An amendment to the e-Privacy Regulations (often known as PECR), laid before Parliament last Friday, grants the ICO the power to fine directors of a company which unlawfully sends spam emails or makes nuisance calls.
The Privacy and Electronic Communications (Amendment) Regulations 2018 come into force on 17 December 2018 (although they could still be annulled by Parliament before 11 January).
The ICO has, for many years, had the power to impose fines of up to £500,000 on data controllers for breaches the PECR rules around electronic communications and direct marketing. However, the absence of individual liability and the nature of the organisations that tend to disregard these rules has created a trend of 'phoenixing', whereby the offending company is placed into liquidation and the directors simply carry on their business under a different entity.
After years of lobbying by the ICO, the amended rules allow monetary penalties to be imposed on individual officers where the contravention took place with the "consent or connivance" of the officer, or where it was attributable to any neglect on the part of the officer.
These new powers only apply to breaches of certain rules around automated calling systems and direct marketing by phone, email and SMS (and other electronic means). Whilst individual directors can be prosecuted for the criminal offences introduced in the Data Protection Act (DPA) 2018, the ICO's powers to impose fines for breaches of the GDPR and DPA 2018 are, currently, still limited to the data controllers and processors themselves.