UK: Are monetary penalties really a deterrent to data protection violations if few companies actually pay up?
I received an email today that made me think. It promised not to bother me about cottage cheese (see the Footer for context), and indeed, it offered me something of substance with no money exchanging hands at all.
It seems TheSMSWorks had followed up on monetary penalties levied by the U.K.’s Information Commissioner’s Office and found that a troubling 74% of the fines remain unpaid.
So what is going on? The ICO issues monetary penalties with headline-making press releases but doesn’t actually make sure the fines are paid?
The situation seems to be getting worse, too. Last year, they had found that just 32% of the monetary value of ICO fines issued had been paid.
From TheSMSWorks’ findings:
In the period from Jan 2020 to September 2021 the ICO has handed out 47 fines to companies that have broken the rules on spam or data protection.
Out of 47 fines in total, a modest 19 of them have been paid. Out of £7million fined, a mere £1.81 has been successfully collected.
Read more of their findings and analyses on their site.
The ICO provided a statement to The Register about the findings, noting that some entities go into liquidation when fined. In a statement to InfoSecurity, Henry Cazelet, Director of TheSMSWorks indicates that although he is somewhat sympathetic to the regulator, the fining system has been too aggressive. If you’re fining but not collecting the fines, he comments, it’s just posturing.
It is risky to try to generalize from the situation in the U.K. to the U.S. but I have not seen any reports here that show that entities do not pay monetary penalties imposed by regulators (although they may challenge or appeal them, certainly). If any of my readers know of such reports or instances, please use the Comments section below or drop me an email to let me know.