United Kingdom

Main takeaways:
  • Some of the highest fines in the UK are in relation to large-scale personal data breaches, highlighting the importance of appropriate technical and organisational measures.
  • Fines are also frequently issued in relation to non-compliant direct marketing activities. These are often applied following ICO investigations that are triggered by a very small number of complaints.
  • The sectors most frequently subjected to enforcement action are: (i) marketing; (ii) finance, insurance and credit; and (iii) retail and manufacture.
  • Fines are typically made public on the ICO website. The information provided can include details such as the name of the organisation, information about the breach, details of the ICO’s investigations and the level of the fine.
  • Class actions represent a significant risk. There are currently several class actions ongoing in relation to personal data breaches and the number of these is expected to increase.

Fining practice

Trend: Have the national data protection authorities in the United Kingdom focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future? Do you see a focus on certain industries/sectors? If so, which ones?

The UK’s data protection regulator is the Information Commissioner and is supported by the Information Commissioner’s Office (“ICO”). The Information Commissioner has led the way in levying fines for breaches of the security provisions of the UK GDPR – namely, failure to implement appropriate technical and organisational measures to keep personal data secure (Article 32), failure to ensure and be able to demonstrate compliance with the UK GDPR (Article 24(1)), and non-compliance with the integrity and confidentiality principle (Article 5(1)(f)). There have been nine such fines to date. These ranged from EUR 11,800 to EUR 22,046,000, with the most recent of these, issued in October 2022, being for EUR 5,033,000.

Two of the largest fines were imposed on companies in the travel and leisure sector. In those cases, however, enforcement action was brought in response to personal data breaches experienced by each of those companies, rather than the ICO specifically setting their sights on the industry. Travel companies process high volumes of personal data, including payment details and travel documents, making them an attractive target for malicious actors. Other companies that received notable fines from the Information Commissioner include: (i) a facial recognition database company for using images of individuals that were obtained from the internet and social media to create a global online database; and (ii) a company in the retail and manufacturing sector, for failing to put in place appropriate technical and organisational measures, which resulted in it being vulnerable to (and becoming subjected to) a cyber-attack.

The ICO also takes a hard line on enforcing breaches of e-Privacy legislation against spammers and nuisance callers. For example, in December 2022, the ICO announced that the Information Commissioner had fined five companies a total of EUR 492,517 for making nearly half a million unlawful marketing calls. The calls were made by home appliance repair and insurance companies, and some of them appeared to deliberately target the elderly and vulnerable. Generally, it is not uncommon for the Information Commissioner to take several instances of enforcement action in respect of illegal direct marketing activities per month, and in many cases it takes only a very small number of complaints (and sometimes just a single complaint) to trigger an ICO investigation in respect of this type of breach.

Out of 108 (in total) instances of enforcement action by the ICO, 31 of these were in the marketing sector, 23 in finance, insurance and credit and 23 in retail and manufacturing. As such, these sectors have been the most affected in terms of the volume of enforcement action.

The ICO has stated that until October 2023 it will focus its investigations and project work on areas such as: (i) children’s privacy (e.g. in the context of social media, video and music streaming and gaming); (ii) the impact of technology on the vulnerable (e.g. in connection with AI-driven discrimination, biometric technologies, online tracking, and CCTV); (iii) deprivation (e.g. issues that aggravate or are aggravated by the cost of living crisis, including AdTech in relation to gambling, and predatory direct marketing calls), and (iv) personal safety (particularly the approach of police forces to collecting personal information from victims of rape and serious sexual assault cases and data sharing to prevent domestic homicide and to support safeguarding).

Overall, what was the most significant fine in the United Kingdom to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

Two of the heftiest GDPR fines on companies were those imposed on British Airways (“BA”) (EUR 22,046,000) and Marriott (EUR 20,450,000) in relation to personal data breaches experienced by each of those companies, whose data had been left vulnerable to attack by hackers due to inadequate security measures. In BA’s case the ICO considered that basic data security measures were not in place and the failures were deemed to be a “serious concern”. The Information Commissioner ultimately reduced the amount of the fines issued to BA and Marriott significantly relative to the previously issued ‘notice of intent to fine’ (down from EUR 204 million in the original proposal for BA, and down from EUR 124 million for Marriott), in part in consideration of the fact that they had both been particularly hard hit financially by the impact of the COVID pandemic on the travel and hospitality industries. In the case of BA, in addition to the COVID impact mentioned above, the reduction in the fine was also on account of the prompt action taken by BA to mitigate the risk of harm to individuals.

There were also class actions brought against these companies, on behalf of affected data subjects claiming compensation for losses suffered as a result of their information being compromised. The BA class action, with 16,000 claimants, had been described as "the largest group-action personal-data claim in UK history", and was settled for an undisclosed sum in July 2021.

Organization of authorities, course and publicity of fine proceedings

How is the data protection authority organized in the United Kingdom? In particular: What is the annual budget? What is the number of staff? Is the authority assigned to a specific ministry? If so, which one?

The ICO has budgeted income of EUR 92 million for the year 2022/23.

As of 31 March 2022, the ICO had 944 permanent staff (891.4 full time equivalents).

The ICO is an independent public body, but the Department for Digital, Culture, Media and Sport is currently the ICO’s sponsoring department within Government. Following a Government reorganisation, the ICO’s sponsoring department within Government may change.

How does a fine procedure work in the United Kingdom? In particular: Can the authority itself impose fines? How does the procedure work (e.g., notification of the opening of proceedings (public/only towards company?), notification of the intention to impose a fine (public/only towards companies?), formal penalty notice)? What legal remedies are possible against an imposed fine?

