Directors’ personal liability: Privacy and Electronic Communications (EC Directive) Regulations 2003

One of the most frequent areas where the Information Commissioner undertakes enforcement action is in relation to breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). PECR, among other things, governs direct marketing which takes place by way of telephone, SMS and E-mail (but not post). Under the current regime, the Commissioner is able to issue Monetary Penalty Notices (up to a maximum of £500,000) to data controllers who fail to comply with the requirements of PECR; however, the Commissioner has for some time wanted greater powers. In particular, the Commissioner has been seeking the power to issue monetary penalties to directors of those companies.

When a company is served with a monetary penalty notice for breaching PECR, it is not uncommon for the company to close and for a new company to be created in its place with the same people at its helm, undertaking the same activities. The new company is often referred to as a phoenix company. This often means that (a) the penalty goes unpaid; and (b) the same individuals are continuing with their unlawful activity under a separate and distinct entity which is free from the debts and burdens of the old company.

On Thursday 15th November 2018, the Government made The Privacy and Electronic Communications (Amendment) Regulations 2018, which are due to enter into force on Monday 17th December 2018. These Regulations amend PECR to allow the Commissioner to also serve a monetary penalty notice on an “officer of the body” in certain circumstances. An officer of the body is defined as, in relation to a body corporate, “a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, or where the affairs of the body are managed by its members, a member”; and in relation to a Scottish partnership, “a partner or any person purporting to act as a partner.”

This opens up a wide variety of persons who serve in companies and partnerships to the possibility of being personally served with a monetary penalty notice as well as the company. However, the Regulations do not allow the Commissioner to serve a monetary penalty notice only on the officer; it is a pre-requisite of the amended regulations that the Commissioner must have served a monetary penalty notice on the controller.

Furthermore, the Commissioner can’t just automatically serve a monetary penalty notice on the officer(s) of the body on each occasion that she serves a monetary penalty notice on the body. The power only applies where the contravention of PECR “took place with the consent or connivance of the officer” or where the contravention is “attributable to any neglect on the part of the officer.”

In short, if a body ceases to exist after being served with a monetary penalty for contraventions of PECR, the Commissioner could start coming after the officers personally where they consented to, or connived in, the contravention of PECR or were simply negligent in respect of any contravention. It will be interesting to see just how the Commissioner goes about using this power (the possibility of a personal financial penalty of up to £500,000 will be significant for the vast majority of officers). It is more than probable that the Commissioner will utilise this new power where she can, as it is one that her office has been seeking for some time.

Alistair Sloan
