DMA calls for custodial sentences for the worst breaches of data protection law

The DMA welcomes the news that the Information Commissioner’s Office (ICO) will, from spring 2017, be able to hold rogue directors personally responsible for breaches under the Privacy and Electronic Communications Regulations (PECR).

Rogue directors could therefore receive a fine of up to £500,000 each. A powerful deterrent to those considering flagrantly breaking the rules to turn a profit.

However, the DMA wants the Government to go one step further and bring in custodial sentences for the worst breaches of data protection law, to ensure that those responsible for nuisance calls and spam texts are held to account.

Rogue marketers blight members of the public and unfairly bring the legitimate industry into disrepute by association.

The ICO has collected only four out of 22 fines issued in the past year as directors liquidate the company to avoid paying. While the new measure for personal director responsibility is a step in the right direction, custodial sentences would a far greater deterrence.

As it stands, the fines issued by the ICO are an insufficient deterrent to rogue companies willing to break data protection law.

Which? found earlier this year, just 4 out of 22 of the fines issued against firms for nuisance calls since April 2015 had been paid in full. It should come as no surprise that individuals willing to skirt the law when it suits them are also ready to do the same to avoid paying their debts. That’s why the powers of the ICO have recently been extended to also allow it to fine the directors that set up multiple companies to avoid justice.

We wholeheartedly support the extension of fines to the individuals that are behind the rogue businesses, but for the worst and repeat offenders we believe the penalties should extend to custodial sentences as well. The Justice Secretary has the powers, which were introduced in the wake of the phone hacking scandal, but it's now time they were used.”

The Digital Economy Bill, which will put the ICO’s direct marketing guidance on a statutory footing, is currently under scrutiny from a Parliamentary committee.

Labour MP, Thangam Debbonaire, asked Which? whether the Bill goes far enough, and whether it ensures that those companies responsible for nuisance calls are held accountable, including the directors of those companies.

There is an appetite for greater action among MPs in this area. After all, it is MPs who receive complaints from their constituents blighted by nuisance calls.

Her ask has now been implemented by the Government. However, personal director responsibility relates only to breaches under PECR and not the Data Protection Act 1998 (DPA).

The root of the problem is bad data, which could be data collected illegally by rogue companies or organisations not doing their due diligence on their data supply.

Breaches under PECR, the nuisance calls and spam texts, are a symptom of rogue companies breaking the law by using bad data.

The DMA is asking for custodial sentences for the worst breaches of data protection law to get to the root of the problem, echoing calls from the ICO, which also supports the introduction of custodial sentences.

Giving evidence to the Digital Economy Bill Committee, Information Commissioner Elizabeth Denham, said: “Yes, I would support extending liability and accountability to directors. Our office has issued fines that totalled about £4 million in the last year, but the problem is that we have been able to collect only a small proportion of those fines because companies go out of business and, as in a game of whack-a-mole, appear somewhere else. It is important for us to be able to hold directors to account for serious contraventions.”

The Justice Secretary has power under the Criminal Justice and Immigration Act 2008 to introduce a new statutory instrument, but it requires a positive vote in both Houses of Parliament to allow custodial sentences for breaches of Section 55 of the DPA. The DMA calls for votes to be taken without delay.

The DMA successfully lobbied for a change in the law, to make it easier for the ICO to successfully prosecute nuisance callers, last year. Previously, the ICO had to prove that nuisance calls had caused ‘substantial damage or distress’ which proved difficult.

The introduction of custodial sentences is the next step in the campaign against nuisance calls and spam texts.

Rogue directors may think twice about breaking data protection law if there is a real threat that they may go to prison.