Support 100 years of independent journalism.

Almost £13m in data privacy fines have been left unpaid

Spotlight analysis shows a quarter of the fines issued by the ICO since 2017 have not been paid.

By Afiq Fitri

Almost £13m worth of data privacy fines issued in the past five years by the Information Commissioner’s Office (ICO) have not been paid, according to Spotlight analysis of the privacy watchdog’s enforcement data. This represents more than a quarter of the 160 fines meted out by the ICO since 2017.

Of those 160 fines, which include penalties under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), 41 were left unpaid, either due to a legal appeal or because companies chose to go into liquidation instead of paying the fine. Since 2017, a total of 34 companies have been liquidated.

The ICO’s DPA targets organisations that have been found guilty of data breaches, with, for example, British Airways being fined £2m in 2020 for leaking the personal data of 420,000 staff and customers. The airline is currently paying off its fine through a structured payment plan, according to the ICO.

The Cabinet Office was also fined – £500,000 in November last year – for disclosing the postal addresses of the 2020 New Year Honours recipients online. The government department is currently going through an appeals process.

Select and enter your email address Quick and essential guide to domestic and global politics from the New Statesman's politics team. A weekly newsletter helping you fit together the pieces of the global economic slowdown. The New Statesman’s global affairs newsletter, every Monday and Friday. The New Statesman’s weekly environment email on the politics, business and culture of the climate and nature crises - in your inbox every Thursday. Your guide to the best writing across politics, ideas, books and culture - both in the New Statesman and from elsewhere - sent each Saturday. A newsletter showcasing the finest writing from the ideas section, covering political ideas, philosophy, criticism and intellectual history - sent every Wednesday. Sign up to receive information regarding NS events, subscription offers & product updates.
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

The ICO’s PECR primarily goes after businesses that make unsolicited marketing calls. On 31 January this year, the ICO handed a £200,000 fine to Home2Sense, a home improvement company, for making more than half a million “nuisance calls”. The fine is currently unpaid and a recovery process is ongoing, says the ICO. Nuisance callers made up more than 70 per cent of companies fined by the ICO since 2017, according to Spotlight's analysis of the watchdog's data.

Content from our partners
A better future starts at home
How to create an inclusive workplace and embrace neurodiversity
Universal Credit falls short of covering the bare essentials. That needs to change

More recently, the ICO handed Clearview AI, a US facial recognition company, a £7,552,800 fine for collecting more than 20 billion images of people’s faces and data from open sources to create an online database for law enforcement agencies. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service,” said John Edwards, the UK’s information commissioner. “That is unacceptable.”

While it is unclear if Clearview AI will be appealing the fine, lawyers representing the company have reiterated their stance that the penalty is “incorrect as a matter of law”. They claimed that the company is not subject to the ICO’s jurisdiction since it does not have any business dealings in the UK. But the ICO is arguing that Clearview AI’s database is likely to include a “substantial amount of data from UK residents, which has been gathered without their knowledge”.

Topics in this article :