Complaining about a PECR breach to the ICO, especially about an unwanted marketing communication, is quick and easy for the affected person. Meanwhile for an organisation at the sharp end of a complaint, the PECRs enforcement regime is not straightforward to untangle. In this blog, we outline the ICO’s specific enforcement regime when investigating breaches of the PECRs.
The Privacy and Electronic Communications Regulations (the “PECRs”) grant specific privacy rights relating to electronic communications, including routine business matters such as electronic marketing and the use of cookies. Different PECR offences can be disposed of by the Information Commissioner’s Office (the ICO) via different routes. These include, at the sharpest end, criminal prosecution and non-criminal monetary enforcement up to a maximum penalty of £500,000.
ICO enforcement has been fast to meet the changing landscape of electronic marketing, which is the main area of PECR enforcement. The ICO’s website shows that 91% of its enforcement actions over the last year related to PECR contraventions with fines in 2021 amounting to £3,268,000 (a combined total of 33 monetary penalty notices). This shows an upwards enforcement trend, given that only 11 monetary penalty notices were made by the ICO in 2020, amounting to fines of £1,266,000.
The PECRs sit alongside provisions from the Data Protection Act 1998 (“DPA 1998”), Data Protection Act 2018 (“DPA 2018”) and the UK GDPR. The PECRs’ enforcement regime is found in Part V of the DPA 1998, not the DPA 2018, despite the DPA 1998 being otherwise repealed in light of Brexit and to implement the provisions of the GDPR.
Part V of the DPA 1998 grants the ICO important investigative and enforcement powers when pursuing a data controller under the PECRs. Any organisation being investigated should also have regard to the current versions of the ICO’s Regulatory Action Policy and the PECR enforcement guidance in respect of monetary penalties. It should be noted that this policy and guidance are currently undergoing consultation and the proposals can be accessed on the ICO’s website. Organisations should also have regard to the ICO’s enforcement and monetary penalty notice guidance, also published on its website.
The ICO may use the following investigative tools, under its Part V DPA 1998 and policy regime:
The ICO’s Regulatory Action Policy clarifies that when considering whether to take action, the ICO will have regard to five objectives. Objective 2 emphasises the importance of proportionality and Objective 3 enables the ICO to promote compliance with the law through the promotion of good practice. It follows that some PECR breaches, where de minimis, may not result in hard-edged enforcement action.
A considerable number of PECR breaches do however result in enforcement action. The ICO’s track record shows its willingness to issue enforcement notices and/or significant monetary penalties in respect of PECR breaches, with ICO guidance noting the intrinsically intrusive nature of electronic communications for data subjects.
These are formal notices requiring organisations to take action to bring about compliance with the PECRs. Failure to comply with an enforcement notice is a criminal offence. Enforcement notices are likely to be issued in circumstances where organisations continue to breach the PECRs while under investigation.
Power to issue
Section 55A DPA 1998 grants the ICO the power to issue a monetary penalty in respect of a PECR contravention of up to £500,000. It will exercise this power if it is satisfied that:
In relation to seriousness, the ICO takes an objective approach, aiming to ensure that any harm is genuine and capable of explanation. A single breach may be sufficient but a high volume of breaches will more easily meet the “serious” threshold, under ICO guidance.
The ICO’s interpretations under its guidance of deliberate contraventions, and contraventions where organisations “knew or ought to have known” about the relevant risk, are objective and literal interpretations. On the latter, the test is the standard of care of a reasonably prudent person. A deliberate contravention means carrying out a deliberate act that contravenes PECR.
The ICO must serve a "notice of intent" on an organisation before serving a monetary penalty notice, giving the organisation an opportunity to make representations in favour of alternative enforcement action, or to vary the proposed sum payable. The ICO is required to consider any representations when deciding whether to serve a monetary penalty notice, and also has the power to vary or cancel monetary penalty notices.
Level of penalty
In determining the level of penalty, the ICO will seek to ensure that it is reasonable and proportionate in light of the offending conduct. Guidance sets out that the ICO will consider, non-exhaustively:
The ICO will seek to eliminate any financial benefit obtained through PECR breaches, so as to remove any unfair advantage over businesses that comply with PECR. Its monetary penalty notices for PECR breaches also stress that organisations should be aware of their responsibilities, given the high volume of ICO guidance and resources such as the ICO helpline, particularly in respect of direct marketing rules. Direct marketing organisations that fall foul of the rules may as a result face stricter enforcement.
The ICO will consider the organisation’s cooperation during the investigation, whether its non-compliance was intentional or wilful and whether the business or operating model is intrinsically unlawful. It will consider the organisation’s prior regulatory history and the manner in which the breach or issue became known to the ICO. The ICO will view more favourably organisations that cooperate at investigation stage, cease offending activities and ‘get their house in order’ regarding wider data protection compliance.
The ICO will also consider the organisation’s means and ability to pay a monetary penalty notice when setting the level of penalty.
In 2018, the PECRs were updated to grant the ICO the power to pursue directors and company officers personally with a monetary penalty for PECR breaches (again to a maximum of £500,000). The ICO may do so where the relevant contravention:
(a) took place with the consent or connivance of the officer; or
(b) was attributable to any neglect on the part of the officer.
The policy concern underpinning this change was the situation of offending organisations declaring bankruptcy to avoid paying the monetary penalty, and later opening new organisations under a different name with the same directors / officers. To date, however, there has not been an example of the ICO exercising this power. That is so even in circumstances where the conduct of the directors is criticised in the monetary penalty notice, or where the ICO highlights in the notice that a director/officer has been subject to previous investigation by the ICO.
January 2021 – December 2021
Nick De Mulder is a public law solicitor supporting clients with respect to a range of data protection issues. He advises on GDPR and Data Protection Act compliance, subject access requests (SARs), freedom of information issues and ICO investigations. Our data protection team includes lawyers with breadth and depth of experience with respect to regulatory investigation and enforcement, as well as criminal proceedings, where data protection legislation has been breached. Given the potential liabilities and penalties under the PECRs, any organisation facing an ICO investigation should seek specialist assistance.
Hawa Jogi joined Kingsley Napley in August 2021. She is currently a paralegal in the Public Law team and assists the partners and associates in the team on a broad range of matters. Prior to joining Kingsley Napley, Hawa worked as a legal assistant at an Australian law firm providing support in areas of employment and commercial legal matters.