Monetary penalties are one mechanism in a suite of tools that the UK Information Commissioner’s Office (“ICO”) uses to encourage compliance with data protection regulations. The ICO generally uses monetary penalties to sanction deliberate or negligent breaches of the law; their purpose is not to impose financial hardship but rather to “act as an encouragement towards compliance, or at least as a deterrent against non-compliance.” The following is a brief overview of the ICO’s authority to issue monetary penalties.
- On April 6, 2010, the ICO’s power to issue monetary penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 (the “DPA”) came into force.
- On May 26, 2011, the ICO’s power to similarly issue fines of up to £500,000 for breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “Privacy Regulations”) came into force.
- In early 2012, the ICO released updated statutory guidance (the “Guidance”) setting forth the circumstances under which the ICO will issue fines and how it will determine the amount of such fines. The Guidance, which should be read in conjunction with the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 and the Data Protection (Monetary Penalties) Order 2010, states that the ICO is “committed to acting consistently, proportionately and in accordance with public law.”
- For breaches of the DPA, the ICO has the power to issue fines to all data controllers in the private, public and voluntary (nonprofit) sectors.
- For breaches of the Privacy Regulations, the ICO has the power to issue fines to natural and legal persons in the private, public and voluntary sectors (although not to employees merely acting under the instructions of an employer).
Monetary penalties are reserved for the most serious breaches of the DPA and the Privacy Regulations. Before issuing any fine, the Commissioner must determine that (1) there has been a serious breach of the DPA or the Privacy Regulations; (2) the breach is of a kind likely to cause substantial damage or distress; and (3) the breach was deliberate, or the transgressor knew or should have known that there was a risk that such a breach would occur and they failed to take reasonable steps to prevent it.
When issuing penalties, the ICO takes into account the organization’s size, financial resources and whether it is a voluntary or commercial undertaking. The general principle is that “a person with substantial financial resources is more likely to attract a higher monetary penalty than a person with limited resources for a similar contravention.” The ICO also will take into account a number of other factors, including the need to “maximize the deterrent effect” and whether the breaching party had corporate governance controls and/or specific procedures and processes in place which may have prevented the non-compliance.
As we previously reported regarding the ICO’s agenda, the ICO has been heavily promoting its offer of free audits and advisory visits. Organizations should be aware that another consideration for deciding whether to issue a monetary penalty is whether an organization previously refused to submit to a voluntary assessment or audit which “could reasonably have been expected to reveal a risk of the contravention.”