GDPR fines: Where does the money go?

There have been both record breaking fines including Google’s €50 million GDPR violation in France, and fines that have been reduced, like the recent British Airways data breach.

Both raise the question: who receives the money from these fines. Here we show you what happens to fines issued by regulators and fines as a result of legal cases. 

What happens to regulator issued fines?

As we’ve talked about the £20 Million fine to British Airways for their data breach, let’s focus on the UK and their regulatory body, the Information Commissioner’s Office (ICO).

Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the ICO (Source: ICO).

The Consolidated Fund is the Government’s general bank account at the Bank of England. Payments. This fund was established in 1787 to be “one fund into which shall flow every stream of public revenue and from which shall come the supply for every service”.

This means fines fund all public services, just like tax revenue. You can see the Government’s Consolidated Fund breakdown for 2018-2019 here.

Most member states have the same system, where the fine is brought back into the community.

What happens to fines as a result of a court case?

In court cases, if groups or individuals have been significantly impacted in terms of their rights, and have suffered damage and distress, the judge may fine the company involved and issue these funds as compensation to those affected.

It will be up to the judge to decide on the amount of compensation, and whether it will be issued to the individual or split if it is a group court case. They also will decide how these funds will be accessed, for example individuals may have to claim the funds using legal support or they may receive a share of the compensation directly. Typically the compensation will be issued less legal costs, which can add up if the case is particularly complex.

Courts will enforce the judgement if the organisation refuses or is unable to pay, and facilitate the right to appeal which may affect the amount of the fine issued. 

You can see this in the Equifax $US700m fine, in which a maximum of $425m will go to consumer losses. This is $2.89 if just divided per individual whose data was breached. 

It’s not only about data breaches. Read more about a recent fine for marketing texts during coronavirus.