Where's the money, Lebowski?! UK data watchdog says £7m in fines unpaid since 2015

The UK's data watchdog has confirmed it failed to collect up to £7m worth of fines dished out in the past four years.

Since 2015, the Information Commissioner's Office (ICO) has issued 152 penalties totalling £16.6m, of which 47 remain unpaid, according to Freedom of Information responses issued to SMS API company The SMS Works.

The claims management industry was the worst, receiving a total of £3.2m in fines since 2015 mainly due to nuisance calls. However, just £490,000 has so far been collected.

The largest outstanding amount is an unpaid £400,000 fine to Keurboom Communications, a company behind 99.5 million nuisance calls in 2017.

Financial punishment for data breaches have had the greatest success rate, with 85 per cent accounted for.

Research from The SMS Works previously found that 50.9 per cent of ICO fines were for data breaches, with nuisance calls accounting for 27 per cent and SMS and email spam making up the remaining 22 per cent.

The public sector was responsible for the highest number of data breach fines in the latest report, with a total of 60 handed out.

An ICO spokesperson pointed out that not all these fines may fall under the same legislation.

For example, companies found guilty of unsolicited marketing by phone, fax, email, text or other electronic message would have to pay a fine under the Privacy and Electronic Communications Regulations (PECR), which still has a maximum fine of £500,000.

So depending on the nature of the infringement, it could either fall under the Data Protection Act 1998, Data Protection Act 2018, the General Data Protection Regulation (GDPR) or PECR.

The ICO added: "We actively exercise our rights as a creditor to appoint professional insolvency practitioners, and work closely with the Insolvency Service in these cases, to not only seek to recover the money owed to the taxpayer but also to support action to disqualify the worst offenders from running companies in the future.

"Some nuisance call directors liquidate their firms to avoid paying fines from the ICO. In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails."

Under the UK's Data Protection Act, the maximum fine the ICO could impose for data breaches was £500,000. But since the EU's GDPR came into force on 25 May last year, companies are now liable to a penalty of up to 4 per cent of turnover.

Under GDPR, British Airways is facing a record fine of £183m for last year's data leakage (1.5 per cent of its turnover), and hotel chain Marriott could be stung for £99m (3 per cent). ®