The Privacy and Electronic Regulations (Amendment) 2018 – in force from 17 December 2018 – ICO power to fine officers up to £500,000
While GDPR arrived in a wave of heightened public awareness, it is important to remember that there is a framework of other regulations that work in conjunction with it. Non-compliance with these other privacy-related laws could also lead to monetary and reputational damage. The amended regulations are not being introduced with a fanfare, mass emails and potential panic, but could have considerable financial consequences as they increase the powers of the Information Commissioner (ICO) to include the ability to fine officers of companies.
The Privacy and Electronic Communications Regulations (Amendment) 2018 (ePrivacy Regulations) have been issued and come into force on 17 December 2018. They amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010, and are intended to ensure that the regime covering breaches is “effective, proportionate and dissuasive” in accordance with the criteria outlined in the PECR.
The PECR prohibits companies from transmitting unsolicited electronic communications to consumers for the purposes of direct marketing, by way of telephone, SMS and e-mail, unless the individual has given their prior consent to receive such communications, or if the sender can demonstrate an existing commercial relationship with the recipient.
One of the most frequent areas where the ICO undertakes enforcement action is in relation to breaches of the PECR. Under the current regime, the ICO is able to issue Monetary Penalty Notices (up to a maximum of £500,000) to data controllers who fail to comply with the requirements of PECR; however, when a company is served with a monetary penalty notice for breaching PECR, it is not uncommon for the company to close and for a new company to be created with the same people undertaking the same activities, meaning that the penalty goes unpaid.
The ePrivacy Regulations broaden the scope of monetary penalties that can be imposed by the ICO, who will also now have the power to fine an “officer” of a body up to £500,000, in addition to the body corporate (or Scottish partnership) itself where there has been a serious breach of regulations 19–24 (automated calling and unsolicited direct marketing) of the 2003 Regulations, and where the breach is caused by the action or inaction of an officer. An officer of the body is defined as, in relation to a body corporate, “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or where the affairs of the body are managed by its members, a member”; and in relation to a Scottish partnership, “a partner or any person purporting to act as a partner.” The liability will arise where the director has consented to or connived in the breach, or if that breach is attributable to their neglect, and the ICO must also serve a monetary penalty notice on the controller. It will be interesting to see how and when the ICO uses this new power.
In the meantime, law firms should review their policies and procedures to ensure compliance and check they have adequate D&O (directors' and officers') / management liability insurance cover in place.
Compli provides you with full support on all risk, compliance and regulatory issues, all with the benefit of legal professional privilege, together with a suite of e-learning courses. If you have any queries on these changes or wish to discuss how Compli can help take the strain, call us on 0345 070 1047 or complete the form below.