U.K. Privacy Fines Jump May Signal Move to New EU Regime

By George Lynch

The U.K. privacy office has levied significant fines, in number and size, in 2017 for data-related violations, putting it on pace to set an enforcement record in monetary penalties by the year’s end.

The increase in the U.K. Information Commissioner’s Office (ICO) monetary-penalty activity may be a sign that it is prepared to take advantage of the much larger fines available under the new European Union privacy regime coming in May 2018. The increase in the frequency and size of fines may raise compliance risk concerns for companies doing business in the U.K., particularly ones engaged in telemarketing.

The ICO confirmed that it has issued a total of 2.59 million pounds ($3.38 million) in monetary penalty notice fines through the first six months of 2017, well ahead of the pace set in 2016, when the office issued 3.25 million pounds ($4.25 million) in fines for the entire year, according to data compiled by PricewaterhouseCoopers LLP.

Fines are getting bigger and more frequent. The ICO has already issued 15 fines of more than 100,000 pounds ($130,243) in the first half of 2017, compared to 12 fines over that amount for all of 2016. In May, the ICO issued its largest-ever monetary penalty for unlawful telemarketing when it fined Keurboom Communications Ltd 400,000 pounds ($522,244) for authorizing nearly 100 million robocalls.

The increased enforcement penalties could be a natural outgrowth of the expanding digital economy. Emma Flett, partner at Kirkland & Ellis LLP in London, told Bloomberg BNA that “the trend of larger, more frequent fines is only to be expected in the digital age in which we now work and play.”

But the ICO could also be signaling its readiness to levy stronger penalties in advance of the availability of massive fines under the EU’s new General Data Protection Regulation, privacy attorneys told Bloomberg BNA.

Privacy regulators such as the ICO are becoming “more savvy in how they use their enforcement powers to punish companies where it hurts—their profits,” Anita Bapat, a European data protection associate at Hunton & Williams LLP in London, told Bloomberg BNA.

EU Privacy Regime Changes

The ICO’s enforcement priorities are important for companies facing dramatic regulatory changes with the GDPR. The EU regulation’s maximum fines—20 million euros ($22.4 million) or up to 4 percent of a company’s global annual revenue—have made many companies nervous.

The steady increase in penalties issued by the ICO may indicate support of the implied strategy behind the GDPR—that the deterrent of large fines is the only way to ensure that organizations comply with data protection laws, Bapat said. With the GDPR’s effective date approaching, the ICO may be signaling “that it is willing and ready to impose substantial fines when it is able to next May,” Bapat said.

Victoria Hordern, privacy counsel at Hogan Lovells LLP in London, told Bloomberg BNA that, “It may be that the new status and powers that data protection authorities will get under the GDPR has also influenced the ICO’s enforcement strategy.”

Targeting Telemarketing

The ICO announced in its Information Rights Strategic Plan 2017-2021 that it would prioritize Privacy and Electronic Communications Regulations (PECR) enforcement against commercial calls, texts, and emails. The fines record bears that out.

Hordern said there has definitely been an “uptick” in fines levied under PECR against unlawful electronic marketing messages.

The ICO issued PECR fines of 2.05 million pounds ($2.68 million) in 2016. For the first six months of 2017, the ICO has levied PECR fines of 1.49 million pounds ($1.95 million), putting it on track for a nearly 50-percent increase in PECR fines this year.

Fines issued pursuant to the Data Privacy Act 1988 (DPA), the U.K.'s primary personal data privacy law, are also growing. DPA fines totaled 1.19 million pounds ($1.56 million) in 2016 and have already reached 1.09 million pounds ($1.42 million) in the first six months of 2017.

The scope of DPA enforcement action is expanding too, as the ICO has used the law to attack unlawful telemarketing. It is also pursuing enforcement actions under the DPA for incidents beyond data breaches, Hordern said, and is scrutinizing the improper use of “data list brokers.”

In February, the ICO fined the Data Supply Company Ltd for selling hundreds of thousands of records containing personal information to a data broker that ultimately resulted in thousands of spam texts being sent to those individuals.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.