The Information Commissioner’s Office (ICO) has updated its guidance on monetary penalty notices issued for breaches of data protection obligations. The right for the ICO to impose monetary penalty notices is derived from sections 55A to 55E of the Data Protection Act 1998. These sections were subsequently inserted into the Privacy and Electronic Communications Regulations 2003 to enable monetary penalty notices to be imposed in relation to breaches of the 2003 Regulations.
The amendment means a person no longer needs to show they have suffered substantial damage or distress before a fine can be imposed under the Privacy Regulations 2003. Fines under the 2003 Regulations most commonly relate to unsolicited direct marketing communications, which are often made through calls, text messages, emails and fax transmissions. The system had previously attracted criticism, given that the substantial nature of damage or distress was seen as an unnecessarily high threshold to meet. Many believed the nuisance element should be given due weight, rather than waiting for substantial damage or distress to occur (if it ever did occur) before any intervention could be undertaken by the ICO.
The amendment to the Regulations has been welcomed by privacy campaigners, although it remains to be seen whether the threat of monetary penalty notices will serve as an effective deterrent. Many will be watching closely to see how effective the amended Regulations are in clamping down on nuisance callers.