Data protection enforcement according to British law

Penal provisions, penalties

To ensure that the provisions of the Data Protection Act (DPA) 1998 (ENG) and The Privacy and Electronic Communications (EC Directives) Regulations 2003) PECR) (ENG) are adhered to, a variety of criminal and civil penalties are at the ICO’s disposal’. Part V of the DPA contains provisions on enforcement. According to Article 31 of the PECR, the provisions of the DPA in terms of enforcement also apply to the PECR.

The measures are not mutually exclusive. They can be applied jointly, providing the circumstances justify so.

The penalties available to the ICO include:

  • Information notice with the ICO’s demand to make certain information available within a set deadline (cf. Article 43 of the DPA);
  • Undertaking, which oblige an organisation to certain procedures to improve compliance with legal requirements;
  • Enforcement notice, which oblige an organisation to take the measure mentioned in the notice so as to ensure the legal requirements are complied with (cf. Article 40 of the DPA). For instance, it can be demanded of a service provider to provide a declaration of consent for cookies. Non-observance of an enforcement notice is punishable as a criminal offence.
  • Monetary penalty notice with the demand to pay a fine which value is set by the ICO up to max £ 500,000. These penalties are used in particularly difficult cases (cf. Articles 55A – 55E of the DPA).

In accordance with Article 5A of the PECR, a service provider must inform the ICO as soon as a data breach occurs. The ICO deems a data breach to be a security violation, which may result in accidental or unlawful destruction, accidental loss, unauthorized modification, unauthorised disclosure or unauthorised access, or any other form of improper processing of personal data. In the event of the information requirement not being met for a data breach, the ICO can impose of set fine of £ 1,000.

More information can be found on the ICO website concerning what is to be observed in the event of a data breach (link).

Even if a violation of the data protection provisions is not punished as a crime, the data subjects can enforce claims for compensation, provided they are attributable to damages or inconveniences. In these cases, the ICO can also impose fines.

The DPA lists a variety of infringements that can be punished as crimes. The ICO has the authority to instigate criminal proceedings in these situations. Generally speaking, strict liability rules apply. Examples include:

  • the illegal procurement, processing and passing on of personal data;
  • the sale, or offer to sell, illegally acquired personal data;
  • processing personal data without having previously registered with the ICO;
  • non-observance of enforcement notices or other information notices issued by the ICO or knowingly or recklessly submitting false declarations to the ICO;
  • obstructing or refusing the execution of a search warrant;