ICO fines crisis deepens – 68% of fines issued since Jan 2019 haven’t been paid
Henry Cazalet – Director, The SMS Works. A low cost SMS API for developers
A year ago we published a report highlighting the problems that the ICO was having collecting the fines that they had issued for email and SMS spam, nuisance calls and data breaches.
The report revealed that 42% of all the fines handed out remained unpaid.
One year on from that report, we wanted to discover whether the ICO had been successful in collecting the huge number of historical unpaid fines and whether they were being more effective at retrieving more recently issued penalties.
A month ago, we received a response from the ICO following our freedom of information request to update the status of the unpaid fines.
Historic fines collection largely ineffective
Of the 47 unpaid fines handed out between 2015 and the end of July 2019, the ICO has succeeded in collecting just one additional fine.
That was from Facebook for a serious breach of personal data in October 2018.
At the time we published our previous article, the ICO was at pains to point out that it would deploy the services of debt collection agencies to assist with debt collection.
“We actively exercise our rights as a creditor to appoint professional insolvency practitioners, and work closely with the Insolvency Service in these cases, to not only seek to recover the money owed to the taxpayer but also to support action to disqualify the worst offenders from running companies in the future.”
The Information Commissioner’s Office
It would seem that these efforts have been in vain as the total of unpaid fines issued up to July 2019 is £6.55 million or 39.4%.
So has the ICO been more effective at collecting more recent fines?
Unfortunately not.
The ICO continues to struggle to effectively collect the fines that they issue. Companies are still finding ways to wriggle out of their responsibilities.
This is despite some new laws that the ICO hoped would act as a deterrent.
In December 2018, the law changed to make directors themselves responsible for nuisance marketing. According to the ICO, this “should have had a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”
(ICO statement)
From January 2019 to the end of August 2020, the ICO handed out 21 fines to companies, amounting to £3.2 million.
Of this, just £1.03 million has been collected, which equates to just 32% of all fines issued.
Only 9 out of 21 of the fines issued during the period have been paid.
Despite the new regulations that make company directors individually responsible for paying fines, many are simply claiming voluntary insolvency and successfully avoiding payment.
Extreme measures to avoid fines
Some companies even deliberately shut down their business to avoid paying a fine, only to reopen a new company, allowing them to continue their shady activities under a new name.
In a process known as ‘phoenixing’, companies can very quickly skip from one identity to another, often retaining the same members of staff and operating address.
Because the process of identifying culprits of spam and nuisance calls can take months, the scammers can always remain one step ahead.
Black Lion Marketing used this exact tactic when faced with a fine from The ICO for £171,000 in March 2020.
They were found not only to be phoenixing the business, but also to be using ‘fictitious company names in an apparent attempt to conceal its true identity.’
Nuisance call companies remain a major problem
Companies that blight people’s lives with invasive calls to their homes are particularly hard to bring to justice.
Between the beginning of 2019 and the end of August 2020, the ICO handed out 8 fines, totalling £1.3 million to companies involved in nuisance calls.
Just 2 of these fines have been paid, leaving £1.17 million of unpaid fines.
Just 10.7% of the fines for nuisance calls have been paid.
The ICO defends its record in fine collection
In a statement made to The Register in response to these findings, The ICO defended its record in collecting fines.
Many nuisance-call companies fined under the Privacy and Electronic Communications Regulations go into liquidation. While in some respects, a firm going into liquidation marks a frustrating end to our investigations, it’s worth noting that when nuisance-call companies go out of business, they stop making calls. And that’s a successful outcome.
Since January 2019, nine fines have been paid, seven fines are in the process of being recovered and five are under appeal. Over the same period 16 directors have been disqualified for 94 years and a sole trader also signed a Bankruptcy Restriction Undertaking for six years in connection with ICO fines.
Number of fines decreases, post GDPR
In the run up to the introduction of the GDPR in May 2018, the media was awash with predictions of a tsunami of fines that would be handed out for even the most minor offences.
It was one of the GDPR myths that the ICO was keen to quash at the time.
It turns out that those fears were unfounded; far fewer fines have been issued post GDPR than in the preceding years.
In 2017-2018, 89 fines were handed out; in 2019-2020 there have only been 29.
As well as a reduction in the number of fines being issued, British Airways has also benefitted from a show of leniency by the ICO. Their proposed monster fine of £183 million, for a massive data breach, has been reduced to a more modest £20 million.
The reduction has been put down to BA’s cooperation and the impact that the corona crisis has had on the air industry. It was also in part because a more detailed analysis of the circumstances of the hack put less blame on BA than had originally been thought.
Which type of offence attracts the most fines
Data breaches account for 51% of fines issued since 2015.
Of all the spam offences (calls, SMS, email), nuisance calls remain the most fined, attracting 63 fines or 28%.
Note that general account alerts by email and SMS do not require specific customer opt in. Also, SMS appointment reminders are not subject to GDPR regulations.
Email spam is the least fined offence. Just 14 fines (6%) were handed out for this type of offence.
Type of Offence | No. Fines Issued |
Email Spam | 14 |
SMS Spam | 34 |
Data Breach | 113 |
Nuisance Calls | 63 |
The larger the fine, the less likely it is to be paid
Since 2015, The ICO has handed out 21 larger fines of between £250,000 and £500,000.
Of these only 8 have been paid.
If we remove larger household brands, who always tend to pay promptly, the payment problem is even starker.
In the £250,000 – £500,000 bracket, not a single fine has been paid by a non-household brand.
That leaves £4.55 million in unpaid fines, with little hope of bringing any of it in.
Smaller fines could improve collection rate
Effective fine collection remains a major headache for the ICO. It seems the larger the fine, the less likely they will be able to bring it in.
Many organisations and individuals will do all they can to avoid paying a fine of over £100,000. The larger the fine, the more extreme the measures individuals are prepared to take.
It raises the question of whether issuing smaller and more realistic fines might be a sensible strategy. Large fines only act as a deterrent if they can be collected and too often, this just isn’t the case.