Category Archives: monetary penalty notice

Ineffectual powers

The Information Commissioner’s Office (ICO) has just announced that it has served a fine (strictly, a monetary penalty notice) of £80,000, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), on a company which sent a large number of particularly tasteless SMSs during the pandemic, of this sort:

“Get Debt FREE during the Lockdown! Write off 95% of ALL DEBTS with ALL charges and fees FROZEN. Government backed. Click [here] Stop 2optout”

(In passing, I’m rather surprised the ICO’s announcement gave hyperlinks to the offending, albeit broken, URLs.)

In that accompanying announcement, the ICO’s Head of Investigations is quoted as saying

The company director failed to cooperate with our investigations through concealing his identity by using false company details on his websites; changing the wording on the text messages; and, changing his company’s registered address after becoming aware of our investigation.

and we are told that the director

tried to evade the ICO investigations with different tactics since 2019, but investigators were determined to bring this company to account for plaguing people’s lives with thousands of spam messages

What is interesting in this context is that the ICO’s powers to issue fines for serious contraventions were extended in 2018, to allow them also to fine company directors themselves (where the contravention was with the consent or connivance of the director, or attributable to any neglect on their part).

I asked the ICO if they had a comment on why no director fine was issued here, but they only wished to say

The action we have taken is proportionate and appropriate in the circumstances of this case.

This is fair enough: there may be facts which are not public, and I don’t criticise what is a sound piece of enforcement against unlawful marketing communications.

However, as far as I am aware, since the ICO acquired the powers to fine directors (and similar officers) under PECR they have not exercised those powers once. This is odd – they had long lobbied for the powers, and when the change in the law was being proposed, the then Commissioner Elizabeth Denham told The Register “It should have a real deterrent effect”. Maybe there are legal issues with actually ascribing liability to directors, or practical issues with tracking and pinning them down to try to enforce against them. If so, and if the 2018 change in the law has not had that “real deterrent effect”, is the ICO letting government know?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.


Filed under Information Commissioner, monetary penalty notice, PECR, spam texts

ICO – fines, what fines?

No surprise…but ICO has only issued four notices of intent to serve a fine since GDPR came into application (and one fine)

I made a quick Freedom of Information Act (FOIA) request a few weeks ago to the Information Commissioner’s Office (ICO), asking

since 25 May 2018
1) how many notices of intent have been given under paragraph 2(1) of schedule 16 to the Data Protection Act 2018?
2) How many notices of intent given under 1) have not resulted in a monetary penalty notice being given (after the period of 6 months specified in paragraph 2(2) of the same schedule to same Act)?

I have now (4 September) received a response, which says that only four notices of intent have been issued in that time. Three of those are well known: one was in respect of Doorstep Dispensaree (who have since received an actual fine – the only one issued under GDPR – of £275,000); two are in respect of British Airways and of Marriott Inc., which have become long-running, uncompleted sagas; the identity of the recipient of the final one is not known at the time of writing.

The contrast with some other European data protection authorities is stark: in Spain, around 120 fines have been issued in the same time; in Italy, 26; in Germany (which has separate authorities for its individual regions), 26 also.

Once again, questions must be asked about whether the aim of the legislator, in passing GDPR, to homogenise data protection law across the EU, has been anywhere near achieved.


Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Some PECR figures in light of a new monetary penalty notice

Presented without comment.

21,166,574 unsolicited direct marketing messages

£100,000 monetary penalty

Only £1k in the bank at the last filings

Zero chance of recovery?


Filed under Data Protection, enforcement, Information Commissioner, marketing, monetary penalty notice, PECR

BA hints at massively reduced size of ICO proposed fine

A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a €22m fine.

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Yet more delays to proposed ICO BA and Marriott fines

I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?


Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

COVID-19 and ICO’s proposed fines for BA and Marriott

I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.


Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Why the big pause? ICO delay agreed re GDPR fines

On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott

Filed under Data Protection, Data Protection Act 2018, enforcement, GDPR, Information Commissioner, monetary penalty notice

€9.5m GDPR fine to German telco for insecure customer authentication

Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.


Filed under Data Protection, Europe, GDPR, monetary penalty notice

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?


Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.


Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice