UK: Personal liability for PECR regulatory fines proposed in Government consultation

On 30 May the Department for Digital, Culture, Media & Sport in the United Kingdom launched a consultation on the functioning of the current regime for holding to account company directors, those holding similar positions in corporate bodies / unincorporated associations, and members of partnerships for breaches of the Privacy and Electronic Communication Regulations 2003 (PECR).


PECR sits alongside the Data Protection Act 2018 and the GDPR and provide data subjects with specific privacy rights in relation to electronic communications.

There are specific rules on:

• marketing calls, emails, texts and faxes;
• cookies (and similar technologies);
• keeping communications services secure; and
• customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

The proposals follow the Government’s amendments to PECR in April 2015, which lowered the threshold at which the Information Commissioner’s Office (ICO) can take action against companies that are in contravention of these rules. As a consequence of this change, the ICO is now empowered to issue civil penalties of up to £500,000.

Irrespective of the value of such penalties, experience to date shows that such fines may not be recovered in their entirety. The ICO indicated last week that it had recovered just over half (54 per cent) of the £17.8 million in fines issued for nuisance calls since 2010, with in many instances companies entering insolvency to avoid substantial penalties.

Given the ICO has recently publicised that in 2017 almost 130,000 complaints were received from those who had received nuisance calls, texts, or other electronic marketing messages, it is perhaps unsurprising that legislative change may be on the horizon in order to provide a more robust deterrent.

As it stands, only businesses responsible for such unlawful marketing are liable for fines, and in respect of fines levied against companies, in some instances directors have sought to escape paying penalties by placing the responsible company into liquidation – only to open up again under a different name, a process known as “phoenixing”.

The Insolvency Service already has the power to disqualify directors from boardroom positions and indeed on eight occasions since 2012 disqualification proceedings have been taken in respect of, or in relation to, ICO monetary penalties.

Most recently, in December 2017 a director of a marketing company agreed to a disqualification undertaking for a period of 12 years after what the Insolvency Service described as having “flagrantly breached his duties to regulators and company creditors over an extended period”. The proceedings followed the failure of the firm to comply with a £75,000 fine levied by the ICO for non-compliance with PECR.

While failure to adhere to disqualification orders could lead to a prison sentence, the Government proposals being consulted on will provide the ICO with the powers it needs to hold officers personally and directly responsible for fines of up to £500,000 under PECR.

Proposals for change

The consultation seeks opinion on two proposals – namely:

(a) relying on existing provisions currently available i.e. directors disqualification as a deterrent.

This would effectively maintain the status quo – with disqualification proceedings under existing legislation and fines and custodial sanctions for failure to adhere to the terms of any disqualification.

(b) introducing financial penalties for directors of companies in breach of nuisance calls rules under PECR.

The legislative changes would also allow the ICO to hold directors to account even in cases where the company is put into liquidation. The ICO would also be able to take action against those no longer in senior positions (for example through resignation), as long as they were a director at the relevant time of the breach. These steps are viewed as making it harder for the individual who has breached the law to set up a new company and carry out similar activities. This measure would operate alongside the existing disqualification provisions.

The ICO would be able to use its discretion to determine the appropriate enforcement action to take in any case. Such action could include the following possible steps:

● More than one director or partner could be issued with a civil penalty;
● The company and or director(s)/partner(s) could be issued with a civil penalty;
● The company directors could potentially face disqualification if they failed to comply with an enforcement notice

Any enforcement action taken by the ICO would be based on the seriousness of the contravention and other aggravating and mitigating factors. Those found in breach of the rules, could make an appeal through the first-tier information tribunal within 28 calendar days of receiving a decision notice from the ICO.

The consultation period runs until 21 August 2018 and the full consultation document is available here.