Skip links

UK data spillers fined, but enforcement slows: £5m in ICO penalties not yet paid

More than half of data protection fines issued by the Information Commissioner’s Office over the last two years, totalling more than £5m, have not been paid.

Of the 47 fines issued by the ICO since January 2020, 27 – 57 per cent – have not been paid off. These add up to £5.1m owed to the government’s treasury (the ICO doesn’t receive the proceeds of its fines.)

Henry Cazelet, director of marketing firm The SMS Works, which compiled the figures, described them as showing the ICO’s fine enforcement practices as becoming “worse and worse.”

The ICO told The Register: “Organisations have the right to appeal any regulatory action issued by the ICO and this can delay payment of a fine. Many nuisance call companies fined under Privacy and Electronic Communications Regulations go into liquidation.”

The SMS Works pointed out that fines to home improvements companies appear to be least likely to be paid, with £1.6m in fines issued to these firms resulting in just £280,000 being repaid to date. On the flip side, nearly double the number of fines were handed out in the last 10 months than in the whole of 2019.

Cold-calling companies tend to break data protection laws the most, having attracted 72 fines in total since 2015.

Slow ride, take it easy

Compared year-on-year, the figures tend to show that ICO fine enforcement has got less effective: at this point last year £2m in fines, representing 68 per cent of penalties issued, was unpaid.

Data breach fines totalling £6.994m were issued between January 2020 and September 2021. Of those, £5.18m have not yet been paid while just £1.8m were settled promptly. Companies fined during calendar year 2020 and 2021 to date included airline Cathay Pacific, insurance-for-the-elderly firm Saga and American Express.

Other companies have yet to settle their dues, with the ICO pointing out that some are on negotiated repayment plans.

Some businesses enter liquidation in the hope of avoiding financial penalties. In these cases the ICO can pursue directors for personal liability and even try to bankrupt them. While doubtless satisfying, in one case highlighted by El Reg last year the data protection watchdog spent £138,000 hunting down scofflaws who tried to evade a £40,000 fine.

An ICO spokeswoman concluded: “While in some respects a firm going into liquidation marks a frustrating end to our investigations, it’s worth noting that when nuisance call companies go out of business, they stop making calls. And that’s a successful outcome.”

True – unless they set up again under a new name and company structure. ®