NEWS “without comment”

The ICO is struggling to collect fines from companies that violate data protection rules

The Watchdog lacks teeth: 68 per cent of fines issued since January 2019 haven’t been paid

Dev Kundaliya –

December 03, 2020

The Information Commissioner’s Office (ICO) is struggling to retrieve monetary penalties issued to companies for violating rules on nuisance calls, SMS and email spam and data breaches.

That is according to SMS Works, a SMS API company, which recently submitted a Freedom of Information (FOI) request seeking information from the ICO on the status of the unpaid fines.

The data released by the watchdog revealed that of the 47 outstanding fines issued between 2015 and July 2019, the regulator has managed to retrieve just one more additional fine – from social media giant Facebook, which was penalised in October 2018 over the Cambridge Analytica data scandal.

According to ICO data, 68 per cent of the fines issued since January 2019 have not been paid by offending companies.

The UK data watchdog is also struggling to collect fines that were more recently issued. Of the 21 penalties imposed between January 2019 and August 2020, only nine have been paid so far. That means just £1.03 million of the total £3.2 million has been paid by the companies.

Nuisance call fines are proving to be the most difficult to retrieve from offenders. Just 10.7 per cent of the total fine issued for making spam calls has been collected so far.

The higher penalty, the less likely the ICO is to successfully collect it, the data suggests. Just eight of the 21 fines between £250,000 and £500,000 have been paid, leaving £4.55 million outstanding.

The ICO data also indicates that the regulator is fining a smaller number of companies now than earlier.

Despite fears of vast numbers of post GDPR fines, it punished 89 companies in 2017-2018, with the number dropping to 29 during 2019-2020.

According to SMS Works, companies violating the rules are finding new ways to wriggle out of their responsibilities. It was observed that some companies intentionally closed their business to avoid paying a fine. Later, they opened a new company to continue their unlawful activities under a new name.

Last month, the ICO also reduced the fine it had originally proposed to impose on hotel chain Marriott International over the data breach that exposed the personal information of millions of guests worldwide. In its final penalty notice, the watchdog said that Marriott would be required to pay £18.4m, down from the £99 million figure proposed in July 2019.

The fine demanded from BA for the Magecart hack was also shaved from an initial figure of £183 million to just £20 million, on account  of the pandemic.