GDPR fines: Where does the money go?
GDPR gives regulators the power to issue enormous fines, but who benefits from all that cash?
Under the previous data protection regime, the UK’s Information Commissioner’s Office (ICO) was only able to punish organisations with a maximum fine of £500,000 for violating data protection rights.
This was deemed to be a significant sum historically, but when the EU’s General Data Protection Regulation (GDPR) came into force in May 2018, which exists alongside the UK’s own Data Protection Act 2018, the maximum penalty surged to a whopping €20 million, or 4% of global annual turnover, whichever is higher.
The ICO has already issued a couple of major fines to date under the new data protection regime, including issuing British Airways a £20 million penalty in October 2020 for a data breach in 2019. Marriot, too, has been fined £18.4 million for a 2014 data breach, although both sums were significantly reduced from the £183 million and £99 million penalties they initially faced.
Clearly, these penalties are several times larger than the maximum possible penalty under the previous regime, and have been issued alongside dozens of fines by authorities across Europe. One of the first major GDPR fines, for example, was a €50 million penalty issued by the French data regulator against Google.
Looking ahead, GDPR enforcement is likely to generate billions of pounds, but where this money ends up has been the source of confusion. The one-stop-shop principle, too, in which one data regulator adjudicates on behalf of all EU nations for cross-border cases, may cause tensions to escalate as regulators wrestle for jurisdiction. Finally, experts have routinely questioned whether regulators, such as the Irish Data Protection Commission (DPC) are well-resourced enough to handle the much greater caseload.
Myth-busting the fate of data protection fines
As the BA and Marriot fines show, the ICO certainly hasn’t been reluctant to issue major fines, even if they were heavily watered down. Contrary to popular belief, however, the money accrued from these penalties doesn’t actually go to the regulator itself.
The reality is that, in the case of the UK, this money is not channelled into the ICO's coffers but instead the Treasury's consolidated fund, into which it pours all revenues including taxes and fines. This is then distributed as part of wider government spending.
This isn't necessarily the case in every country across the EU, however, according to Helen Goldthorpe, a data protection specialist and commercial and IT lawyer with Shulmans. The ICO's equivalents in Denmark and Estonia, for example, can't issue fines directly and instead make recommendations to courts. Germany, meanwhile, has adopted a system whereby there are multiple regulators in each state. The process in Ireland involves a two-staged decision, first on whether there has been a violation, then on the nature of the penalty.
The Spanish regulator stands almost unique in that it has historically swallowed all the data protection fines it has levied. But Goldthorpe explains this led to accusations of a conflict of interest, and that the arrangement would eventually need to change under GDPR.
"Essentially the conflict is that if the regulator gets the money, then they have more of an incentive to fine," she says. "Their own self-interest may come into the decision as to what the fine should be, rather than the facts that they're meant to be taken into account."
Factoring in the 'one-stop-shop' principle
The harmonisation of data protection laws and the fluid nature of data-sharing has led the European Data Protection Board (EDPB) to devise the one-stop-shop principle. It's a key concept under GDPR that kicks in when a violation occurs across two or more jurisdictions, such as when dealing with multinational corporations.
In this case, a single regulator is nominated to serve as the lead supervisory authority, typically the regulator that sits closest to the offending organisation's European headquarters. This regulator spearheads an investigation, takes on the costs involved, and handles any regulatory action that's demanded. The matter, thereafter, is generally considered to be settled.
The Irish DPC is arguably the most active lead supervisory authority in EU, racking up several cases against big tech companies, with many of these being headquartered in Ireland.
Most recently, following a two-year investigation, the regulator hit WhatsApp with a record €225 million (approximately £193 million) fine for a lack of transparency in the way the service shares user data. The penalty, which is the biggest GDPR fine formally issued to date, was approved by the European Data Protection Board (EDPB) and is several times higher than the €50 million (roughly £43 million) draft fine the Irish data authority issued against the company in December last year. However, WhatsApp has already announced plans to appeal the penalty, branding it as “entirely disproportionate”.
The Irish DPC is currently working through a backlog of cases against big tech firms, with more than 10 complaints being against Facebook-owned companies alone. In fact, WhatsApp’s €225 million fine might soon be dwarfed if Luxembourg’s regulator finalises a provisional €746 million (approximately £637 million) fine against Amazon.
However, what happens when data protection regulators disagree on a fine? How do they decide which country’s authority has the right to take charge of an investigation?
