Thursday 11 April 2013

European Commission to fund the ICO in future?

If the proposals in the General Data Protection Regulation continue in their current vein, the Information Commissioner’s Office may lose it's ability to fund it's data protection work by means of registration fees from data controllers.  So, discussions on how to fund the ICO in future must be going on behind closed doors. If there is no requirement to register, the ICO won’t know who to recover a fee from.  Try as I can, I don’t see much evidence of a public debate going on about alternative funding streams for the ICO. 

So, perhaps it’s time to start one.

My cunning plan, for what it’s worth, is to work on the premise that if a decision is taken to change the regulatory framework by means of a Regulation, then the responsibility to fund the regulators should be transferred to the European Commission. The ICO can remain an agency independent from the British Government, but funded directly from Brussels. 

This frees up what is probably a Mexican standoff between the ICO, patiently explaining what resources are required to enforce what are evidently EU-determined “fundamental rights”, the Ministry of Justice, explaining that it simply hasn’t got enough money, and the European Commission, expecting common data protection standards to emerge within the EU.

Such a proposal could ensure, to the extent that regulators are expected to regulate a Regulation, that they all have equivalent resources to carry out this important work.   

The European Commission, of course, might insist that it could not possibly take on such a great financial burden - although, to be frank, it does seem to be the case that almost every EU Member State is reducing national budgets faster than the Commission.

If, on the other hand, a decision is taken to change the regulatory framework by means of a Directive, then the European Commission must accept that Member States have a right to decide for themselves what funds should be made available to regulators, bearing in mind other pressures on national budgets. And yes, this will lead to an uneven state of funding, and (probably) an uneven state of data protection compliance. 

But is there anything wrong with an uneven state of compliance, given that the economic conditions in Member States are also so uneven? Why should data protection be given priority in countries that are dealing with huge social problems brought on by economic circumstances?

To suggest, for example, that data protection funding in Greece should be given priority over funding for Greek pensions or Greek healthcare is surely absurd. 

 The Article 29 Working Party recently suggested that: “To ensure all DPAs are sufficiently equipped to perform their tasks, the budget of a DPA should be based on a fixed amount to cover the basic functions that all DPAs have to undertake equally, supplemented by an amount based on a formula related to the population of a Member State and its GDP and the amount of main establishments in that Member State. In addition, the Working Party feels DPAs should be enabled to be selective in order to be effective. They should be able to define their own priorities and to start actions, such as investigations, on their own initiative, notwithstanding the obligations regarding cooperation, mutual assistance and consistency according to Chapter VII. Therefore, to ensure DPAs and the European Data Protection Board can effectively carry out their duties it is necessary to provide clear rules on issues such as budget, equality of powers, the margin of discretion for DPAs and how the mutual assistance and the consistency mechanism are to be put to practice.”

So, not only does the Article 29 Working Party want funding based on a fixed formula, they also want the discretion on how the money should be spent. There is no mention on whether funding should be from central or local sources, though. 

Well, at least they are trying to start a public debate.

Let’s see who fancies joining in.

Statement of the Working Party on current discussions regarding the data protection reform
package, published by the Article 29 Working Party, 27 February 2013

Image credit: