On 14 June 2022, the UK Information Commissioner's Office ("ICO") announced that it had reached a fine income retention agreement with its sponsor department the Department for Digital, Culture, Media & Sport (DCMS) and the Treasury (HMT). Pursuant to the agreement, the ICO is now able to retain up to £7.5 million of funds paid as a result of its civil monetary penalties per annum. The funds will be audited and are to cover "pre-agreed, specific and externally audited litigation costs."
Before this announcement, all income from monetary penalties issued by the ICO was passed to the Government's central Consolidated Fund and the ICO did not retain any of the funds. The new agreement is therefore a significant shift from the previous system and will allow the ICO to recover a portion of its monetary penalties per annum.
The ICO commented in its announcement that the change means the ICO can make sure they "have the right resources to hold those who don't comply to account" and can also "make sure that more of the charges paid by small businesses can be used to directly fund our business advice and support services."
This is an interesting development which adds a further dynamic to the issue of monetary penalties, particularly those pursuant to the UK GDPR which have the potential to be significant. The ICO's comments indicate that this agreement will provide the ICO with at least some of the funds it requires to ensure that appropriate action is taken to hold businesses to account and may indicate a pending uptick in regulatory action.
It will be interesting to watch how the ICO approaches monetary penalties going forward and whether there is any change in appetite to investigate or a greater emphasis placed on the cost of the ICO in each matter when issuing a monetary penalty. Equally, we will be keeping an eye on whether the ICO starts to push back more robustly in response to appeals against monetary penalties. Over recent years, we have seen the ICO reduce GDPR monetary penalty notices, most recently in the case of Clearview AI Inc, whose fine of more than £7.5m last month was a drastic reduction from the provisional view, in November 2021, to fine the organisation just over £17m. Whether the ICO alters its approach to monetary penalty notices going forward remains to be seen.
It will also be interesting to see if any EU data protection authorities follow suit, either adopting the ICO's hybrid model or going further and following the model in Spain where the Spanish data protection authority - Agencia Española de Protección de Datos (AEPD) - is self-funding and retains all income received from civil penalties (fines) issued by the AEPD.
“Being able to recover some of our litigation costs will form an important part of ensuring that the ICO has the right tools to do our job. We are on the side of the public and responsible businesses and being well resourced to take action can give everyone the confidence that, where appropriate, we will act effectively to uphold rights.” James Dipple Johnston, Chief Regulatory Officer, ICO.