According to Jon Belcher, senior associate with Blake Morgan, these are examples of situations where the matter gets escalated to a higher level:
"Under the mechanism the lead supervisory [agency] will liaise with its counterparts under the EDPB and a consistent approach agreed," Belcher tells IT Pro. "Disputes between supervisory authorities are referred to a resolution mechanism.
"Joint enforcement action is possible, however the expectation is that the joint approach will establish the parameters between the authorities. It may be possible that this may include apportionment of a fine but if the ICO fines are correct this would not seem to be the case."
Rising tensions between member states
The EDPB is still working out how the one-stop-shop principle works in practice, since it's an entirely new concept. It has worked effectively so far, Goldthorpe adds, but there could be friction building between neighbouring regulators in future. The fact that regulators can now issue fines on a far greater scale, however, likely won't factor into these calculations as they mostly won't directly benefit from the money.
"It's an interesting one, because from a purely financial point of view, actually, the issue is more that the investigations are expensive and hard for the regulator to fund," she says.
"But from a trust and profile point of view, and making sure that your view of what GDPR says gets some traction, regulators do quite like to take the lead, because it improves their profile; they're seen by their own citizens to be doing something; they're seen to be protecting their citizens. And so it's not always just about the money."
Another point of tension can arise when an investigation concerns data processing carried out within Europe but directed by a third-party country, such as the US, meaning it's less clear cut who has jurisdiction. A prime example of this, Goldthorpe adds, is Google's €50 million fine from French authorities.
Issued by French privacy Watchdog CNIL in January 2019, the penalty was at the time the highest in the GDPR's history and centred around Android users who, when setting up a new Android phone, were forced to follow Android's onboarding process which included forced consent for the processing of their data. Complainants argued that Google had no legal basis to process the personal data of its users "particularly for ads personalisation purposes".
"There was a bit of a debate about whether that should have been caught by one-stop-shop, because Google's main European headquarters were in Ireland, but the French authorities took the view that the processing that they were looking at was being dictated by the US.
"Ireland didn't really have anything to do with it and therefore the one-stop-shop didn't apply because it was not an EU decision. So they said, 'actually, we've got jurisdiction over this, so we're going to take action directly'."
Funding data protection in the GDPR era
As the data protection fines expect to scale up in volume, so do the size and scope of the investigations that precede them. Regardless of GDPR, the ICO has grown in terms of staffing scope in the last few years, fuelled in part by several investigations into the Cambridge Analytica scandal.
With regulatory fines funnelled into the Treasury Consolidated Fund set to soar, there's every chance the UK data regulator may demand a greater slice of the pie to support its growing prominence. Indeed, it's Helen Goldthorpe's view the ICO may be actively lobbying to achieve exactly this.
"There's a reference in the ICO's latest report, where it talked about fines going into the consolidated fund, but also said that they're working as a key piece of work for the next year - to identify how to try and get some money out of the fine income, particularly in relation to litigation costs," she says.
However, this process is in its very early stages, she adds, and the ICO may find it difficult to persuade the government, but "it's certainly something that the ICO are looking at".
"I think it's still relatively early stages of that," she continues. "It's one of the things that - having got the initial GDPR implementation work out of the way - they're then moving on to look at that."
The ICO says that it considers itself to be adequately funded, with a spokesperson telling IT Pro that with GDPR in place the regulator has enough resources to regulate effectively.
"Ultimately, it's up to the government to decide on how to fund the ICO," a spokesperson says. "Businesses that process personal data have to pay a fee to the ICO, which funds the ICO's work providing advice and guidance about how to comply with the law. Things like our online guidance, our telephone helpline and our digital toolkits."
In This Article
- 1What is GDPR?
- 2GDPR fines explained
- 3GDPR fines: Where does the money go? - currently reading
- 4What GDPR means for small businesses
- 5What Brexit means for GDPR
- 6What GDPR means for financial services
- 7How to perform a data protection impact assessment
- 8What is a subject access request?
- 9What is the 'right to be forgotten'?
Four strategies for building a hybrid workplace that works
All indications are that the future of work is hybrid, if it's not here alreadyFree webinar
The digital marketer’s guide to contextual insights and trends
How to use contextual intelligence to uncover new insights and inform strategiesFree Download
Ransomware and Microsoft 365 for business
What you need to know about reducing ransomware riskFree Download
Building a modern strategy for analytics and machine learning success
Turning into business valueFree Download