Under the Data Protection Act 1998 it was an offence to process personal data without notifying with the Information Commissioner (and paying the required notification fee) unless you were exempt from having to notify. The position changed in May when the GDPR and Data Protection Act 2018 entered into force. The requirement to notify, which had its origin in the 1995 Data Protection Directive, was done away with. This left the UK with a particular problem: the Information Commissioner’s work in relation to the enforcement of data protection was funded entirely by the notification fees paid by data controllers. The solution was to introduce a system of fees which data controllers are required to pay to the Information Commissioner unless they are exempt from having to do so.
The law was also changed so that non payment of the data protection fee by a controller required to pay it is no longer a criminal offence. There are duplicate provisions in law which allow the Information Commissioner to charge these fees. The duplicate provisions are section 137 of the Data Protection Act 2018 and section 108 of the Digital Economy Act 2017. The fees payable are current specified within The Data Protection (Charges and Information) Regulations 2018, which were made exercising the powers under section 108 of the Digital Economy Act (the Regulations being made prior to the enactment of the Data Protection Act 2018 in May). There are, however, no provisions within the Digital Economy Act 2017 in respect of penalties for non-payment of these fees; the only provision which provides for non-payment of these fees is section 158 of the Data Protection Act 2018, which applies to fees made under section 137 of the Data Protection Act 2018.
In terms of section 158 of the Data Protection Act 2018, the maximum penalty for non-payment of the fee is 150% of the highest charge payable in accordance with the fees regulations, disregarding any discount available under the fees regulations.
It seems that a number of data controllers, who the Commissioner believes should be paying a fee, have not paid their fee. Earlier this week it was announced that the Information Commissioner’s Office had started to take enforcement action against 34 such organisations. The enforcement regime in section 158 of the Data protection Act 2018 applies to regulations made under section 108 of the Digital Economy Act 2017 by virtue of a provision within Schedule 20 to the Data Protection Act 2018 which provides that Regulations made under section 108 of the Digital Economy Act 2017 are to have effect as if they were Regulations made under section 137 of the Data Protection Act 2018 after the coming into force of section 137 of the Data Protection act 2018 (which happened on 25 May 2018).
The Notices of Intent, according to the ICO press release, have been issued to a range of controllers across the public and private sectors and that there are others in the process of being about to be issued. They act as a final warning by the ICO they if organisations don’t pay then they will be the recipient of a fixed penalty. It seems that the ICO is taking a relatively strong stance against non-payers from the outset and data controllers should therefore ensure that they pay their registration fees (where applicable) as and when their notification under the Data Protection Act 1998 comes to an end; or immediately where they were did not notify under the Data Protection Act 1998.
If you would like advice on a data protection or privacy matter than contact Alistair on 0141 229 0880 or you can E-mail him directly. You can also follow our twitter account dedicated to the field of Information law