On 17 December 2018, new Regulations came into force meaning that company directors and other corporate officers may be personally fined up to £500,000 for their company’s nuisance calls and similar serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (commonly known as “PECR”).
PECR regulates direct marketing by electronic means, such as e-mail, telephone, text message or automated calls. Generally, a company must not engage in unsolicited direct marketing by email or text unless it has the prior consent of the individual recipient of the communication or has obtained the individual’s contact details in the course of a commercial relationship with that person. Specific rules apply in the context of live and automated marketing calls by telephone. PECR is enforced by the UK’s Information Commissioner’s Office (the “ICO”), with fines of up to £500,000 possible, as well as the issuance of “enforcement orders”. Since coming into force in 2003, PECR has been amended on numerous occasions, in large part driven by the desire to increase its effectiveness in deterring and sanctioning unlawful marketing practices. Such practices are the cause of increasing levels of complaints received by the ICO year on year; they can also cause great distress to individuals, such as from calls in the middle of the night or early morning, sometimes claiming to be about accidents which have not occurred.
The evolution of PECR
PECR – which was intended to combat “spam” – has been criticised for its limited effectiveness, although an EU regulation was never going to be capable of solving a global phenomenon. Attempts have been made to modernise it multiple times since its inception. In 2015, amendments were made to PECR to lower the legal threshold at which the Information Commissioner could issue a civil monetary penalty for a serious breach of certain regulations of PECR. Amendments introduced in 2016 brought in a requirement for direct marketing callers to provide Calling Line Identification. Amendments introduced in September 2018 then prohibited live unsolicited calls for the purposes of direct marketing in relation to claims management services, except where the person has given prior consent to receiving such calls. On January 9, 2019, further amendments gave effect to a ban on unsolicited calls, emails and text messages relating to pensions.
However, one shortcoming in all these measures was that companies were able to evade fines by dissolving and then re-emerging under a new name and corporate entity, though with the same individuals at the helm (a process known as “phoenixing”). The ICO has reported that from 2015 through to 2018, only 46 of the 93 fines issued to companies for breaches of PECR were ever paid in full, and the practice of phoenixing by small and medium-sized enterprises has been blamed for this shortfall.
A new approach to personal liability
The amendments which came into force in December are explicitly intended to combat phoenixing and ensure that the penalty regime for breaches is “effective, proportionate and dissuasive”.
The Privacy and Electronic Communications (Amendment) Regulations 2018 (SI 2018/1189) (the “Anti-phoenixing Regulations”) amended PECR by widening the scope of the penalties for breaches of PECR regulations 19 to 24, i.e. those regulations which limit the circumstances in which marketing via automated calls, fax, unsolicited calls and e-mail can be used. Whilst a company itself is still liable under PECR for breaches, the Anti-phoenixing Regulations introduce the concept of personal liability. In short, the ICO may impose financial penalties on an officer of a corporate body, in addition to the company itself, where such breach occurs as a result of action, or inaction, by the officer in question. “Officer” includes a director, secretary, member, manager or other similar officer of the corporate body in question. Accordingly, officers are now at risk of facing personal fines of up to £500,000. However, this will only apply where:
- a monetary penalty notice under PECR has been served on a body, and
- the Commissioner is satisfied that the contravention in respect of which the monetary penalty notice was served on the body — (a) took place with the consent or connivance of the officer, or (b) was attributable to neglect on the part of the officer.
The ICO is also required to state the reason why it considers that the individual holds responsibility for the contravention of PECR.
The notion of personal liability for company officers is not new. The Data Protection Act 2018 (“DPA 2018”), like its predecessor, includes provisions imposing personal criminal liability against a director, manager, secretary, officer or person, as well as the body corporate, in circumstances where: (a) an offence under the DPA is committed by the body corporate; and (b) the offence is proved to have been committed with the consent or connivance of, or is attributable to neglect on the part of that director, manager, secretary or similar officer, or a person who purported to act in such a capacity. However, this is only applicable to criminal offences under the DPA and unlawful marketing – however distressing or aggravating – is unlikely to involve the commission of a criminal offence. This makes the addition of the Anti-phoenixing Amendments to PECR all the more useful as a deterrent.
In February 2019, the ICO reported that its enforcement activities related to nuisance marketing have resulted in 16 company directors being banned from running companies for a total of more than 100 years. The most recent ban, effective from 1 March 2019, was issued against a company director responsible for 220 million automated nuisance calls through his companies, which are facing £700,000 in fines levied by the ICO in connection with historic breaches.
The ICO now coordinates its actions with the Insolvency Service, blocking attempts by the director to have sanctioned companies wound up (and thereby avoid the fines). This two-pronged strategy sends a strong message to individuals considering engaging in unlawful marketing activities that they are less likely to escape personal liability by working through a corporate entity.
Challenges remain over activities originating outside of the UK and even the EU; however, close to home, the Anti-phoenixing Amendments will be welcome additions to the ICO’s armoury against companies which deliberately or carelessly set out to make money by flouting the marketing rules and then try to wind themselves up when faced with enforcement action.