Company Directors could be held personally liable and fined for PECR breaches

In all of the GDPR talk over the last month you can be forgiven for forgetting that the Privacy and Electronic Communication Regulations 2003 (PECR) also require consideration. As we explained in an earlier article, there are two pieces of legislation that need to be considered and PECR - which sits alongside the GDPR and the Data Protection Act 2018 - relates to specific privacy rights in relation to electronic communications (marketing calls, emails, texts, faxes and cookies).

As if GDPR wasn’t a big enough headache for business owners, on 30th May the Department for Digital, Culture, Media & Sport launched a consultation in relation to PECR. The second of our two recent articles about email marketing explained PECR in more detail.

The consultation process follows the Government’s amendments to PECR in April 2015. In these, the threshold at which the Information Commissioner’s Office (ICO) can take action against companies breaking the rules was lowered. This meant that the ICO no longer had to consider whether the contravention was likely to have caused substantial damage or substantial distress, and it could issue civil penalties of up to £500,000 for serious breaches.

However, since then, although £17.8million has been issued in fines, less than 60% of this has been recovered. A significant part of this relates to the fact that only businesses are responsible for the fines. In some instances directors have sought to escape paying penalties by placing the responsible company into liquidation (before opening up again under a different name).

The consultation started in May seeks to consider this. Whilst directors found to have breached their duties to regulators and company creditors can be disqualified, and failure to adhere to disqualification orders can lead to a prison sentence, this new round of Government proposals seeks to provide the ICO with the powers it needs to hold officers personally and directly responsible for fines of up to £500,000 under PECR.

If approved, these legislative changes would allow the ICO to hold directors to account, even if the company is put into liquidation. The ICO could also take action against those no longer in senior positions (for example if they’ve resigned or ‘retired’), if they were a director at the time of the breach.

The intention is that this will make it harder for those that breach the law to set up a new company and carry out similar activities, and it will work alongside the existing disqualification procedures.

The consultation puts forward several possible actions, depending on the seriousness of the breach and other, relevant factors:

  • More than one director or partner could be issued with a civil penalty;

  • The company and/or director(s)/partner(s) could be issued with a civil penalty; or

  • The company directors could potentially face disqualification if they failed to comply with an enforcement notice

The consultation process also proposes the inclusion of an appeal process, through the first-tier information tribunal, within 28 calendar days of receiving a decision notice from the ICO.

The consultation period runs until 21 August 2018. You can read the full consultation document here. We will update you as soon as we know more.