As noted in DPAS’s January Update, PECR (the Privacy and Electronic Communications (EC Directive) Regulations 2003) is likely to be replaced in the new year. The new law, the E-Privacy Regulation (ePR), is still in draft, so for now PECR still applies.
PECR was amended recently, and on 17th December 2018 a small but significant insertion in Schedule 1 came into force, creating personal liability for senior members of an organisation that breach PECR’s rules.
Where an organisation has been served a monetary notice under PECR for breach of marketing requirements, the ICO may now also serve a monetary notice on an officer of the body corporate, where the contravention (a) took place with the consent or connivance of the officer, or (b) was attributable to any neglect on the part of the officer.
Here, an officer should be taken to mean a director, manager, secretary or other similar officer of the body, or a person purporting to act in such a capacity. In essence, then: the decision makers, the partners, the controlling members.
This is significant because directors can no longer use the corporate veil to protect themselves against liability or simply wind up a company and set up a similar one a short time later, to avoid payment of the fine.
Whilst “connivance” might be an old-fashioned word, negligence is not so narrow, and directors are therefore likely to want to pay close attention to their marketing practices, so as to ensure they stay on the right side of the law.