The Information Commissioner’s Office (ICO) has just announced that it has served a fine (strictly, a monetary penalty notice) of £80,000, under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), on a company which sent a large number of particularly tasteless SMSs during the pandemic, of this sort
“Get Debt FREE during the Lockdown! Write off 95% of ALL DEBTS with ALL charges and fees FROZEN. Government backed. Click [here] Stop 2optout”
(In passing, I’m rather surprised the ICO’s announcement gave hyperlinks to the offending, albeit broken, URLs.)
In that accompanying announcement, the ICO’s Head of Investigations is quoted as saying
The company director failed to cooperate with our investigations through concealing his identity by using false company details on his websites; changing the wording on the text messages; and, changing his company’s registered address after becoming aware of our investigation.
and we are told that the director
tried to evade the ICO investigations with different tactics since 2019, but investigators were determined to bring this company to account for plaguing people’s lives with thousands of spam messages
What is interesting in this context is that the ICO’s powers to issue fines for serious contraventions were added to, in 2018, to allow them also to fine company directors themselves (where the contravention was with the consent of connivance of the director, or attributable to any neglect on their part).
I asked the ICO if they had a comment on why no director fine was issued here, but they only wished to say
The action we have taken is proportionate and appropriate in the circumstances of this case.
This is fair enough: there may be facts which are not public, and I don’t criticise what is a sound piece of enforcement against unlawful marketing communications.
However, as far as I am aware, since the ICO acquired the powers to fine directors (and similar officers) under PECR they have not exercised those powers once. This is odd – they had long lobbied for the powers, and when the change in the law was being proposed, the then Commissioner Elizabeth Denham told The Register “It should have a real deterrent effect”. Maybe there are legal issues with actually ascribing liability to directors, or practical issues with tracking and pinning them down to try to enforce against them. If so, and if the 2018 change in the law has not had that “real deterrent effect”, is the ICO letting government know?
The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.