New Regulations have been published that confirm and widen the scope of the monetary penalties that the Information Commissioner can impose and are intended to ensure that the penalty regime for breaches is “effective, proportionate and dissuasive” as required by the EC Directives. They come into force on 17th December 2018.
The Regulations:
- amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“the 2003 Regulations”)
- and modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31) (“the 2010 Regulations”) and the Data Protection (Monetary Penalties) Order 2010 (SI 2010/910) (“the 2010 Order”).
The modification to the 2003 Regulations gives the Information Commissioner the power to impose a fine on an ‘officer’ of a body as well as on the body itself where there have been serious breaches of regulations 19-24 (dealing broadly with automated calling and unsolicited direct marketing) and where the breach “occurs as a result of action, or inaction, by that officer”.
The accompanying Explanatory Memorandum reads as follows:
These Regulations amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“the 2003 Regulations”). They also modify the application of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31) (“the 2010 Regulations”) and the Data Protection (Monetary Penalties) Order 2010 (SI 2010/910) (“the 2010 Order”).
The 2003 Regulations implemented the provisions of Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector. The 2003 Regulations were amended in 2004 (SI 2004/1039), 2010 (SI 2010/22), 2011 (SI 2011/1208) (which implemented the European legislative changes contained in provisions of Directive 2009/136/EC), in 2015 (SI 2015/355), in 2016 (SI 2016/524 and SI 2016/1177 and paragraph 14 of Schedule 10 to the Investigatory Powers Act 2016) and in 2018 by section 35 of the Financial Claims and Guidance Act 2018, and section 211 of the Data Protection Act 2018.
Under the 2003 Regulations, the Information Commissioner may impose a monetary penalty, under the Data Protection Act 1998 as applied to, and modified by, the 2003 Regulations, for a serious breach of regulations 19 to 24 of the 2003 Regulations. The effect of the amendments made by regulation 2 is to enable the Commissioner to impose such a penalty on an officer of a body corporate or Scottish partnership in addition to the body itself, where such a breach occurs as a result of action, or inaction, by that officer.
The 2010 Regulations are made in exercise of powers in sections 55A and 55B of the Data Protection Act 1998 which apply in respect of enforcement against data controllers for breach of section 4(4) of that Act. The 2010 Order is made in exercise of the power in section 55E of the 2003 Regulations. Those sections were repealed by the Data Protection Act 2018, but were saved in respect of their application to the 2003 Regulations. Those sections are extended with modifications set out in Schedule 1 to the 2003 Regulations, in respect of contraventions of the 2003 Regulations, by regulation 31 of the 2003 Regulations. The modifications to the instruments made under those sections made by regulations 3 and 4 are consequential to the changes effected by regulation 2.
These amendments are intended to ensure that the penalty regime for breaches is “effective, proportionate and dissuasive” as required by Article 15a of Directive 2002/58/EC, as amended by Directive 2009/136/EC.
The source regulations are available on legislation.gov.uk.