Can't pay Information Commissioner's fine? No problem! Just liquidate your firm

UK data protection watchdog has a 54% cash recovery rate

The UK's data protection watchdog has recovered only about half the value of fines doled out to dodgy data controllers, and those handed to spam marketing firms are the most likely to remain unpaid.

According to figures released under the Freedom of Information Act, the Information Commissioner's Office has fined companies breaking data protection and marketing laws some £17.8m since 2010 – but just £9.7m has made its way into government coffers, a 54 per cent recovery rate.

The ICO can issue fines to organisations that it finds to be in breach of either the UK's Data Protection Act (DPA) or the Privacy and Electronic Communications Regulations (PECR), which govern marketing emails and calls.

The money is paid into the Treasury's Consolidated Fund (it does not feather the ICO's nest).

Broadly speaking, firms making millions of automated nuisance calls are mostly found to be in breach of PECR, while authorities that lose DVDs full of confidential information, or firms that leave themselves open to hacks, will get slapped with fines under the DPA.

Fines under the DPA tend to be higher than for PECR – the respective modes are £70,000 and £50,000, the median values £85,000 and £75,000.

But the highest fine given out under both is £400,000. The body can dish out a maximum penalty of £500,000, although this will increase to 4 per cent of global turnover or €20m under the General Data Protection Regulation (GDPR).

However, the results of the FOI throw the deterrent effect of these larger fines into question.

The requests – submitted by The Register and reader Robert Rijkhoff, who has a long-running campaign against junk mail – asked the ICO how many of the data controllers issued with fines between 2010 and April 2018 have paid up, in full or in part. It was based on the publicly available list of civil monetary penalties on the ICO's website (downloads CSV).

It revealed that some 43 of the 174 data controllers fined during that period have paid back half or less of their fines, and 38 of these have paid back nothing.

Just 14 paid back the full amount, with a further 115 taking advantage of the ICO's early-bird payment discount, where they get 20 per cent off for paying within 28 days. One controller has paid 81 per cent; another, 83.3 per cent.

Most of the unpaid fines were issued for breaches of PECR. Of the 84 fines issued under these rules, which had a total value of £8.5m, about half have not paid more than 80 per cent of the headline fine.

Of the baker's dozen of companies handed a fine of £200,000 or more under these rules, just one has paid a substantial amount: Newday Ltd, which paid 80 per cent of its £230,000 fine this year.

In contrast, of the 90 DPA fines issued, which came to a total of £9.3m, all but three have been paid, with most of those that handed over the cash doing so within 28 days of being handed the fine.

Big fine? Businesses go Keurboom!

The ICO emphasised that there are a number of reasons for controllers not paying the full fines – an appeal can delay, negate or drop the cost. Christopher Niebel successfully appealed a £300,000 fine in October 2013. Moreover, some organisations choose to pay back in instalments, meaning the exact figures can change regularly.

But the figures clearly show a low recovery rate that goes beyond this, at the heart of which is a problem that has plagued the ICO for years. When faced with a big-bucks fine, some companies will simply choose to go into liquidation to avoid paying out.

This is particularly true of the nuisance call companies that tend to be fined under PECR. Keurboom Communications, which was fined £400,000 in 2017 for making 99.5 million nuisance calls, was in liquidation by the time the fine was announced.

Similarly, after Your Money Rights was fined £350,000 in 2017, the directors immediately sought to dissolve the firm and the fine remains unpaid, while ProDial Ltd was already seeking liquidation when the ICO formally handed down a £350,000 fine in 2016.

And Media Tactics appointed a liquidator in October last year after receiving a £270,000 fine six months earlier. Check Point Claims, which was fined £250,000 in 2016, was dissolved last year.

Neil Brown, tech lawyer at decoded:Legal, said that it was "no particular surprise that the recovery rate is low", especially given the commissioner's public acknowledgment that directors often liquidate their firm and restart under a new name.

ICO calls for director liability

In a bid to tackle this, the ICO has repeatedly asked for powers to hold directors of companies directly liable – something that the government promised the office back in 2016, but is yet to transpire.

"We welcomed the announcement by government in 2016 of a planned change in law to make directors themselves responsible for nuisance marketing," Elizabeth Denham said in a statement sent to The Register about the figures.

"It should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails. We hope the law change will come to fruition soon to increase the tools we have to protect the public from this modern menace."

We asked the Department for Digital, Culture, Media and Sport if the plans were still on the table, but it did not give a direct answer, instead saying it was "committed to working with regulators to make sure firm directors are held to account if they breach the rules and will be announcing further detail shortly".

In its FOI response to The Register, the ICO noted that it "will usually attempt to recover assets", including by working with other regulators or the government to take enforcement action against directors.

This includes banning them from acting as a director of another company – an option used this year in the cases of Leah Kimberley Masters, director of Cold Call Elimination (fined £75,000 in 2015), and Tony Ray Abbott, director of Reactive Media Ltd, which was fined £50,000 in 2014.

However, the fact that data controllers still escape without paying the fine arguably undermines the ICO's powers to hand out fines – a point that has drawn more attention in light of the increased fines it can wield under the GDPR.

"Although fines are just one of the mechanisms available to the ICO to encourage compliance with the data protection framework, if they can be dodged easily, they lose their deterrent value," Brown said.

"You can understand why the ICO has been pushing for directors to be personally liable." ®
