GDPR: Where does the fine money go?
With eye-watering penalties rolling in, the limits of the regulations are about to be tested
Before the EU's General Data Protection Regulation (GDPR) came into force, the Information Commissioner's Office's (ICO) powers were limited to fining organisations a maximum of £500,000. This was considered significant at the time, but it pales in comparison to the penalties that have already been issued under the Data Protection Act 2018 and GDPR.
On 8 July 2019, the ICO issued British Airways with a £183 million penalty for violations and just one day later levied a £99 million fine against hotel chain Marriott. These sums are 366 and 198 times the previous maximum penalty respectively. Elsewhere, Google was hit with a €50 million fine by French authorities, and at least 70 enforcement actions have been taken in total across the EU little more than a year after the new regulations came into force.
But the destination of this money, which could run into billions in the next few years, has been the subject of uncertainty. The relatively untested one-stop-shop principle, too, may lead to tensions brewing as data protection authorities wrestle over claims for jurisdiction in mammoth investigations; think the likes of Facebook and Google, where millions are at stake.
There's finally the question as to whether data protection regulators, specifically the ICO, are well-funded enough to cope with greater investigatory workloads; and whether the advent of GDPR, and explosion in fines, means their need for additional funding will skyrocket.
Myth-busting the fate of data protection fines
The ICO clearly hasn't shied away from making big calls, as the BA and Marriott fines show, and it's been a common misconception that all this money goes directly to the ICO. Contrary to what many have at one time assumed, the ICO says it's never directly benefited from this money.
The reality is that this money is not channelled into the ICO's coffers but into the Treasury's Consolidated Fund, into which all general revenues, including taxes and fines, are paid. It is then distributed as part of wider government spending.
This isn't necessarily the case in every country across the EU, however, according to Helen Goldthorpe, a data protection specialist and commercial and IT lawyer with Shulmans. The ICO's equivalents in Denmark and Estonia, for example, can't issue fines directly and instead make recommendations to courts. Germany, meanwhile, has adopted a system whereby there are multiple regulators in each state. The process in Ireland involves a two-staged decision, first on whether there has been a violation, then on the nature of the penalty.
The Spanish regulator stands almost unique in that it has historically kept all the data protection fines it has levied. But Goldthorpe explains this led to accusations of a conflict of interest, and that the arrangement would have to change under GDPR.
"Essentially the conflict is that if the regulator gets the money, then they have more of an incentive to fine," she says. "Their own self-interest may come into the decision as to what the fine should be, rather than the facts that they're meant to take into account."
Factoring in the 'one-stop-shop' principle
The harmonisation of data protection laws and fluid nature of data-sharing has led the European Data Protection Board (EDPB) to devise the one-stop-shop principle. It's a key concept under GDPR that kicks in when investigations involve adjudicating on cross-border data processing violations.
Organisations alleged to have committed a violation in several jurisdictions are probed by a single regulator, nominated to serve as the lead supervisory authority. This regulator spearheads the investigation, bears the costs involved, and handles any regulatory action that is required. The matter, thereafter, is generally considered settled.
The ICO's investigations into BA and Marriott were rare instances where the one-stop-shop mechanism was triggered, with the UK serving as the lead supervisory authority on behalf of multiple jurisdictions. This wasn't much publicised at the time, though.
However, if a neighbouring regulator had laid claim to the investigation, the matter would have escalated to a higher level.
"Under the mechanism the lead supervisory [agency] will liaise with its counterparts under the EDPB and a consistent approach agreed," Jon Belcher, senior associate with Blake Morgan, tells IT Pro. "Disputes between supervisory authorities are referred to a resolution mechanism.
"Joint enforcement action is possible, however the expectation is that the joint approach will establish the parameters between the authorities. It may be possible that this may include apportionment of a fine but if the ICO fines are correct this would not seem to be the case."
Rising tensions between member states
The EDPB is still working out how the one-stop-shop principle works in practice, since it's an entirely new concept. It has worked effectively so far, Goldthorpe adds, but there could be friction building between neighbouring regulators in future. That regulators can now issue fines on a far greater scale, however, likely won't factor into these calculations as they mostly won't directly benefit from the money.
"It's an interesting one, because from a purely financial point of view, actually, the issue is more that the investigations are expensive and hard for the regulator to fund," she says.
"But from a trust and profile point of view, and making sure that your view of what GDPR says gets some traction, regulators do quite like to take the lead, because it improves their profile; they're seen by their own citizens to be doing something; they're seen to be protecting their citizens. And so it's not always just about the money."
Another point of tension can arise when an investigation concerns data processing carried out within Europe but directed from a third country, such as the US, meaning it's less clear cut who has jurisdiction. A prime example of this, Goldthorpe adds, is Google's €50 million fine from French authorities.
"There was a bit of a debate about whether that should have been caught by one-stop-shop, because Google's main European headquarters were in Ireland, but the French authorities took the view that the processing that they were looking at was being dictated by the US.
"Ireland didn't really have anything to do with it and therefore the one-stop-shop didn't apply because it was not an EU decision. So they said, 'actually, we've got jurisdiction over this, so we're going to take action directly'."
UK-based organisations, moreover, could soon be on the receiving end of this regulatory "free-for-all" should the UK leave the EU without a deal. At the moment, under the one-stop-shop principle, organisations based in the UK only have to deal with the ICO. If that mechanism falls away with Brexit, cross-border data processing violations in Europe could potentially lead to direct regulation by other territories in which they operate.
Funding data protection in the GDPR era
As data protection fines are expected to grow in volume, so are the size and scope of the investigations that precede them. Regardless of GDPR, the ICO has grown in staffing in the last few years, fuelled partially by several flagship investigations into the Cambridge Analytica scandal.
With regulatory fines that are funnelled into the Treasury Consolidated Fund set to soar, there's every chance the UK data regulator may demand a greater slice of the pie to support its growing prominence. Indeed, it's Helen Goldthorpe's view the ICO may be actively lobbying to achieve exactly this.
"There's a reference in the ICO's latest report, where it talked about fines going into the consolidated fund, but also said that they're working as a key piece of work for the next year - to identify how to try and get some money out of the fine income, particularly in relation to litigation costs," she says.
However, this process is in its very early stages, she adds, and the ICO may find it difficult to persuade the government, but "it's certainly something that the ICO are looking at".
"I think it's still relatively early stages of that," she continues. "It's one of the things that - having got the initial GDPR implementation work out of the way - they're then moving on to look at that."
The ICO says that it considers itself to be adequately funded, with a spokesperson telling IT Pro that with GDPR in place the regulator has enough resources to regulate effectively.
"Ultimately, it's up to the government to decide on how to fund the ICO," a spokesperson says. "Businesses that process personal data have to pay a fee to the ICO, which funds the ICO's work providing advice and guidance about how to comply with the law. Things like our online guidance, our telephone helpline and our digital toolkits."