As has been well documented, there are proposals to replace the current Privacy and Electronic Communications Regulations 2003 (PECR) with the e-Privacy Regulations, a new piece of legislation that will apply across the whole EU in the same way as the GDPR. Whilst the e-Privacy Regulations were originally intended to come into force at the same time as GDPR, it is still making its way through the European Parliament and so we shall update you as and when this comes into force.
In the meantime, the UK Government has amended PECR, which covers topics including marketing communications and cookies. The changes give the ICO the power to personally fine directors, managers or secretaries of a body corporate, or a partner of a Scottish partnership. Fines up to a maximum of £500,000 can now be imposed on such individual in a personal capacity for breaching the strict rules regarding the use of automated calling systems and direct marketing phone calls and emails.
Previously, it was the organisational entity that was served with a fine, and since 2015 when the power to fine organisations originally came into force, whilst £4.8million of penalties has been issued only £2.3million of that has actually been paid. This was mostly due to the practice of “phoenixing” where organisations voluntarily wind themselves up, before incorporating a brand new business, thereby avoiding the fine. This amendment means that the ICO is able to fine an organisation’s officers in their personal capacity, where breaches occur with their “consent or connivance” or due to “any neglect”.
This is a striking example of enhanced powers for the ICO and which could result in devastating personal consequences for officers who find themselves faced with a large fine. Whilst this amendment specifically concerns direct marketing communications, this is a practice that most organisations partake in and so it highlights how important it is for individuals in charge of organisations to ensure that direct marketing communications are sent either on the basis of (1) consent from the individual, or (2) with some exceptions, the communication being in the context of an ongoing commercial relationship or delivery of goods or services. Given the potential exposure of those in charge in a personal capacity, we recommend that managers etc. engage with the organisation and in particular marketing teams to ensure such marketing practices are legally compliant.