The risk of large fines for businesses that breach data protection rules has never been higher. But data unearthed by one company suggests that many are avoiding paying up.
With the advent of GDPR, the potential for European regulators to issue large fines to organisations violating its terms increased dramatically – from a maximum of £500,000 in the UK pre-GDPR to €20 million or 4% of the past year’s global turnover post-Regulation for the most severe infringements.
Alongside the GDPR sits the Privacy and Electronic Communications Regulations (PECR), providing specific privacy rights in relation to electronic communications such as marketing calls, emails, texts and faxes. Under the PECR, the UK regulator, the Information Commissioner’s Office (ICO), can impose a fine of up to £500,000 against an organisation or its directors.
The potential for such sums to be levied on offenders could be construed as some pretty big teeth. But are those teeth somewhat blunted if a large chunk of fines goes uncollected? This is the contention of one Bristol-based company.
The SMS Works is an SMS API provider, providing tools for businesses to use SMS as part of their communication platform – largely for functions such as appointment reminders, delivery notifications, and some marketing as well.
For the last year, the company has been keeping tabs on ICO fine collection, compiling data via Freedom of Information requests and mapping the responses on to its own data – with some interesting reveals.
“We’re interested in finding out how much the ICO is fining, who they are fining and what for. But also, are they successful in collecting these fines? And the answer to the last part of that is: not very,” says Director Henry Cazalet.
According to the company’s data, from January 2019 to the end of August 2020, the ICO handed out 21 fines, totalling £3.2 million. But just nine of the 21 had been paid, amounting to just £1.03 million, or 32% of the fines issued.
Since 2015, the greatest number of fines was issued for data breaches (113), followed by nuisance calls (63), SMS spam (34), then email spam (14).
But, in The SMS Works’ data for the period between 1 January 2019 and 31 August 2020, fines issued for nuisance calls were the least likely to be paid, with 13 fines collected, while fines for data breaches were the most likely, with 54 collected.
Cazalet contends that there were two general patterns identifiable in the data collected by his company. One is that the bigger the brand, the more likely it is to pay. The other is that for smaller organisations – outside of “household name” brands – the larger the fine, the less likely the company is to come up with the goods.
The SMS Works says that since 2015, 21 fines of between £250,000 and £500,000 have been handed out – but only eight have been paid. The eight paid-up companies include the likes of Equifax, Facebook and TalkTalk. But that leaves £4.55 million in uncollected fines.
So how are companies avoiding paying fines? Cazalet has a theory.
He says: “If you take the smaller companies, the larger that fine is, the more likely they are just to go: Nah, I’m folding.”
“That happens time and time again. If you want to avoid paying your fine, you just collapse your business. If the fine is that large that you think we’re either unwilling or unable to pay this, there have historically been ways of wriggling out of your fine,” he explains.
Legislation came into force in December 2018 allowing the ICO to make company directors and other officers personally liable for fines arising from illegal marketing.
But Cazalet alleges that this has not had a significant impact on the collection of fines.
He says: “We had a look at all the fines that had been handed out since January 2019 and found out that you look at the individual cases, and people are still finding ways of wriggling out through personal insolvency and just avoiding ways of paying, basically.”
The SMS Works’ report describes the process of “phoenixing”, where companies switch to another identity and then simply carry on the same business, or even use false company names.
In a statement, an ICO spokesperson said: “Many nuisance call companies fined under Privacy and Electronic Communications Regulations go into liquidation. While in some respects, a firm going into liquidation marks a frustrating end to our investigations, it’s worth noting that when nuisance call companies go out of business, they stop making calls. And that’s a successful outcome.”
The ICO has a Financial Recovery Unit, which works to recover assets from all companies engaging in fine avoidance. Its methods include serving statutory demands, obtaining court orders for recovery, and petitioning for the winding up of companies or the bankruptcy of individuals. It also nominates insolvency practitioners, whose investigations can result in personal claims against directors, and works closely with the Insolvency Service, supporting action to disqualify the “worst offenders” from running companies in the future.
According to an ICO spokesperson, since January 2019, alongside the nine paid fines, seven are in the process of being recovered and five are under appeal.
“Organisations have the right to appeal any regulatory action issued by the ICO and this can delay payment of a fine,” the spokesperson said.
“Over the same period 16 directors have been disqualified for 94 years and a sole trader also signed a Bankruptcy Restriction Undertaking for six years in connection with ICO fines.”
But, Cazalet and The SMS Works have another theory – that perhaps the size of the fines is to blame.
“Of course, if you fine someone £100,000, that’s a huge amount of money. And if you fine someone £10,000, that’s a different magnitude; it sort of feels more realistic. Our hypothesis is that perhaps the ICO would be better off fining less and collecting more of it.”