Support 110 years of independent journalism.

Almost £13m in data privacy fines have been left unpaid

Spotlight analysis shows a quarter of the fines issued by the ICO since 2017 have not been paid.

By Afiq Fitri

Almost £13m worth of data privacy fines issued in the past five years by the Information Commissioner’s Office (ICO) have not been paid, according to Spotlight analysis of the privacy watchdog’s enforcement data. This represents more than a quarter of the 160 fines meted out by the ICO since 2017.

Of those 160 fines, which include penalties under the Data Protection Act (DPA) and the Privacy and Electronic Communications Regulations (PECR), 41 were left unpaid, either due to a legal appeal or because companies chose to go into liquidation instead of paying the fine. Since 2017, a total of 34 companies have been liquidated.

The ICO’s DPA targets organisations that have been found guilty of data breaches, with, for example, British Airways being fined £2m in 2020 for leaking the personal data of 420,000 staff and customers. The airline is currently paying off its fine through a structured payment plan, according to the ICO.

The Cabinet Office was also fined – £500,000 in November last year – for disclosing the postal addresses of the 2020 New Year Honours recipients online. The government department is currently going through an appeals process.

Select and enter your email address Your weekly guide to the best writing on ideas, politics, books and culture every Saturday. The best way to sign up for The Saturday Read is via The New Statesman's quick and essential guide to the news and politics of the day. The best way to sign up for Morning Call is via
  • Administration / Office
  • Arts and Culture
  • Board Member
  • Business / Corporate Services
  • Client / Customer Services
  • Communications
  • Construction, Works, Engineering
  • Education, Curriculum and Teaching
  • Environment, Conservation and NRM
  • Facility / Grounds Management and Maintenance
  • Finance Management
  • Health - Medical and Nursing Management
  • HR, Training and Organisational Development
  • Information and Communications Technology
  • Information Services, Statistics, Records, Archives
  • Infrastructure Management - Transport, Utilities
  • Legal Officers and Practitioners
  • Librarians and Library Management
  • Management
  • Marketing
  • OH&S, Risk Management
  • Operations Management
  • Planning, Policy, Strategy
  • Printing, Design, Publishing, Web
  • Projects, Programs and Advisors
  • Property, Assets and Fleet Management
  • Public Relations and Media
  • Purchasing and Procurement
  • Quality Management
  • Science and Technical Research and Development
  • Security and Law Enforcement
  • Service Delivery
  • Sport and Recreation
  • Travel, Accommodation, Tourism
  • Wellbeing, Community / Social Services
Visit our privacy Policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications.

The ICO’s PECR primarily goes after businesses that make unsolicited marketing calls. On 31 January this year, the ICO handed a £200,000 fine to Home2Sense, a home improvement company, for making more than half a million “nuisance calls”. The fine is currently unpaid and a recovery process is ongoing, says the ICO. Nuisance callers made up more than 70 per cent of companies fined by the ICO since 2017, according to Spotlight's analysis of the watchdog's data.

More recently, the ICO handed Clearview AI, a US facial recognition company, a £7,552,800 fine for collecting more than 20 billion images of people’s faces and data from open sources to create an online database for law enforcement agencies. “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service,” said John Edwards, the UK’s information commissioner. “That is unacceptable.”

While it is unclear if Clearview AI will be appealing the fine, lawyers representing the company have reiterated their stance that the penalty is “incorrect as a matter of law”. They claimed that the company is not subject to the ICO’s jurisdiction since it does not have any business dealings in the UK. But the ICO is arguing that Clearview AI’s database is likely to include a “substantial amount of data from UK residents, which has been gathered without their knowledge”.

Content from our partners
What you need to know about private markets
Work isn't working: how to boost the nation's health and happiness
The dementia crisis: a call for action