The Information Commissioner’s Office (ICO) is struggling to collect the monetary fines it issues, effectively allowing companies in breach of the law off the hook, according to new Freedom of Information (FOI) data.
API company The SMS Works has been tracking the progress of the UK’s privacy and information rights regulator since 2018. Last year it revealed that, since 2015, around £7 million, or 42% of the monetary total, remained unpaid.
The latest findings reveal that the ICO has only managed to collect one more of the 47 outstanding fines issued up to July 2019 — related to Facebook’s Cambridge Analytica scandal. This means £6.6 million, or over 39% of total fines, are still outstanding.
What’s more, the regulator hasn’t been much good at collecting more recent fines, despite telling The SMS Works last year that it would be stepping up its efforts with the help of debt collection agencies.
Of the 21 fines handed out between Jan 2019 and August 2020, only nine have been paid, the FOI data revealed. That means 68% of the monetary value of fines issued during this time remains outstanding.
Of these, the ICO does best at collecting data breach fines, managing to bring in money for 54% during the period. However, just 13% of nuisance call fines were collected.
The ICO should also have benefitted from a long-awaited change in the law which made company directors responsible for paying fines. Previously, many would simply declare bankruptcy to avoid the fine, and start a new company.
However, this process, known as “phoenixing,” is still rife: one company, previously known as Black Lion Marketing, was fined £171,000 in March 2020 but its owner pheonixed the business and is thought to have invented new trading names to escape scrutiny.
The ICO has already been criticized by some for reducing an initial intent to fine BA for a serious data breach from £183 million to just £20 million. In fact, according to the FOI data, the number of fines it has levied for breaches since the GDPR came into force fell from 89 in 2017-18 to just 29 in 2019-20.
Henry Cazalet, director of The SMS Works, told Infosecurity that resources weren’t the issue for the ICO.
“The ICO does, after all, employ over 500 staff in four offices across the UK, so its not short of manpower,” he continued.
“I believe the main issue it faces is that despite changes in the law, it's still too easy for companies and individuals that break the rules to find ways to avoid paying. In many cases the fines issued have been way in excess of the organization's ability to pay.”
The answer may therefore lie with levying smaller fines for breaches and spam offenses, which the ICO has a better chance of successfully paying, he argued.
The irony is that the privacy experts that drafted the GDPR, including many at the ICO, recommended the large upper fine limit of £20 million or 4% of global turnover as a deterrent to would-be offenders. If the fines can’t be collected, the idea of such a deterrent would seem pointless.