Single breach could lead to e-privacy fine, ICO warns

Out-Law News | 08 Jul 2011 | 4:56 pm

Privacy watchdog the Information Commissioner could use his powers to levy fines of up to £500,000 for breaking e-privacy laws over single incidents, if they are serious enough.

The Information Commissioner's Office (ICO) has published guidance for companies over what will trigger new fining powers under the Privacy and Electronic Communications Regulations (PECR). It is consulting with businesses over whether to adopt the proposed guidance.

Amendments to the existing data privacy regulations gave the ICO the power to fine organisations for serious breaches of the regulations or of UK data protection laws. It can now impose fines of up to £500,000 for violations of PECR, in addition to violations of the Data Protection Act, for which it already had that fining power.

PECR was updated in May to comply with an EU Directive on data privacy, and the ICO is consulting with businesses on its guidance.

Losing customers' personal data because files were not securely protected, making repeated automated marketing calls, sending spam emails and secretly tracking someone's whereabouts through the use of location data on mobile phones are all serious breaches of the laws for which companies could be fined, the ICO said in its guidance.

"The Commissioner will aim to reflect the reasonable expectations of individuals and society and ensure that any harm is genuine and capable of explanation," the ICO guidance said.

"It is possible that a single breach may be sufficient to meet this threshold," the ICO said.

"The Information Commissioner may issue a monetary penalty notice if a person has seriously contravened the regulations and if the contravention was of a kind likely to cause substantial damage or substantial distress," the ICO said.

"In addition the contravention must either have been deliberate or the person must have known, or ought to have known, that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it," the ICO consultation document said.

In its guidance the ICO explains circumstances in which companies may have taken reasonable steps to comply with PECR. It also details examples of the level of harm individuals would have to suffer for the ICO to consider issuing companies with a fine.

In the consultation, organisations have been asked whether the ICO's guidance is suitably clear and exhaustive and whether the examples the data watchdog provided are useful. Organisations can also suggest further guidance they would like to receive on when financial penalties will apply under PECR, the consultation said.

When they were introduced in May, the amended data privacy regulations also detailed new investigative powers given to the ICO. These powers allow the Information Commissioner to demand information from telecommunications companies and internet service providers (ISPs) to help with investigations into breaches of the regulations.

Telecommunications companies and ISPs will also have to notify the ICO and their customers in certain circumstances if a personal data breach occurs. The ICO will be able to audit these companies and ISPs to ensure they comply with this requirement.

The ICO is also responsible for enforcing new rules surrounding the use of cookies and other technologies that similarly track internet users' activity online.