The Privacy and Electronic Communications (Amendment) Regulations 2018

  • United Kingdom
  • Privacy, data protection and cybersecurity


We consider the impact of the recently passed Privacy and Electronic Communications (Amendment) Regulations 2018, which empowered the ICO to issue fines of up to £500,000 to directors and other company officers for breaches of the rules governing electronic direct marketing communications.

The Privacy and Electronic Communications (Amendment) Regulations 2018 (the “Regulations”) came into force on 17 December 2018. The Regulations give the Information Commissioner’s Office (“ICO”) powers to fine directors and other officers of companies up to £500,000 for breaches of rules on the carrying out of unsolicited direct marketing by telephone, fax and email/other electronic means, which are set out in Regulations 19 to 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

The ICO has various powers to enforce compliance with the Regulations, including the imposition of fines on companies (up to £500,000), non-criminal enforcement and audit. By providing for potential personal liability of company officers, the Regulations aim to ensure that there is another recourse against companies that make nuisance direct marketing communications (particularly telephone calls) in breach of PECR rules. Whilst directors found to have breached their duties can be disqualified and failure to adhere to disqualification orders can lead to a prison sentence, it was considered that the law did not provide enough (personal) deterrent against unlawful direct marketing practices.

This change to the law means that if a company has been served with a monetary penalty notice for a breach of PECR, the ICO may also serve a monetary penalty notice on an “officer” of the company personally, if the PECR contravention in question “took place with the consent or connivance of the officer” or “was attributable to any neglect on the part of the officer”.

Note that “officer” has a wide meaning and includes directors, managers, secretaries or similar officers of a body corporate or, where a body is managed by its members, a member. In relation to Scottish partnerships, it includes a partner or any person purporting to act as a partner.

In relation to fines, note that the ICO cannot opt to fine an officer of the company instead of the company itself; a fine on an officer must follow on from a finding that the company itself is in serious breach and be in addition to serving a monetary penalty notice on the company.

As a breach of Regulations 19 to 24 of PECR will invariably involve personal data, compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is also an issue. GDPR provides for much higher fines than PECR for organisations that breach its provisions (up to 4% of annual group worldwide turnover or €20m, whichever is higher). It is possible, therefore, that a company could be fined under both PECR and GDPR (and a director under the Regulations) in relation to the same activity, although the ICO is likely to take a fair and proportionate view on the level of fines if the breach in question involves liability under both PECR and GDPR.

Companies had been evading the consequences of PECR breaches, and avoiding paying fines, by dissolving themselves once issued with a monetary penalty notice and then creating a new company (a practice known as “phoenixing”). The ICO has reported that only 46 out of 93 fines issued to companies in breach of PECR from April 2015 were paid in full (leaving a shortfall of £2.5 million of unpaid fines).

It will be interesting to see how often these new powers will be used by the ICO to pursue officers for breaches of PECR and how effective they will be in practice in deterring such behaviour. In addition, the prospect of the new ePrivacy Regulation and potentially increased fines under the new law may act as an extra incentive for such companies to fall into line.