Data Protection Enforcement in the United Kingdom

Administrative Remedies

The UK authority (the Information Commissioner’s Office or ICO) has the power to investigate complaints and cases, to order the suspension of processing, and to take other actions including information and enforcement notices. Since April 2010, the ICO has had the power to impose fines up to £500,000 for serious breaches of the Data Protection Act 1998 (“DPA 1998”), where the contravention is likely to cause substantial damage or distress and either the contravention was deliberate or the data controller knew or ought to have known that there was a risk that this serious contravention would occur and failed to take reasonable steps to prevent it. In May 2011, the power to fine was extended to serious breaches of the Privacy and Electronic Communications Regulations. The notice imposing the fine is published on ICO’s website.

Civil Remedies

Individuals can file complaints with ICO. The DPA 1998 also gives the individual a limited right to compensation for damage caused by a breach. Individuals are also able to obtain a court order for rectification, blocking, erasure or destruction of inaccurate data.

Criminal Remedies

In a few cases, breach of the DPA 1998 can constitute a criminal offence, for example, breach of the obligation to notify or failure to comply with information and enforcement notices. The knowing or reckless obtaining or disclosure of personal data without consent of the data controller is, subject to certain defenses, an offence, as is offering to sell data so obtained or disclosed. Officers of companies which have committed an offence may also be liable to prosecution. Offenders are potentially liable to an unlimited fine.

Other Remedies

Frequently, ICO will resolve cases by accepting undertakings not to commit further breaches.

Selected Enforcement Actions / General Comments

ICO publishes its enforcement activity on its website at https://ico.org.uk/action-weve-taken/enforcement/. Here are some recent examples: 6 January 2015 A green deal energy company, was prosecuted for failing to respond to an information notice. The company was fined was fined £5000. 5 November 2014 A hotel booking website was fined £7,500 following a serious data breach where a vulnerability on the company’s site allowed attackers to access the full payment card details of 3,814 customers. 23 July 2014 An online travel services company, was fined £150,000 after a serious breach of the Data Protection Act revealed thousands of people’s details to a malicious hacker. 16 December 2013 A fine of £175,000 was imposed on a pay day loans company for sending millions of spam text messages. 5 August 2013 A fine of £75,000 was imposed on the Bank of Scotland after customers’ account details were repeatedly faxed to the wrong recipients. The information included pay slips, bank statements, account details and mortgage applications, along with customers’ names, addresses, and contact details 24 January 2013 A fine of £250,000 was imposed on a global consumer products company after its online service was hacked in April 2011, compromising the personal information of millions of customers, including their names, addresses, email addresses, dates of birth, account passwords, and potentially payment card details.