The UK’s data protection watchdog has signed an agreement with the government which will see it retain millions of pounds in fines to put towards mounting legal costs.
The Information Commissioner’s Office (ICO) said that previously, all income from the fines it issued – which under the GDPR could theoretically hit £17m or 4% of global annual turnover – was passed to the government’s Consolidated Fund.
However, the new agreement with the Treasury and the Department for Digital, Culture, Media & Sport (DCMS) will see it keep £7.5m of those fines annually to put towards “pre-agreed, specific and externally audited litigation costs.”
The ICO is one of the best-funded and resourced data protection bodies in Europe. A data protection fee paid by all UK organizations processing data accounts for up to 90% of its funding, which in the last year figures were available stood at over £45m.
However, this pales compared to the legal resources that large multinationals, especially US tech companies, have to throw at cases.
A 2020 report argued that this means many cases aren’t investigated or are limited because data protection authorities don’t have the capacity to defend their decisions in court.
It said at the time that only five of Europe’s 28 national GDPR enforcers had more than 10 tech specialists, while half had budgets of under €5m. The ICO had only 3% of its 680 staff focused on tech issues, it said.
A related challenge is actually recovering the fines that were originally issued.
The ICO is said to have issued a record £42m in fines during the financial year 2020/21, representing a 1580% increase on the previous year. However, a report late last year claimed that it had recovered just 26% of the value of fines issued since 2020.
A separate report out this week claimed that more than a quarter of fines issued since 2017, amounting to £13m, have yet to be paid.
“Being able to recover some of our litigation costs will form an important part of ensuring that the ICO has the right tools to do our job,” argued ICO chief regulatory officer James Dipple Johnstone.
“We are on the side of the public and responsible businesses and being well resourced to take action can give everyone the confidence that, where appropriate, we will act effectively to uphold rights.”