The ICO’s Enforcement of the PECRs – what powers are at its disposal?

29 March 2022

Complaining about a PECR breach to the ICO, especially about an unwanted marketing communication, is quick and easy for the affected person. Meanwhile, for an organisation at the sharp end of a complaint, the PECR enforcement regime is not straightforward to untangle. In this blog, we outline the ICO’s specific enforcement regime when investigating breaches of the PECRs.

The Privacy and Electronic Communications Regulations (the “PECRs”) grant specific privacy rights relating to electronic communications, including routine business matters such as electronic marketing and the use of cookies. Different PECR offences can be disposed of by the Information Commissioner’s Office (the ICO) via different routes. These include, at the sharpest end, criminal prosecution and non-criminal monetary enforcement up to a maximum penalty of £500,000.

ICO enforcement has been quick to respond to the changing landscape of electronic marketing, which is the main area of PECR enforcement. The ICO’s website shows that 91% of its enforcement actions over the last year related to PECR contraventions, with fines in 2021 amounting to £3,268,000 (a combined total of 33 monetary penalty notices).[1] This shows an upward enforcement trend, given that only 11 monetary penalty notices were issued by the ICO in 2020, amounting to fines of £1,266,000.

Legal basis for enforcement

The PECRs sit alongside provisions from the Data Protection Act 1998 (“DPA 1998”), Data Protection Act 2018 (“DPA 2018”) and the UK GDPR. The PECRs’ enforcement regime is found in Part V of the DPA 1998, not the DPA 2018, despite the DPA 1998 being otherwise repealed in light of Brexit and to implement the provisions of the GDPR.

Part V of the DPA 1998 grants the ICO important investigative and enforcement powers when pursuing a data controller under the PECRs. Any organisation being investigated should also have regard to the current versions of the ICO’s Regulatory Action Policy[2] and the PECR enforcement guidance in respect of monetary penalties[3]. It should be noted that this policy and guidance are currently undergoing consultation, and the proposals can be accessed on the ICO’s website[4] [5]. Organisations should also have regard to the ICO’s enforcement and monetary penalty notice guidance, also published on its website.


Investigative tools

The ICO may use the following investigative tools, under its Part V DPA 1998 and policy regime:

  1. Requests for information and information notices: The ICO’s usual policy is first to make a voluntary request for information from the investigated organisation, specifying the information requested and the deadline for responding. If the organisation does not comply, the ICO may move to a compulsory information notice under the DPA 1998. Failure to comply with an information notice makes an organisation liable to pay a monetary penalty. It is also a criminal offence knowingly or recklessly to make a statement that is false in a material respect in response to an ICO information notice.
  2. Audits: The ICO can conduct audits of organisations, the primary objective being to ensure that organisations have appropriate measures in place to operate in compliance with the PECRs. Again, the ICO will aim to seek the organisation’s consent to a ‘voluntary’ audit and, if consent is not given, may exercise its powers to conduct a compulsory audit. It should be noted that the ICO does not have the power to conduct compulsory interviews in connection with PECR breaches.
  3. Warrant to search premises: The ICO has the power to apply to court for a warrant to search premises in the course of a PECR investigation. The exercise of this power is reserved for extreme circumstances of non-compliance with the PECRs, or for situations where there is a risk of evidence being destroyed before the ICO can exercise its other powers. In granting a warrant, the judge will need to be satisfied that there are reasonable grounds for suspecting that non-compliance is occurring and that evidence of that non-compliance is to be found on the relevant premises.


Enforcement powers

The ICO’s Regulatory Action Policy clarifies that, when considering whether to take action, the ICO will have regard to five objectives. Objective 2 emphasises the importance of proportionality, and Objective 3 enables the ICO to promote compliance with the law through the promotion of good practice. It follows that some PECR breaches, where de minimis, may not result in hard-edged enforcement action.

A considerable number of PECR breaches do however result in enforcement action. The ICO’s track record shows its willingness to issue enforcement notices and/or significant monetary penalties in respect of PECR breaches, with ICO guidance noting the intrinsically intrusive nature of electronic communications for data subjects.


Enforcement notices

These are formal notices requiring organisations to take action to bring about compliance with the PECRs. Failure to comply with an enforcement notice is a criminal offence. Enforcement notices are likely to be issued in circumstances where organisations continue to breach the PECRs while under investigation.


