Henry Cazalet - Director, The SMS Works
ICO Fines Collection Crisis - 42% of Fines Remain Unpaid
Since 2015, the Information Commissioner’s Office (ICO) has fined 152 organisations a total of £16.6 million for data breaches, spam and nuisance calls.
All these fines were raised before GDPR came into force in May 2018, so the maximum fine allowed was £500,000. The penalties range from £1000 to £500,000.
The ICO meticulously report on all the fines that they’ve handed out on the ‘enforcement’ section of their website. What’s not revealed is whether these fines have actually been paid.
We wanted to find out how successful the ICO is in actually collecting the fines that they hand out.
Freedom of information request submitted
Following a freedom of information request submitted by SMS API provider The SMS Works, we now have a complete breakdown of paid and unpaid fines since 2015.
We suspected that collecting some of the large fines from smaller organisations might have proved challenging. What we didn't expect was the sheer scale of the fines collection crisis.
Fines collection largely unsuccessful
Of the 152 fines issued since 2015, 47, or 30% of them, remain unpaid.
The total amount fined was £16.6 million and £7.05 million remains uncollected. That’s a staggering 42% of the total.
Crunching the numbers further reveals which types of organisation are avoiding paying. Not surprisingly, charities and public organisations stood up to their responsibilities, with 100% of fines being paid.
The same can’t be said for private companies, in particular the Claims Management industry. The sector has received a total of £3.2 million in fines since 2015, mainly for blighting millions of people’s lives with nuisance calls.
So far, only £490,000 has been collected, leaving 84% of fines to the claims management sector unpaid.
Faced with a huge bill for their illegal and distressing activities, most companies simply fold, leaving the bill unpaid and the ICO almost no chance of recovering the debt.
Nuisance call perpetrators go unpunished
Fines for nuisance calls, despite the untold consumer misery and distress the calls inflict, have the lowest rate of success in fine collection. Just 23% of fines for nuisance calls are successfully gathered in.
Email and SMS spam have fine payment rates of 64% and 74% respectively.
Fines for data breaches have the greatest success rate with 85% of fines having been paid.
ICO makes concerted effort to retrieve fines
There is hope that at least some of the unpaid fines will be recovered. The ICO say that they are still attempting to collect £4.1 million despite many of the companies having folded rather than pay up.
In a statement made in response to these findings, an ICO spokesperson said:
“We actively exercise our rights as a creditor to appoint professional insolvency practitioners, and work closely with the Insolvency Service in these cases, to not only seek to recover the money owed to the taxpayer but also to support action to disqualify the worst offenders from running companies in the future.”
“Some nuisance call directors liquidate their firms to avoid paying fines from the ICO. In December 2018, the law changed to make directors themselves responsible for nuisance marketing. This should have a real deterrent effect on those who deliberately set out to disrupt people with troublesome calls, texts and emails.”
The 3 largest unpaid ICO fines
Company: Your Money Rights Ltd
Date of fine: 08/09/2017
Fine amount: £350,000
Reason for fine:
The company that made a record high 146 million illegal calls about PPI has been fined £350,000 by the Information Commissioner’s Office (ICO).
People were left feeling harassed and threatened by the recorded (also known as automated) calls. The company was responsible for the largest number of automated calls to result in an ICO fine to date.
Outcome: Fine unpaid – Company no longer trading – compulsory liquidation
Company: Miss-sold Products UK Ltd
Date of fine: 12/01/2018
Fine amount: £350,000
Reason for fine:
Miss-sold Products UK Ltd made automated marketing calls between 16 November 2015 and 7 March 2016. The calls contained recorded messages, primarily promoting PPI compensation claims, but the company did not have the recipients’ consent for making marketing calls, which is against the law.
Outcome: Fine unpaid – Company no longer trading – compulsory liquidation
Company: Keurboom Communications Ltd
Date of fine: 10/05/2017
Fine amount: £400,000
Reason for fine:
The company behind 99.5 million nuisance calls was fined a record £400,000 by the Information Commissioner’s Office (ICO).
Keurboom Communications Ltd has been issued the ICO’s highest ever nuisance calls fine after more than 1,000 people complained about recorded calls.
Outcome: Fine unpaid – Company no longer trading – voluntary liquidation
Will post GDPR fines be paid?
The new rules outlined in the ICO's statement mean that company directors will no longer be able to avoid paying their fines simply by closing their business. Having your home at risk will act as a real deterrent to breaking the rules in the first place.
Under GDPR, the ICO has the power to raise monstrously large fines. As has been reported absolutely everywhere, they can now fine organisations up to 20 million Euros or 4% of global turnover.
They’ve already shown they’re willing to flex their muscles with two very large proposed fines handed to British Airways (£183 million) and Marriott Hotels (£99 million). Both fines were for allowing hackers to steal huge quantities of customer data and for not having adequate measures in place to prevent these types of attacks.
Both British Airways and Marriott have deep enough pockets to be able to pay these fines and come out the other side, but if faced with a similar breach and massive fine, many companies would be unable to pay and would have no option but to go out of business.
The proposed BA fine was for a leak of around 500,000 customer records including card details. If a much smaller company were to have the misfortune to be the victim of a similar attack, they could expect to receive a similar-sized fine.
There are hundreds of companies that hold that amount of consumer data, most of them without the resources of our national airline.
For the ICO’s penalty system to be fair, the size of the fine should be based on the seriousness of the offence, not on the organisation’s ability to pay.
ICO fines under appeal
Both the BA and Marriott fines are currently under appeal. If their appeals are successful it might mean that the ICO will need to adjust its ambitions to fine such titanic amounts.
There’s little point in fining heavily if you force companies out of business.
A more moderate approach might mean that a greater proportion of future fines actually make it to the Government’s coffers.