Almost £13m worth of data privacy fines issued in the past five years by the Information Commissioner’s Office (ICO) have not been paid, according to Spotlight analysis of the privacy watchdog’s enforcement data. This represents more than a quarter of the 160 fines meted out by the ICO since 2017.
Of those 160 fines, which include penalties under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), 41 were left unpaid, either due to a legal appeal or because companies chose to go into liquidation instead of paying the fine. Since 2017, a total of 34 companies have been liquidated.
The ICO’s DPA targets organisations that have been found guilty of data breaches, with, for example, British Airways being fined £2m in 2020 for leaking the personal data of 420,000 staff and customers. The airline is currently paying off its fine through a structured payment plan, according to the ICO.
The Cabinet Office was also fined – £500,000 in November last year – for disclosing the postal addresses of the 2020 New Year Honours recipients online. The government department is currently going through an appeals process.
The ICO’s PECR primarily goes after businesses that make unsolicited marketing calls. On 31 January this year, the ICO handed a £200,000 fine to Home2Sense, a home improvement company, for making more than half a million “nuisance calls”. The fine is currently unpaid and a recovery process is ongoing, says the ICO. Nuisance callers made up more than 70 per cent of companies fined by the ICO since 2017, according to Spotlight's analysis of the watchdog's data.
More recently, the ICO handed Clearview AI, a US facial recognition company, a £7,552,800 fine for collecting more than 20 billion images of people’s faces and data from open sources to create an online database for law enforcement agencies. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service,” said John Edwards, the UK’s information commissioner. “That is unacceptable.”
While it is unclear if Clearview AI will be appealing the fine, lawyers representing the company have reiterated their stance that the penalty is “incorrect as a matter of law”. They claimed that the company is not subject to the ICO’s jurisdiction since it does not have any business dealings in the UK. But the ICO is arguing that Clearview AI’s database is likely to include a “substantial amount of data from UK residents, which has been gathered without their knowledge”.