The Information Commissioner’s Office (ICO) is struggling to collect the fines it has imposed, meaning that companies breaking the law can effectively get off the hook, according to new Freedom of Information (FOI) data.
API company The SMS Works has been tracking the UK’s privacy and information rights regulator’s progress since 2018. Last year it was revealed that around £7m, or 42% of the cash amount of fines imposed since 2015, had not been paid.
The latest results show that the ICO only managed to collect one more of the 47 outstanding fines imposed as of July 2019 – related to Facebook’s Cambridge Analytica scandal. This means that £6.6m, or more than 39% of the total fines, is still outstanding.
Additionally, the regulator wasn’t very good at collecting recent fines, despite telling The SMS Works last year that it would be stepping up its efforts with the help of debt collection agencies.
Of the 21 fines imposed between January 2019 and August 2020, only nine were paid, the FOI data showed. This means that 68% of the monetary value of the fines imposed during this period is still outstanding.
Of these, the ICO is best at collecting fines for data breaches, bringing in 54% of the cash over the reporting period. However, only 13% of the fines for disruptive calls were collected.
The ICO should also have benefited from a long-awaited change in the law that made company directors responsible for paying fines. In the past, many simply filed for bankruptcy to avoid the fine and started a new business.
However, this process, known as “phoenixing”, is still prevalent: a company previously known as Black Lion Marketing was fined £171,000 in March 2020, but its owner phoenixed the business and it is believed that he invented new trade names to avoid control.
The ICO has already been criticized by some for reducing the fine it initially intended to impose on BA for a serious data breach from £183m to just £20m. According to FOI data, the number of fines imposed for violations since the GDPR came into force has fallen from 89 in 2017-18 to just 29 in 2019-20.
Henry Cazalet, director of The SMS Works, told Infosecurity that resources for the ICO are not the problem.
“The ICO employs over 500 people in four offices across the UK, so there is no shortage of manpower,” he continued.
“I think the main problem is that despite changes in the law, it is still too easy for companies and individuals who break the rules to find ways to avoid paying. In many cases, the fines imposed have far exceeded the organization’s solvency.”
The answer, therefore, could be to impose smaller fines for violations and spam violations, which the ICO has a better chance of successfully collecting, he argued.
The irony is that the privacy professionals who drafted the GDPR, including many at the ICO, recommended the high cap of £20 million, or 4% of global sales, to deter potential criminals. If the fines cannot be collected, the idea of such deterrence seems pointless.