MPs: ICO Faces £42.8m Shortfall Thanks To European Privacy Plans

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Taxpayers could end up paying more if European data protection proposals go ahead as planned, says Justice Committee

The Information Commissioner’s Office (ICO) is facing a shortfall of £42.8 million, thanks to data privacy legislation changes in Brussels, according to a group of MPs.

The European Commission’s proposals on data protection, which amount to a draft directive and regulation, have caused quite a stir, with the ICO itself saying the measures on the table are too heavy-handed.

Plans include heavier fines for data privacy offenders, mandatory breach reporting within 24 hours and the “right to be forgotten” – something that has upset a host of US firms, especially Facebook, which believes it is infeasible to delete all data related to their services whenever they are asked.

ICO needs more dosh

Now MPs, as part of the Justice Committee, have voiced concerns that British taxpayers will be faced with a bigger bill when the ICO steps up to the increased workload.

There would be a £26.3 million increase in costs if the ICO were to take on all the responsibilities the planned EU rules require, whilst £15 million would be sucked out of revenues if the reforms abolish notification fees, the committee claimed. Notification fees are paid by all data controllers, who are required by current UK law to pay a sum to the ICO – either £35 or £500 depending on the size and turnover of the company.

The recent Leveson report also suggested making the ICO a more integral player in regulation of the press, landing it with even more work.

“No one seems to know where resources would come from to replace the notification fee if it is abolished,” the Justice Committee report read.

“[The ICO’s] responsibilities in the field of data protection look set to expand dramatically if new EU data protection legislation comes into effect and recommendations made by the Leveson Inquiry for the ICO to take on additional functions are adopted.

“If the government requires that his Office expand its role in monitoring the standards of data protection in the press, it should ensure he has the resources to do so properly.”

The committee recommended the government ensures notification fees are still paid to the ICO after the EU rules come into force, or introduces an alternative fee, otherwise the taxpayer would be left to fund the body.

Information commissioner Christopher Graham said in a blog post the funding problems had to be addressed. “The £42 million figure is very much a worst case scenario, and is based on a proposed legislative framework that is ever changing,” Graham said.

“What is certainly clear is that, like any public sector organisation, we are living through lean times, and we’re aware of the importance of the ICO showing itself to be efficient, effective and excellent value for money.

“But sorting out an acceptable system for funding the ICO in the future now needs to be tackled.”

The Justice Committee has expressed its dismay at the EU privacy proposals before. In November, it said the European Commission should “go back to the drawing board”.

British private industry isn’t enamoured with the proposals either. BT is the biggest UK company currently lobbying EU officials on the laws, whilst the US government, Facebook, Amazon, Yahoo, eBay and a host of other tech giants are eagerly attempting to change the laws before they are signed off.