The Information Commissioner has the power to issue fines. The ICO will issue a notice of intention to impose a fine and will give the respondent an opportunity to make representations before any final penalty notice is issued. The ICO may, but does not have to, make the fact that it intends to fine a person public. The Information Commissioner also has the power to issue a penalty notice for failure to fully comply with an information notice or an assessment notice.

There is a right of appeal against a penalty notice to the First Tier Tribunal (General Regulatory Chamber). From there, a decision can be appealed on a point of law to the Upper Tribunal, and then further on to the Court of Appeal and ultimately to the Supreme Court.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

The ICO does not receive any money from any monetary penalties that it issues. When paid, the ICO sends this money on to Her Majesty’s Treasury.

To raise money to fund its activities, the ICO levies a data protection fee on controllers – this makes up around 85% to 90% of the ICO’s annual budget. The government also contributes grant-in-aid to fund the ICO’s regulation of various other laws.

Is there a common, official calculation methodology of fines in the United Kingdom (such as the fining models in the Netherlands or Germany)?

The ICO has a fairly complex draft methodology for calculating fines in the UK. This is still being finalised, but draft guidance has been published by the ICO on its website. The methodology includes a ‘nine-step approach’ to calculating the penalty with a penalty starting point based on an assessment of factors such as mitigation actions by the data controller and categories of personal data affected. Adjustments are then made to take into consideration factors such as financial means, economic impact and whether the amount of the fine is effective, proportionate and dissuasive. An early payment reduction of 20% will be applied if payment is made within 28 days.

Can public authorities be fined in the United Kingdom? If yes: Where does this money go?

Yes, public authorities can be fined in the UK. The money from these fines goes into the Treasury's consolidated fund, which is then distributed as part of wider government spending. The most recent fine (made in June 2022) was issued to the Tavistock & Portman NHS Foundation Trust, in the sum of EUR 91,000 for disclosing 1,781 email addresses belonging to adult gender identity patients. However, in June 2022 the ICO announced a two-year trial of a new initiative as part of its ICO25 strategic vision, under which it will make greater use of its wider powers in relation to the public sector (including warnings, reprimands and enforcement notices), and reserve fines only for the most serious cases. In connection with this initiative, the ICO intends to work more closely with the public sector with the aim of encouraging compliance with data protection laws and preventing harms from arising in the first place.

In the United Kingdom, does the data protection authority publish information on individual fine cases, including imposed fines or other procedural steps (e.g., on its website or in its annual report)? Are the affected companies identifiable in such publication?

Most fines and other enforcement action by the Information Commissioner are published on the ICO website, with the name of the organisation, the facts of the breach, details of the ICO’s investigations, and the level of the fine, all typically being publicly available. However, the ICO has discretion not to publish such information, for example, where doing so would be likely to prejudice ongoing investigations. It will also redact certain information in some cases, for example where this is commercially sensitive.

If no information on individual fine cases is published: Does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures since 2019?

Information on individual fine cases is published by the ICO on its website and is freely accessible.

Other legal consequences of non-compliance

Does the United Kingdom have model declaratory proceedings / class actions in data protection law, i.e., the possibility for several data subjects to join forces and take legal action together against the data controller?

Yes, class actions by groups of data subjects can be brought in the UK. The DPA 2018 (“DPA”) currently allows for the representation of data subjects only with their authority. There are a few of these actions pending at the moment, including against EasyJet and Marriott as a result of data breaches that these companies experienced.

The most prominent class action in the UK to date is often considered to be the case of Lloyd v Google LLC, where the Supreme Court (in November 2021) comprehensively dismissed Mr Lloyd’s representative (opt-out) action brought against Google in connection with the Safari Workaround, i.e., Google’s use of a technical workaround to bypass the cookie settings on the Safari browser and place tracking cookies without an individual’s knowledge or consent. A key finding was that section 13(1) of the DPA cannot reasonably be interpreted as conferring a right to compensation for a breach for “loss of control” of personal data without evidence of financial loss or mental distress, whenever a data controller commits a non-trivial breach of the DPA. The decision in this case has been considered a successful and welcome one for businesses operating in the UK that are worried about the emergence of a ‘compensation culture’ resulting from what they might deem to be minor breaches of data protection law. Despite this, there remains cause for caution. This is because, in this case, the Supreme Court also re-evaluated, and broadened, the “same interest” test in the Representative Action class action device. Historically, the English courts had interpreted the “same interest” test very strictly, and as such, the Representative Action device had been used rarely. However, the court’s rulings on the procedural aspects of Representative Actions may now encourage claimant law firms to file further class actions. The main challenge for claimants in this regard is that damages must be calculated on a compensatory basis, but this could possibly be achieved across a range of types of claim, i.e., one extending beyond only data protection.

What is more relevant in the United Kingdom: Fines from authorities or court proceedings such as claims for damages or injunctions? Is there a trend here for the coming years?

Both fines and other types of enforcement action from the Information Commissioner can be significant – for example, if a company is ordered to stop processing data that is key to its business, this can be just as, if not more, disruptive than a large fine.

It is also open to claimants to seek injunctive relief for protection of their rights, such as interim injunctions, although this has not been common to date.

Court proceedings from data subjects for damages are a fairly recent trend but are likely to become more popular for high profile data breaches in particular, as litigation funders and others look to leverage this opportunity where there is a vested interest.