The early part of 2015 saw major changes to the monetary fines that may be imposed for breaches of the Data Protection Act (‘DPA’). For example, unlimited fines may now be imposed by UK Magistrates’ courts for criminal offences under the DPA.
The Information Commissioner’s Office (‘ICO’) has now seen similar changes to its powers. Effective 6 April 2015, the ICO is no longer required to be satisfied that a data controller’s contravention of the DPA is likely to cause “substantial damage or substantial distress” before it may impose a monetary fine. This was due, in part, to campaigns by the ICO for stricter and more effective punishments, and also following the decision in the Niebel case, where the high threshold meant that the offender escaped punishment.
Prior to 6 April 2015, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 inserted sections 55A to 55E of the DPA into the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘Privacy Regulations 2003’), which gave the Commissioner the power to impose monetary penalty notices on data controllers if it was satisfied that, among other things, the actions by the data controller were likely to cause “substantial damage or substantial distress”. However, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 removed the requirement to prove “substantial damage or substantial distress” with respect to serious breaches of regulations 19 to 24 of the Privacy Regulations 2003, relating to unsolicited direct marketing (marketing calls, texts, emails, etc.).
The ICO has detailed guidance on monetary penalty notices, and is currently reviewing and updating this guidance in order to reflect the 2015 amendment.
The recent amendment will be welcomed by direct marketing recipients; however, as heavier penalties are now available, together with a lower burden of proof, organisations will be forced to reassess their risk attitudes and review current and future marketing campaigns.
Going forward, organisations should think long and hard before, and if, hitting the “send” button…