Cold call bosses could be forced to cough up under new rules
UK.gov stiffens law after El Reg reveals low fine recovery rate
The UK government is planning to make company directors personally liable for nuisance calls – two years after it first promised the powers to the data protection watchdog.
At the moment, the Information Commissioner's Office can only hand out fines to companies that make spam marketing calls. Under the new plan, announced today, it will have the power to hand out further fines of up to £500,000 to the directors themselves.
The ICO has long called for this power as it struggles to recover cash from nuisance call firms that can simply liquidate to avoid paying up. The move comes after The Register last week revealed the ICO has clawed back just £9.7m of the £17.8m fines it has handed out since 2010.
Most of the unpaid fines are for breaches of the Privacy and Electronic Communications Regulations (PECR), which is usually the law used to fine companies making bulk nuisance marketing texts and calls. Common examples of breaches are failing to get the right permissions from the people they call, or failing to check whether numbers are listed on the opt-out database, the Telephone Preference Service.
According to figures released under the Freedom of Information Act, just £2.2m of the £8.5m fines handed out under PECR were paid back, with many of the largest bills going unpaid. In contrast, £7.5m of the £9.3m handed out under the Data Protection Act (DPA) have been recovered.
For instance, Keurboom Communications, which was hit with a record fine of £400,000 (the maximum under PECR is £500,000*) in 2017, was in liquidation by the time the fine was announced, and has yet to pay any money back.
The same is true for ProDial and Your Money Rights – both of which dissolved without having paid back any of their £350,000 fines – while Media Tactics and CheckPoint Claims were dissolved after being handed fines of £270,000 and £250,000, respectively.
The government and ICO have noted that in some cases the Insolvency Service can disqualify people from acting as directors – but the aim of the latest move is to help fill the government's coffers and ensure that the fines retain their deterrent effect.
"Even if a disqualification order is placed on the director following a company's dissolution, the debt originally placed on the company would go unrecovered without further enforcement action," the government consultation document on the proposed changes stated.
"This unlawful procedure undermines the ICO's enforcement powers and constricts one of the ICO's funding streams."
The government consultation (PDF) – which offers up two options, the status quo or extra powers – runs until August. If the decision is made to change PECR, it will be implemented using a negative statutory instrument, meaning it automatically becomes law without debate in parliament unless either house objects. ®
* The stronger fines touted under the General Data Protection Regulation – which are set out in the UK's statute books in the form of the new Data Protection Act, at £17m or 4 per cent of global turnover – do not apply to PECR, where the max remains £500,000. The DPA also allows for company officers to be held personally liable for criminal offences – though not for non-criminal breaches.