Monetary penalties

Power to issue

Section 55A DPA 1998 grants the ICO the power to issue a monetary penalty in respect of a PECR contravention of up to £500,000. It will exercise this power if it is satisfied that:

  1. There has been a serious contravention of PECR; and
  2. Either:
    1. the contravention was deliberate; or
    2. the data controller knew (or ought to have known) that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent it.

In relation to seriousness, the ICO takes an objective approach, aiming to ensure that any harm is genuine and capable of explanation. A single breach may be sufficient but a high volume of breaches will more easily meet the “serious” threshold, under ICO guidance.

The ICO’s interpretations under its guidance of deliberate contraventions, and contraventions where organisations “knew or ought to have known” about the relevant risk, are objective and literal interpretations. On the latter, the test is the standard of care of a reasonably prudent person. A deliberate contravention means carrying out a deliberate act that contravenes PECR.

The ICO must serve a "notice of intent" on an organisation before serving a monetary penalty notice, giving the organisation an opportunity to make representations in favour of alternative enforcement action, or to vary the proposed sum payable. The ICO is required to consider any representations when deciding whether to serve a monetary penalty notice, and also has the power to vary or cancel monetary penalty notices.

Level of penalty

In determining the level of penalty, the ICO will seek to ensure that it is reasonable and proportionate in light of the offending conduct. Guidance sets out that the ICO will consider, non-exhaustively:

  1. The nature and effect of the contravention.
  2. Behavioural issues, such as data protection processes, and whether there has been co-operation with the ICO investigation.
  3. The impact of the penalty on the organisation.

The ICO will seek to eliminate any financial benefit obtained through PECR breaches, so that non-compliant organisations gain no unfair advantage over businesses that comply with the PECRs. Its monetary penalty notices for PECR breaches also stress that organisations should be aware of their responsibilities, given the high volume of ICO guidance and resources such as the ICO helpline, particularly in respect of the direct marketing rules[6]. Direct marketing organisations that fall foul of the rules may, as a result, face stricter enforcement.

The ICO will consider the organisation’s cooperation during the investigation, whether its non-compliance was intentional or wilful and whether the business or operating model is intrinsically unlawful. It will consider the organisation’s prior regulatory history and the manner in which the breach or issue became known to the ICO. The ICO will view more favourably organisations that cooperate at investigation stage, cease offending activities and ‘get their house in order’ regarding wider data protection compliance.

The ICO will also consider the organisation’s means and ability to pay a monetary penalty notice when setting the level of penalty.


Personal liability for directors/officers

In 2018, the PECRs were updated to grant the ICO the power to pursue directors and company officers personally with a monetary penalty for PECR breaches (again to a maximum of £500,000). The ICO may do so where the relevant contravention:

(a) took place with the consent or connivance of the officer; or

(b) was attributable to any neglect on the part of the officer.

The policy concern underpinning this change was the situation of offending organisations declaring bankruptcy to avoid paying the monetary penalty and later opening new organisations under a different name with the same directors/officers. To date, however, there has not been an example of the ICO exercising this power. That is so even in circumstances where the conduct of the directors is criticised in the monetary penalty notice, or where the ICO highlights in the notice that a director/officer has been subject to previous investigation by the ICO.


Notes / References

FURTHER INFORMATION

If you have any questions or concerns about the topics raised in this blog, please contact Nick De Mulder, or any member of our Public Law team.


ABOUT THE AUTHORS

Nick De Mulder is a public law solicitor supporting clients with respect to a range of data protection issues. He advises on GDPR and Data Protection Act compliance, subject access requests (SARs), freedom of information issues and ICO investigations. Our data protection team includes lawyers with breadth and depth of experience with respect to regulatory investigation and enforcement, as well as criminal proceedings, where data protection legislation has been breached. Given the potential liabilities and penalties under the PECRs, any organisation facing an ICO investigation should seek specialist assistance.

Hawa Jogi joined Kingsley Napley in August 2021. She is currently a paralegal in the Public Law team and assists the partners and associates in the team on a broad range of matters. Prior to joining Kingsley Napley, Hawa worked as a legal assistant at an Australian law firm providing support in areas of employment and commercial legal matters.
