data regulator against Google.
Looking ahead, GDPR enforcement is likely to generate billions of pounds, but where this money ends up has been the source of confusion. The one-stop-shop principle, too, in which one data regulator adjudicates on behalf of all EU nations for cross-border cases, may cause tensions to escalate as regulators wrestle for jurisdiction. Finally, experts have routinely questioned whether regulators, such as the Irish Data Protection Commission (DPC) are well-resourced enough to handle the much greater caseload.
Myth-busting the fate of data protection fines
As the BA and Marriot fines show, the ICO certainly hasn’t been reluctant to issue major fines, even if they were heavily watered down. Contrary to popular belief, however, the money accrued from these penalties doesn’t actually go to the regulator itself.
The reality is that this money is not channelled into the ICO's coffers but instead the Treasury's consolidated fund into which it pours all revenues including taxes and fines. This is then distributed as part of wider government spending.
This isn't necessarily the case in every country across the EU, however, according to Helen Goldthorpe, a data protection specialist and commercial and IT lawyer with Shulmans. The ICO's equivalents in Denmark and Estonia, for example, can't issue fines directly and instead make recommendations to courts. Germany, meanwhile, has adopted a system whereby there are multiple regulators in each state. The process in Ireland involves a two-staged decision, first on whether there has been a violation, then on the nature of the penalty.
The Spanish regulator, stands almost unique in that it has historically swallowed all the data protection fines it has levied. But Goldthorpe explains this led to accusations of a conflict of interest, and that the arrangement would eventually need to change under GDPR.
"Essentially the conflict is that if the regulator gets the money, then they have more of an incentive to fine," she says. "Their own self-interest may come into the decision as to what the fine should be, rather than the facts that they're meant to be taken into account."
Factoring in the 'one-stop-shop' principle
The harmonisation of data protection laws and fluid nature of data-sharing has led the European Data Protection Board (EDPB) to devise the one-stop-shop principle. It's a key concept under GDPR that kicks in when investigations involve adjudicating on cross-border data processing violations.
Organisations alleged to have committed a violation in several jurisdictions are probed by a single regulator, nominated to serve as the lead supervisory authority. This regulator spearheads an investigation, takes on the costs involved, and handles any regulatory action that's demanded. The matter, thereafter, is generally considered to be settled.
The ICO's investigations into BA and Marriott were rare instances where the one-stop-shop mechanism was triggered, with the UK serving as the lead supervisory authority on behalf of multiple jurisdictions. This was prior to Brexit. The Irish DPC is arguably the most active lead supervisory authority in EU, racking up several cases against big tech companies due to the fact they're headquartered in Ireland for tax purposes.
However, if a neighbouring regulator makes a claim to take charge of the investigation, the matter escalate to a higher level.
"Under the mechanism the lead supervisory [agency] will liaise with its counterparts under the EDPB and a consistent approach agreed," Jon Belcher, senior associate with Blake Morgan, tells IT Pro. "Disputes between supervisory authorities are referred to a resolution mechanism.
"Joint enforcement action is possible, however the expectation is that the joint approach will establish the parameters between the authorities. It may be possible that this may include apportionment of a fine but if the ICO fines are correct this would not seem to be the case."
Rising tensions between member states
The EDPB is still working out how the one-stop-shop principle works in practice, since it's an entirely new concept. It has worked effectively so far, Goldthorpe adds, but there could be friction building between neighbouring regulators in future. That regulators can now issue fines on a far greater scale, however, likely won't factor into these calculations as they mostly won't directly benefit from the money.
"It's an interesting one, because from a purely financial point of view, actually, the issue is more that the investigations are expensive and hard for the regulator to fund," she says.
"But from a trust and profile point of view, and making sure that your view of what GDPR says gets some traction, regulators do quite like to take the lead, because it improves their profile; they're seen by their own citizens to be doing something; they're seen to be protecting their citizens. And so it's not always just about the money."
Another point of tension can arise when an investigation concerns data processing carried out within Europe but directed by a third-party country, such as the US, meaning it's less clear cut who has jurisdiction. A prime example of this, Goldthorpe adds, is Google's €50 million fine from French authorities.
"There was a bit of a debate about whether that should have been caught by one-stop-shop, because Google's main European headquarters were in Ireland, but the French authorities took the view that the processing that they were looking at was being dictated by the US.
"Ireland didn't really have anything to do with it and therefore the one-stop-shop didn't apply because it was not an EU decision. So they said, 'actually, we've got jurisdiction over this, so we're going to take action directly'."
Funding data protection in the GDPR era
As the data protection fines expect to scale up in volume, so do the size and scope of the investigations that precede them. Regardless of GDPR, the ICO has grown in terms of staffing scope in the last few years, fuelled in part by several investigations into the Cambridge Analytica scandal.
With regulatory fines funnelled into the Treasury Consolidated Fund set to soar, there's every chance the UK data regulator may demand a greater slice of the pie to support its growing prominence. Indeed, it's Helen Goldthorpe's view the ICO may be actively lobbying to achieve exactly this.
"There's a reference in the ICO's latest report, where it talked about fines going into the consolidated fund, but also said that they're working as a key piece of work for the next year - to identify how to try and get some money out of the fine income, particularly in relation to litigation costs," she says.
However, this process is in its very early stages, she adds, and the ICO may find it difficult to persuade the government, but "it's certainly something that the ICO are looking at".
"I think it's still relatively early stages of that," she continues. "It's one of the things that - having got the initial GDPR implementation work out of the way - they're then moving on to look at that."
The ICO says that it considers itself to be adequately funded, with a spokesperson telling IT Pro that with GDPR in place the regulator has enough resources to regulate effectively.
"Ultimately, it's up to the government to decide on how to fund the ICO," a spokesperson says. "Businesses that process personal data have to pay a fee to the ICO, which funds the ICO's work providing advice and guidance about how to comply with the law. Things like our online guidance, our telephone helpline and our digital toolkits."
In This Article
How to be an MSP: Seven steps to success
Building your business from the ground upDownload now
The smart buyer’s guide to flash
Find out whether flash storage is right for your businessDownload now
How MSPs build outperforming sales teams
The definitive guide to salesDownload now
The business guide to ransomware
Everything you need to know to keep your company afloatDownload now