Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...
By George Lynch
The U.K. privacy office has levied significant fines, in number and size, in 2017 for data-related violations, putting it on pace to set an enforcement record in monetary penalties by the year’s end.
The increase in the U.K. Information Commissioner’s Office (ICO) monetary-penalty activity may be a sign that it is prepared to take advantage of the much larger fines available under the new European Union privacy regime coming in May 2018. The increase in the frequency and size of fines may raise compliance risk concerns for companies doing business in the U.K., particularly ones engaged in telemarketing.
The ICO confirmed that it has issued a total of 2.59 million pounds ($3.38 million) in monetary penalty notice fines through the first six months of 2017, well ahead of the pace set in 2016, when the office issued 3.25 million pounds ($4.25 million) in fines for the entire year, according to data compiled by PriceWaterHouseCoopers LLP.
Fines are getting bigger and more frequent. The ICO has already issued 15 fines of more than 100,000 pounds ($130,243) in the first half of 2017, compared to 12 fines over that amount for all of 2016. In May, the ICO issued its largest-ever monetary penalty for unlawful telemarketing when it fined Keurboom Communications Ltd 400,000 pounds ($522,244) for authorizing nearly 100 million robocalls.
The increased enforcement penalties could be a natural outgrowth of the expanding digital economy. Emma Flett, partner at Kirkland & Ellis LLP in London, told Bloomberg BNA that “the trend of larger, more frequent fines is only to be expected in the digital age in which we now work and play.”
But the ICO could also be signaling its readiness to levy stronger penalties in advance of the availability of massive fines under the EU’s new General Data Protection Regulation, privacy attorneys told Bloomberg BNA.
Privacy regulators such as the ICO are becoming “more savvy in how they use their enforcement powers to punish companies where it hurts—their profits,” Anita Bapat, a European data protection associate at Hunton & Williams LLP in London, told Bloomberg BNA.
The ICO’s enforcement priorities are important for companies facing dramatic regulatory changes with the GDPR. The EU regulation’s maximum fines—20 million euros ($22.4 million) or up to 4 percent of a company’s global annual revenue—have made many companies nervous.
The steady increase in penalties issued by the ICO may indicate support of the implied strategy behind the GDPR—that the deterrent of large fines is the only way to ensure that organizations comply with data protections laws, Bapat said. With the GDPR’s effective date approaching, the ICO may be signaling “that it is willing and ready to impose substantial fines when it is able to next May,” Bapat said.
Victoria Hordern, privacy counsel at Hogan Lovells LLP in London, told Bloomberg BNA that, “It may be that the new status and powers that data protection authorities will get under the GDPR has also influenced the ICO’s enforcement strategy.”
The ICO announced in its Information Rights Strategic Plan 2017-2021 that it would prioritize Privacy and Electronic Communications Regulations (PECR) enforcement against commercial calls, texts, and emails. The fines record bears that out.
Hordern said there has definitely been an “uptick” in fines levied under PECR against unlawful electronic marketing messages.
The ICO issued PECR fines of 2.05 million pounds ($2.68 million) in 2016. For the first six months of 2017, the ICO has levied PECR fines of 1.49 million pounds ($1.95 million), putting it on track for a nearly 50-percent increase in PECR fines this year.
Fines issued pursuant to the Data Privacy Act 1988 (DPA), the U.K.'s primary personal data privacy law, are also growing. DPA fines totaled 1.19 million pounds ($1.56 million) in 2016 and have already reached 1.09 million pounds ($1.42 million) in the first six months of 2017.
The scope of DPA enforcement action is expanding too, as the ICO has used the law to attack unlawful telemarketing. It is also pursuing enforcement actions under the DPA for incidents beyond data breaches, Hordern said, and is scrutinizing the improper use of “data list brokers.”
In February, the ICO fined the Data Supply Company Ltd for selling hundreds of thousands of records containing personal information to a data broker that ultimately resulted in thousands of spam texts being sent to those individuals.
To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)