GDPR fines: Where does the money go?

A pile of 50 euro bank notes

Up until 2018, the UK’s Information Commissioner’s Office (ICO) was only able to punish organisations with a maximum fine of £500,000 for violating data protection rights.

This was deemed to be a significant sum historically, but when the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, which exists alongside the UK’s own Data Protection Act 2018, the maximum penalty surged to a whopping €20 million, or 4% of global annual turnover, whichever is higher.

The ICO has already issued a couple of major fines to date under the new data protection regime, including issuing British Airways a £20 million penalty in October 2020 for a data breach in 2019. Marriott, too, has been fined £18.4 million for a 2014 data breach.

Clearly, these penalties are several times larger than the maximum possible penalty under the previous regime, and have been issued alongside dozens of fines by authorities across Europe. One of the first major GDPR fines, for example, was a €50 million penalty against Google, issued by French data regulator CNIL.

Data protection enforcement is generating billions of pounds in fines, but where this money ends up has been the source of confusion. The one-stop-shop principle, too, in which one data regulator adjudicates on behalf of all EU nations for cross-border cases, may cause tensions to escalate as regulators wrestle for jurisdiction. Finally, the question remains over whether regulators, such as the Irish Data Protection Commission (DPC), are well-resourced enough to handle a much greater caseload.

Does the ICO pocket the fines it levies?

As the BA and Marriot fines show, the ICO certainly hasn’t been reluctant to issue major penalties, even if they were heavily watered down. Many may have falsely assumed that the ICO benefits from these fines directly which, in the age of GDPR and the infinitely greater sums of money involved, may perversely incentivise the regulator to pursue heavier and more punitive penalties. Historically, however, the UK data regulator hasn’t seen a penny from the fines it’s issued.

Instead, all financial penalties accrued have been channelled into the Treasury's consolidated fund, which is an accumulation of all government revenue including taxes and fines from other regulators. This money is then distributed as part of wider central government expenditure.

The winds are changing, however, and the ICO struck a deal with the government to retain a portion of the fines it collects each year. This money, which may not exceed £7.5 million within a financial year, aims to cover pre-agreed, specific, and externally audited litigation costs. The retention of this money is subject to strict regulatory hurdles precisely in order to avoid the potential issue of a regulator being incentivised to target companies with fines.

“Being able to recover some of our litigation costs will form an important part of ensuring that the ICO has the right tools to do our job,” said the ICO’s chief regulatory officer, James Dipple-Johnstone. “We are on the side of the public and responsible businesses and being well resourced to take action can give everyone the confidence that, where appropriate, we will act effectively to uphold rights.”

This move puts the UK in unique company alongside Spain. Until recently, the Spanish data regulator was unique as being the only authority to directly fund itself through the money it accrued through fines. The approach varies from nation to nation. Other regulators don’t even issue fines directly, including authorities in Denmark and Estonia, instead making recommendations to courts. Germany, meanwhile, has established multiple regulators in each state. The process in Ireland, finally, involves a two-staged decision, first on whether there has been a violation, then on the nature of the penalty.

What the 'one-stop-shop' principle means for fines

The harmonisation of data protection laws and the fluid nature of data-sharing has led the European Data Protection Board (EDPB) to devise the one-stop-shop principle. It's a key concept under GDPR that kicks in when a violation occurs across two or more jurisdictions, such as when dealing with multinational corporations.

In this case, a single regulator is nominated to serve as the lead supervisory authority, typically the regulator that sits closest to the offending organisation's European headquarters. This regulator spearheads an investigation, takes on the costs involved, and handles any regulatory action that's demanded. The matter, thereafter, is generally considered to be settled.

The Irish DPC is arguably the most active lead supervisory authority in the EU, racking up several cases against big tech companies, largely because many of these entities have their European headquarters in Ireland.

Following a two-year investigation, the regulator hit WhatsApp with a record €225 million fine for a lack of transparency in the way the service shares user data. The penalty, which is the biggest GDPR fine formally issued to date, was approved by the European Data Protection Board (EDPB) and is several times higher than the €50 million draft fine the Irish data authority issued against the company in December 2020.

The Irish DPC is currently working through a backlog of cases against big tech firms, with at one stage processing more than 10 complaints against Facebook-owned companies alone. In fact, WhatsApp’s €225 million fine was dwarfed by Luxembourg’s regulator issuing a provisional €746 million (approximately £637 million) fine against Amazon.

However, what happens when data protection regulators disagree on a fine? How do they decide which country’s authority has the right to take charge of an investigation?

According to Jon Belcher, senior associate with Blake Morgan, these are examples of situations where the matter gets escalated to a higher level:

"Under the mechanism the lead supervisory [agency] will liaise with its counterparts under the EDPB and a consistent approach agreed," Belcher tells IT Pro. "Disputes between supervisory authorities are referred to a resolution mechanism.

"Joint enforcement action is possible, however the expectation is that the joint approach will establish the parameters between the authorities. It may be possible that this may include apportionment of a fine but if the ICO fines are correct this would not seem to be the case."

Rising tensions between member states

The EDPB is still working out how the one-stop-shop principle works in practice, since it's a new concept. It has worked effectively so far, but there could be friction building between neighbouring regulators in future. The fact that regulators can now issue fines on a far greater scale, however, likely won't factor into these calculations as they mostly won't directly benefit from the money.

Another point of tension can arise when an investigation concerns data processing carried out within Europe but directed by a third-party country, such as the US, meaning it's less clear cut who has jurisdiction. A prime example of this is Google's €50 million fine from French authorities.

Issued by French privacy Watchdog CNIL in January 2019, the penalty was at the time the highest in the GDPR's history and centred around Android users who, when setting up a new Android phone, were forced to follow Android's onboarding process which included forced consent for the processing of their data. Complainants argued that Google had no legal basis to process the personal data of its users "particularly for ads personalisation purposes.

There was debate at the time about whether this should have been caught by the one-stop-shop principle, because Google’s main European headquarters were in Ireland. The French authorities, however, deemed that the processing they were looking at was being dictated by the US. Ireland, therefore, was irrelevant, and they did not see the one-stop-shop principle applying, deciding instead to take action directly.

Funding data protection in a post-GDPR era

As the data protection fines are scaling up in volume, so are the size and scope of the investigations. Regardless of GDPR, the ICO has grown in terms of staffing scope in the last few years, fuelled in part by several investigations into the Cambridge Analytica scandal.

With the fines it collects increasing, and the probes increasingly complex and costly, there's every chance the UK data regulator may demand a greater slice of the pie to support its growing prominence. Indeed, this is true not only as the nature of the ICO shifts, but as the post-Brexit data protection landscape changes.

The ICO has actually been campaigning to be funded partially by fine money for a number of years, having made reference to seeking to retain some money gathered through fines in an annual report a number of years ago.

Now the door has been wedged open, the ICO is likely to expect the portion of money it can retain to increase year after year, not only as the costs of taking regulatory action increase, but also as the organisation grows and restructures. The Data Reform Bill, recently outlined by the government, for example, outlines how the ICO is set to appoint a chief executive, a chair and a board to support the ongoing operations.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.