ICO Struggling to Recover GDPR Fines

Over the past couple of years, the number of financial penalties issued for violations of the EU General Data Protection Regulation (GDPR) has increased sharply, with 2021 seeing a sizeable increase in fines for companies that have fallen afoul of the GDPR Rules.

While enforcement of compliance has increased and many fines have been imposed, recovery of the financial penalties has proven problematic, especially for the UK’s GDPR watchdog agency, the Information Commissioner’s Office (ICO). In 2020, research conducted by TheSMSWorks showed the ICO had only collected 32% of the fines imposed for GDPR violations, and the ICO’s collection problems are getting worse.

TheSMSWorks reports that between January 2020 and September 2021, the ICO imposed 47 financial penalties on companies that had engaged in spamming or had been found to have failed to protect the personal data of EU data subjects. Only 19 of the 47 financial penalties have been paid in full. Fines totaling £7 million have been imposed, but only £1.81 million has been collected; 74.1% of the value of the fines has yet to be recovered. These figures do not include the fines for British Airways and Marriott hotels, which were fined £20 million and £18.4 million respectively, as the ICO agreed to annual payments of those penalties because of the problems the companies faced as a result of the COVID-19 pandemic.

The financial penalties least likely to be paid are those imposed on companies in the home improvements sector, which in the majority of cases have been imposed for nuisance phone calls to homeowners. TheSMSWorks report says the sector has been fined £1.6 million since January 2020, yet only £280,000 has so far been recovered. 83% of fines remain unpaid. Fines issued to companies involved in claims management have similarly been slow to be paid, with over 75% of fines remaining unpaid. The only sector that has paid promptly is the charities sector, where 100% of the financial penalties imposed have been paid. Across other industry sectors, there is a delinquency rate of at least 50%.

After a financial penalty has been imposed, it is common for the fined company to shut down and for business to be resumed under a different name. TheSMSWorks refers to this process as “phoenixing.” This approach is not always successful, but it has been for some companies. In some cases, fined companies have retained their existing staff and business address, simply liquidated the company, and resumed business under a different name. For instance, Black Lion Marketing was fined £170,000 by the ICO in March 2020 for cold-calling activities, then liquidated the company, reformed under a different name, and tried to conceal the identities of the business owners by using false names.

Part of the problem is the long appeals process. Many company directors who have been ordered to pay fines have appealed the penalties, and that process can take many months or even years. One insurance firm cited in the report appealed a £60,000 GDPR financial penalty, and the appeal has still not been resolved 3 years later. According to TheSMSWorks, around £1.1 million in fines have been appealed, but in many cases company directors have simply refused to pay, with debt collection efforts often dragging on for even longer.

The report indicates that the larger the financial penalty, the less likely it is to be paid and the more likely it is to be appealed. TheSMSWorks suggests the solution may be to impose smaller fines, especially in cases where the GDPR Rules have been accidentally violated. For instance, a financial penalty of £100,000 was imposed on EE for sending an SMS message to around 2.5 million customers that combined a service message with direct marketing, when some of those customers had not opted in to direct marketing. In that case, the SMS messages generated no complaints. Fines of £100,000 or more are the most likely to be appealed or left unpaid.


Author: NetSec Editor