Whilst there must be few businesses in the UK who remain oblivious to the changes in data protection laws that arrived on 25 May 2018, the existing laws on direct marketing set out in the Privacy and Electronic Communications (EC Directive) Regulations 2003 (also known as PECR) have been overlooked by many in the mad rush to become "GDPR compliant". Now an amendment to PECR has come into force on 17 December 2018 and appears similarly to have gone largely unnoticed. This amendment gives the ICO the power to fine officers personally for breaches of the rules regarding electronic marketing. It's unlikely to be long before the ICO wields its new powers to tackle directors trying to dodge the fines.
PECR have been in force for a number of years and set out the rules for unsolicited direct marketing by electronic means (eg. email, text). These need to be complied with alongside the GDPR. Whilst in the run up to 25 May, the ICO warned businesses not to flout one law to get ready for another, its advice was unheeded by many. Inboxes across the UK have been inundated with requests for "opt in" consent for marketing communications sometimes in breach of PECR and there continues to be a high volume of nuisance calls and messages being reported to the ICO. Ofcom alone estimates that British consumers received 3.9 billion nuisance phone calls and texts last year.
The ICO has the power to fine companies up to £500,000 for serious breaches of PECR but it has faced difficulties in recovering these fines with a recovery rate of just over 50% of fines issued since 2010, being reported. The ICO has for a long time been concerned about directors who flagrantly flout the direct marketing laws and then dissolve or liquidate their company to avoid paying the fine. Some of these directors are then setting up again under a different name ( a practice known as 'phoenixing'). The Privacy and Electronic Communications (Amendment) Regulations 2018 amend PECR giving the Information Commissioner the ability to go after officers as well as companies for breaches of regulations 19-24 (automated calls and direct marketing) to try and address those intent on dodging the fines. This may catch the negligent as well as the intentionally in breach.
The Information Commissioner will now be able to issue a monetary penalty to an officer of a company, or even multiple officers from the same legal entity, as well as to the company for breaches of regulations 19-24 where:
- a monetary penalty has been issued to the company for the same offence; and
- the Commissioner is satisfied that the breach of PECR "took place with the consent or connivance of the officer" or was "attributable to any neglect on the part of the officer".
The changes are intended to make directors take direct marketing laws seriously and ensure that the penalties are "effective, proportionate and dissuasive" as required under PECR. Only time will tell whether it has any effect or whether those intent on flouting the laws will continue to do so. Given that the new powers have come in with little fanfare, some directors may learn the hard way before we see any change in the level of nuisance calls and unwanted marketing communications.