Individuals responsible for PECR breaches could face fines

January 08, 2019

0 comments

by Simon Davis Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7706 285054

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) complement the data protection regime set out by the General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 by providing privacy rights in relation to electronic communications.

The PECR (Amendment) Regulations 2018 which came into effect in the UK on 17 December 2018 introduced director liability for breaches of the PECR direct marketing rules. As a result of these changes, in addition to issuing a Monetary Penalty Notice (MPN) on a body for breaches of PECR, the Information Commissioner’s Office (ICO) may now issue an MPN to an ‘officer of the body’ where that officer’s consent, connivance, or neglect led to the contravention.

This change means that individuals of influence1 within organisations who do not take their data protection obligations seriously and fall foul of PECR, will no longer be able to hide behind the corporate veil or take steps to avoid paying the fine. It is anticipated that the change should help reduce the occurrence of “phoenixing”, the term used to describe companies which fold to avoid fines, only for their directors to establish new, similar companies a short while later. Now the ICO will be able to hold individual officers to account if the company fails to pay the fine, even where the organisation no longer exists or the individual no longer holds their position.

It is more important than ever for those involved in e-marketing to be aware of their legal obligations in this area. Following the extensive coverage of GDPR this year, this change also serves as a timely reminder that there is a wider framework of data privacy obligations which must be adhered to. When developing internal compliance and training programmes, organisations must make efforts to ensure that these requirements are all addressed.

If you require any advice or assistance in relation to data protection law, including your obligations under PECR, please do not hesitate to get in contact with Fedelma Good, James Drury-Smith or Sue Gold.


1 Individuals of influence include but are not limited to Directors, Partners and those positions within corporate bodies / unincorporated entities that have similar decision making powers.

by Simon Davis Senior Associate, Data Protection Strategy, Legal and Compliance Services, PwC United Kingdom

Email +44 (0)7706 285054