Back to top
Article

Let them (not) eat cake

16 December 13

The authors dispute that the right to appeal a £500,000 data fine can be lost

by Paul Motion, Laura Irvine

The Upper Tribunal has recently upheld the First-tier Information Rights Tribunal’s refusal to quash a £90,000 monetary penalty notice (MPN) imposed by the Information Commissioner (ICO) on Central London Community Healthcare NHS Trust: [2013] UKUT 551(AAC).

One of the rejected grounds of appeal concerned the so-called “early payment discount” scheme the ICO operates. If a fine is paid within 28 days, the ICO will allow a 20% discount. This could save an organisation up to £100,000 against the maximum possible £500,000 fine. But, according to the ICO, paying the discounted fine immediately forfeits any right of appeal against the original fine.

The appellate route is particularly important relative to MPNs. The ICO is not an independent and impartial tribunal. This was conceded in the successful Scottish Borders Council appeal against a £250,000 fine (EA2012/212).

Unlike other regulators such as the Financial Conduct Authority, the ICO does not negotiate when deciding how much a MPN will be. The ICO’s procedure in setting the amount of fine is not transparent. The grounds are often difficult to decipher, as the two recent successful appeals to the First-tier Tribunal have shown. The process followed by the ICO is not to provide full disclosure of the proposed amount to the data controller and enter into plea adjustment prior to sentencing before a court. Instead the decision as to amount is made behind closed doors, with input from the data processor to a very limited extent, ordinarily comprising revisals to the narrative of the notice of intent the ICO must serve prior to issuing a MPN. The ICO does not, apparently, take into account the means of the data controller or distinguish between a public authority and a private sector business.

A piece of cake

Where fines as large as £0.5 million are concerned, one might have taken it as read that natural justice required an unfettered recourse to an independent and impartial tribunal. Rather alarmingly, the Upper Tribunal judge in Central London characterised the act of claiming the early payment discount whilst also appealing, as a data controller “trying to have its cake and eat it” (at para 65).

The Upper Tribunal likened the discount to that given in a criminal case to an accused who pleads guilty at an early stage. This is not a valid comparison. The significant difference here, not seemingly considered by the Upper Tribunal, is that prior to a guilty plea being tendered, the accused person will have been provided with full disclosure of the case against him or her, will have made an informed decision about a plea generally based on legal advice, and will have been informed of the right to seek legal advice. Then, an independent tribunal and decision maker will have decided on the penalty, not the prosecutor. The ICO is obliged by statute to issue a notice of intent before issuing an MPN, but there is no disclosure process for establishing what evidence that notice is based on, or for testing that evidence.

If of course the Upper Tribunal was intending to infer that MPNs were criminal and that ICO investigations relative to MPN procedure thus required to be compliant with ECHR articles 6 and 7 – as we have argued elsewhere – then that would be an entirely different matter. This aspect was not however developed in the Upper Tribunal’s decision.

Just a fixed penalty?

The other comparator that the Upper Tribunal prayed in aid was the fixed penalty scheme for minor road traffic offences, littering and other antisocial behaviour. The First-tier Tribunal had also referred to fines for parking offences and minor road traffic offences. The system as described by the tribunal is that there are “mutually exclusive options”. Either the penalty is paid within 28 days or the offender can request a court hearing and face a higher fine if found guilty.

The tribunal’s analogy between £30 parking tickets and £0.5 million data protection fines is in our view manifestly inappropriate. Fixed penalty notices are an administrative process set up to deal with high volumes of parking infringements and minor crime. The sums of money and reputational damage at stake are generally low. Commonly if a parking fine or fixed penalty is not paid and an appeal is requested, the original amount is frozen until the outcome of the appeal, or at least there is a discretion to impose the level of fine as originally envisaged, even if the appeal is unsuccessful. That is presumably because even at these low values, unfettered access to an independent and impartial tribunal is seen as a right which is fundamental to our justice system.

By contrast, data protection MPNs are relatively few in number and can be high in value. The ICO is on record as stating that he can foresee no instance where an MPN would ever be set at less than £75,000. MPNs are preceded by an inquisitorial process, flawed as it may be. The regulator is both inquisitor and prosecutor. The prosecutor also sets the level of fine. A MPN appeal is the only route to an impartial tribunal, and to a de novo hearing where all the material relied on by the regulator is revealed. This route ought to be unhindered. But appealing suddenly presents huge risks to a small company or public body if the very act of appealing will always result in the immediate loss of a saving which could be as much as £100,000. There will be pressure from directors, investors or councillors just to take the bird in the hand, pay the penalty and have at least the certainty of the discount, as opposed to appealing where the only certainty is to watch the 20% discount being snatched away.

The ICO has made it clear that it will not distinguish between a public sector body and private body when imposing a monetary penalty. The majority of monetary penalties imposed since April 2010 for DPA breaches have been against public sector bodies – 36 as opposed to six private sector bodies. No one disputes that our public sector bodies must comply with the DPA 1998 and protect data properly, just as they must protect the health and safety of their employees. But fining them large sums of money, particularly without an unfettered right of appeal, may be counterproductive. Public authorities may feel they have no choice but to divert resources to avoid large data fines, or may feel compelled to pay large fines to secure a discount because they fear an unsuccessful appeal may leave them 20% worse off. Is this really what Parliament intended as the objective of MPNs?

Paul Motion and Laura Irvine are solicitor advocates with BTO Solicitors, Edinburgh.
They can be contacted at prm@bto.co.uk and lji@bto.co.uk or www.bto.co.uk

Have your say