UK Amends Requirements For Issuing Monetary Penalty Notice: No Requirement To Prove "Substantial Damage Or Distress"

RS
Reed Smith (Worldwide)

Contributor

Reed Smith (Worldwide) logo
Reed Smith is a dynamic international law firm helping clients move their businesses forward. By delivering smart, creative legal services, we enrich clients' experiences with us and support achievement of their business goals. Our longstanding relationships and collaborative structure enable the speedy resolution of complex disputes, transactions, and regulatory matters.
The early part of 2015 saw major changes to the monetary fines that may be imposed for breaches of the Data Protection Act (‘DPA').
United Kingdom Privacy

The early part of 2015 saw major changes to the monetary fines that may be imposed for breaches of the Data Protection Act ('DPA'). For example, unlimited fines may now be imposed by UK Magistrates' courts for criminal offences under the DPA.

The Information Commissioner's Office ('ICO') has now seen similar changes to its powers. Effective 6 April 2015, the ICO is no longer required to be satisfied that a data controller's contravention of the DPA is likely to cause "substantial damage or substantial distress" before it may impose a monetary fine. This was due, in part, to campaigns by the ICO for stricter and more effective punishments, and also following the decision in the Niebel case, where the high threshold meant that the offender escaped punishment.

Prior to 6 April 2015, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 inserted sections 55A to 55E of the DPA into the Privacy and Electronic Communications (EC Directive) Regulations 2003 ('Privacy Regulations 2003′), which gave the Commissioner the power to impose monetary penalty notices on data controllers if it was satisfied that, among other things, the actions by the data controller were likely to cause "substantial damage or substantial distress". However, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2015 removed the requirement to prove "substantial damage or substantial distress" with respect to serious breaches of regulations 19 to 24 of the Privacy Regulations 2003, relating to unsolicited direct marketing (marketing calls, texts, emails, etc.).

The ICO has detailed guidance on monetary penalty notices, and is currently reviewing and updating this guidance in order to reflect the 2015 amendment.

The recent amendment will be welcomed by direct marketing recipients; however, as heavier penalties are now available, together with a lower burden of proof, organisations will be forced to reassess their risk attitudes and review current and future marketing campaigns.

Going forward, organisations should think long and hard before, and if, hitting the "send" button...

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More