13 June 2022

Almost £13m in data privacy fines have been left unpaid

Spotlight analysis shows a quarter of the fines issued by the ICO since 2017 have not been paid.

British Airways is paying back a £2m ICO fine. Photo courtesy of PASCAL PAVANI/AFP/Getty Images

Almost £13m worth of data privacy fines issued in the past five years by the Information Commissioner’s Office (ICO) have not been paid, according to Spotlight analysis of the privacy watchdog’s enforcement data. This represents more than a quarter of the 160 fines meted out by the ICO since 2017.

Of those 160 fines, which include penalties under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), 41 were left unpaid, either due to a legal appeal or because companies chose to go into liquidation instead of paying the fine. Since 2017, a total of 34 companies have been liquidated.

The ICO’s DPA targets organisations that have been found guilty of data breaches, with, for example, British Airways being fined £2m in 2020 for leaking the personal data of 420,000 staff and customers. The airline is currently paying off its fine through a structured payment plan, according to the ICO.

The Cabinet Office was also fined – £500,000 in November last year – for disclosing the postal addresses of the 2020 New Year Honours recipients online. The government department is currently going through an appeals process.

Select and enter your email address

The Saturday Read

Your weekly guide to the best writing on ideas, politics, books and culture every Saturday. The best way to sign up for The Saturday Read is via saturdayread.substack.com

Morning Call

The New Statesman's quick and essential guide to the news and politics of the day. The best way to sign up for Morning Call is via morningcall.substack.com

The Salvo

Our Thursday ideas newsletter, delving into philosophy, criticism, and intellectual history. The best way to sign up for The Salvo is via thesalvo.substack.com

Events and Offers

Stay up to date with NS events, subscription offers & updates.

The Green Transition

Weekly analysis of the shift to a new economy from the New Statesman's Spotlight on Policy team. The best way to sign up for The Green Transition is via spotlightonpolicy.substack.com

Your email address

Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

The ICO’s PECR primarily goes after businesses that make unsolicited marketing calls. On 31 January this year, the ICO handed a £200,000 fine to Home2Sense, a home improvement company, for making more than half a million “nuisance calls”. The fine is currently unpaid and a recovery process is ongoing, says the ICO. Nuisance callers made up more than 70 per cent of companies fined by the ICO since 2017, according to Spotlight's analysis of the watchdog's data.

More recently, the ICO handed Clearview AI, a US facial recognition company, a £7,552,800 fine for collecting more than 20 billion images of people’s faces and data from open sources to create an online database for law enforcement agencies. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service,” said John Edwards, the UK’s information commissioner. “That is unacceptable.”

While it is unclear if Clearview AI will be appealing the fine, lawyers representing the company have reiterated their stance that the penalty is “incorrect as a matter of law”. They claimed that the company is not subject to the ICO’s jurisdiction since it does not have any business dealings in the UK. But the ICO is arguing that Clearview AI’s database is likely to include a “substantial amount of data from UK residents, which has been gathered without their knowledge”.