ICO issues second £400,000 fine in less than a year – a sign of stricter times to come?

Earlier this month, we saw the second instance of the Information Commissioner's Office (ICO) issuing a £400,000 fine, this time on cold-calling firm Keurboom Communications (Keurboom). A previous fine at that level was issued against TalkTalk for security breaches.

Keurboom breached privacy laws by calling people without their consent, often repeatedly and during unsocial hours. It had even made efforts to hide its identity so that it would be harder for anyone to complain. The ICO wanted to send a very clear message, but the fine is only a sign of potentially greater enforcement actions to come.

The Keurboom director had been quoted as saying that while he didn't enjoy receiving cold calls himself and personally found them annoying, that didn't make them illegal. A few words of warning:

  • Firstly, making automatic marketing calls without people's consent is illegal. Of even greater significance is that company directors are shortly due to find themselves directly responsible and face personal liability, with each director being liable to a fine of up to £500,000 from the ICO. The Department for Culture, Media and Sport originally announced that the Privacy and Electronic Communications (EC Directive) Regulations 2003 would be amended to make all directors liable for nuisance call fines. In light of the upcoming election, we understand this change is now likely to take place in the autumn.
  • Secondly, under the EU General Data Protection Regulation 2016 (GDPR), which comes into force here in the UK on 25 May 2018, ICO fines for data protection breaches are set to increase further – potentially extending up to the greater of €20m or 4% of global annual turnover.
  • The third (and final for the purposes of this article only!) word of warning is that the ePrivacy Regulation is weaving its way through the European institutions. It has the aim of ensuring even stronger privacy in electronic communications. The regulation will strengthen laws on processing communications content, and breaches, which apply extra-territorially, can also attract fines of up to 4% of worldwide annual turnover.

Ultimately, this fresh wave of new legislation emphasises the Europe-wide aims of upholding privacy, security and information rights in the UK's public interest. Companies and their directors need to be alert to the full extent of the powers that will shortly be extended to the ICO and ensure they are suitably prepared to remain on the right side of the law. Not to do so could be an expensive mistake.

For further insights on Data Protection, please contact Tom Torkar, Partner and head of Technology at tom.torkar@michelmores.com