Category Archives: monetary penalty notice

ICO – fines, what fines?

No surprise…but ICO has only issued four notices of intent to serve a fine since GDPR came into application (and one fine)

I made a quick Freedom of Information Act (FOIA) request a few weeks ago to the Information Commissioner’s Office (ICO), asking

since 25 May 2018
1) how many notices of intent have been given under paragraph 2(1) of schedule 16 to the Data Protection Act 2018?
2) How many notices of intent given under 1) have not resulted in a monetary penalty notice being given (after the period of 6 months specified in paragraph 2(2) of the same schedule to same Act)?

I have now received (4 September) received a response, which says that four notices of intent only have been issued in that time. Three of those are well known: one was in respect of Doorstep Dispensaree (who have since received an actual fine – the only one issued under GDPR – of £275,000); two are in respect of British Airways and of Marriott Inc., which have become long-running, uncompleted sagas; the identity of the recipient of the final one is not known at the time of writing.

The contrast with some other European data protection authorities is stark: in Spain, around 120 fines have been issued in the same time; in Italy, 26; in Germany (which has separate authorities for its individual regions), 26 also.

Once again, questions must be asked about whether the aim of the legislator, in passing GDPR, to homogenise data protection law across the EU, has been anywhere near achieved.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Some PECR figures in light of a new monetary penalty notice

Presented without comment.

21,166,574 unsolicited direct marketing messages

£100,000 monetary penalty

Only £1k in the bank at the last filings

Zero chance of recovery?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, Information Commissioner, marketing, monetary penalty notice, PECR

BA hints at massively reduced size of ICO proposed fine

A new piece by me on the Mishcon de Reya website – BA’s parent company’s latest financial filings indicate it’s planning for (at most?) a E22m fine.

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Yet more delays to proposed ICO BA and Marriott fines

I have this piece on the Mishcon de Reya website. More than a year since they were first proposed, ICO has still not converted its notices of intent into actual fines. Will it ever?

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

COVID-19 and ICO’s proposed fines for BA and Marriott

I have a piece on the Mishcon de Reya website, questioning whether the Coronavirus might fundamentally affect the likelihood of BA and Marriott receiving huge GDPR fines.

Leave a comment

Filed under Data Protection, Data Protection Act 2018, GDPR, Information Commissioner, monetary penalty notice

Why the big pause? ICO delay agreed re GDPR fines

On the Mishcon website: ICO agrees delay over GDPR fines with both BA and Marriott

 

Leave a comment

Filed under Data Protection, Data Protection Act 2018, enforcement, GDPR, Information Commissioner, monetary penalty notice

€9.5m GDPR fine to German telco for insecure customer authentication

Another post by me on the Mishcon de Reya website – federal telecoms regulator issues fine for Article 32 failings after callers could give customer name and d.o.b. and obtain further information.

Leave a comment

Filed under Data Protection, Europe, GDPR, monetary penalty notice

The Cost of Enforcement

I wrote recently, on the Mishcon de Reya Data Matters blog, about whether BA and Marriott might actually avoid the fines the Information Commissioner’s Office (ICO) intends to serve on them. In that piece, I said

one has no doubt whatsoever that BA and Marriott will have had lawyers working extensively and aggressively on challenging the notices of intent.

With that in mind, it is interesting to note that, in commentary on recent management accounts, the ICO warns that

Legal expenses…are tracking at much higher levels than budgeted and are expected to be adverse to budget for the full financial year

Indeed, the ICO’s legal spend for this year is forecast to be £2.65m, against a budget of £1.98m. These sound like large sums (and of course they are), but, compared with the likely legal budgets of BA, or Marriott, or indeed, many other of the huge companies whose processing is potentially subject to enforcement action by ICO, they are tiny. Any large controller faced with a huge fine will almost inevitably spend large sums in challenging the action.

Query whether ICO can, realistically, actually afford to levy fines at the level GDPR envisages?

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, enforcement, GDPR, Information Commissioner, monetary penalty notice

Whither the ICO fines for BA and Marriott?

I have a new post on the Mishcon de Reya website, asking what is happening regarding the notices of intent served some months ago on BA and Marriott Inc.

Leave a comment

Filed under Data Protection, GDPR, Information Commissioner, monetary penalty notice

Farrow & Ball lose appeal for non-payment of data protection fee

I have a new post on the Mishcon de Reya website, drawing attention to the first (and unsuccessful) attempt to appeal an ICO monetary penalty for failing to pay the statutory data protection fee.

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, monetary penalty notice