GDPR Enforcement in United Kingdom
Deep dive into relevant data protection enforcement cases and insights from United Kingdom

Fining practice
Trend: Have the national data protection authorities in the UK focused on certain types of non-compliance with data protection law so far or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees - possibly also due to - Covid related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
The UK’s data protection regulator is the Information Commissioner and is supported by the Information Commissioner’s Office (“ICO”). Historically, the Information Commissioner has led the way in levying fines for breaches of the security provisions of the UK GDPR – namely, failure to implement appropriate technical and organisational measures to keep personal data secure (Article 32), failure to ensure and be able to demonstrate compliance with the UK GDPR (Article 24(1)) and non-compliance with the integrity and confidentiality principle (Article 5(1)(f)).
Two of the largest fines were imposed on companies in the travel and leisure sector. In those cases, however, enforcement action was brought in response to personal data breaches experienced by each of those companies, rather than the ICO specifically setting its sights on the industry. Other companies that received notable fines from the Information Commissioner include: (i) a facial recognition database company for using images of individuals that were obtained from the internet and social media to create a global online database (this matter is still, however, ongoing); and (ii) a social media platform for non-compliance with general data processing principles.
The ICO also takes a hard line on enforcing breaches of e-Privacy legislation against spammers and nuisance callers. For example, in April 2024, the ICO announced that the Information Commissioner had fined two telemarketing companies an overall £340,000 (approx. EUR 392,000) after the companies made a total of almost 1.43 million calls to people on the UK’s “do not call” register (the Telephone Preference Service). Generally, it is not uncommon for the Information Commissioner to take several instances of enforcement action in respect of illegal direct marketing activities per month, and in many cases it takes only a very small number of complaints (and sometimes just a single complaint) to trigger an ICO investigation in respect of this type of breach.
The ICO has stated that it will have special focus on areas such as children’s privacy (e.g. in the context of social media, video and music streaming and gaming), online advertising and the non-compliant use of cookies. In conjunction with this, in January 2025, the ICO issued guidance on organisations’ use of “consent or pay” models, which enable users either to provide consent for use of their personal data for personalised advertising, to pay a fee to access the service without their data being used, or to opt not to use the service.
It should also be noted that the UK Parliament is in the process of introducing a new Data (Use and Access) Bill, aimed at improving the effectiveness of the data protection regime in the UK and the way the ICO regulates this. As currently drafted, this will clarify the ICO’s powers to request information and documentation (which it typically has not done until now) and increase penalties for e-privacy breaches to up to 4% of worldwide turnover, in line with the UK GDPR. It is expected that the Bill will receive Royal Assent by the end of May 2025 and that its provisions will come into force by the end of the year.
Overall, what was the most significant fine in the UK to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
Two of the heftiest GDPR fines on companies were those imposed on British Airways (“BA”) (EUR 22,046,000) and Marriott (EUR 20,450,000) in relation to personal data breaches experienced by each of those companies, whose data had been left vulnerable to attack by hackers due to inadequate security measures. In BA’s case the ICO considered that basic data security measures were not in place and the failures were deemed to be a “serious concern”. The Information Commissioner ultimately reduced the fines issued to BA and Marriott significantly relative to the ‘notice of intent to fine’ previously issued (down from EUR 204 million in the original proposal for the fine for BA, and down from EUR 124 million for Marriott), in part in consideration of the fact that they had both been particularly hard hit financially by the impact of the COVID-19 pandemic on the travel and hospitality industries. In the case of BA, in addition to the COVID-19 impact mentioned above, the reduction in the fine was also on account of the prompt action taken by BA to mitigate the risk of harm to individuals.
There were also class actions brought against these companies on behalf of affected data subjects claiming compensation for losses suffered as a result of their information being compromised. The BA class action, with 16,000 claimants, had been described as "the largest group-action personal-data claim in UK history" and was settled for an undisclosed sum in July 2021.
Organisation of authorities and course of fine proceedings in the UK
How is the data protection authority organised in the UK? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
The ICO has budgeted income of £76.7 million (approx. EUR 88.3 million) for the year 2024/25.
As of 31 March 2024, the ICO had 1,091 permanent staff (1,036.1 full time equivalents).
The ICO is an independent public body but the Department for Science, Innovation and Technology is currently the ICO’s sponsoring department within Government. The sponsoring department changed from the Department for Digital, Culture, Media and Sport to DSIT in February 2023.
How does a fine procedure work in the UK? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
The Information Commissioner has the power to issue fines. The Information Commissioner will issue a notice of intention to impose a fine and will give the respondent an opportunity to make representations before any final penalty notice is issued. The Information Commissioner may, but does not have to, make the fact that it intends to fine a person public. The Information Commissioner also has the power to issue a penalty notice for failure to fully comply with an information notice or an assessment notice.
There is a right of appeal against a penalty notice to the First Tier Tribunal (General Regulatory Chamber). From there, a decision can be appealed on a point of law to the Upper Tribunal and then further on to the Court of Appeal and ultimately to the Supreme Court.
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
The ICO does not receive any money from any monetary penalties that it issues. When paid, the ICO sends this money on to His Majesty’s Treasury.
To raise money to fund its activities, the ICO levies a data protection fee on controllers – this makes up around 85% to 90% of the ICO’s annual budget. The government also contributes grant-in-aid to fund the ICO’s regulation of various other laws.
Is there a common, official calculation methodology for fines in the UK (such as the fining models in the Netherlands or Germany)?
In March 2024, the ICO published fining guidance to provide “clarity and certainty” for organisations. The methodology is fairly complex and includes a five-step approach to calculating the penalty, with a penalty starting point based on an assessment of the seriousness of the infringement. Adjustments are then made to take into account aggravating and mitigating factors and to ensure the fine is effective, proportionate and dissuasive.
Can public authorities be fined in the UK? If they can: Where does this money go?
Yes, public authorities can be fined in the UK. The money from these fines goes into the Treasury's consolidated fund, which is then distributed as part of wider government spending.
The most recent public authority fine (made in October 2024) was issued to the Police Service of Northern Ireland in the sum of £750,000 (approx. EUR 863,000) as a result of the authority disclosing personal information about its entire workforce in a spreadsheet published online in response to a Freedom of Information request. The fine was imposed as the Information Commissioner considered the case as particularly serious. For non-serious cases, the Information Commissioner has stated that it is more likely to issue a public reprimand than to issue a fine. It should however be noted that the fine originally considered by the ICO was £5.6 million (approx. EUR 6.5 million), but this was reduced due to the infringer being a public body, in line with the ICO’s revised approach to public sector enforcement which has been in place since 2022.
In the UK, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
Most fines and other enforcement action by the Information Commissioner are published on the ICO website, with the name of the organisation, the facts of the breach, details of the ICO’s investigations, and the level of the fine, all typically being publicly available. However, the ICO has discretion not to publish such information, for example, where doing so would be likely to prejudice ongoing investigations. It will also redact certain information in some cases, for example where this is commercially sensitive.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?
Information on individual fine cases is published by the ICO on its website and is freely accessible.
Other legal consequences of non-compliance in the UK
Does the UK have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
Yes, class actions by groups of data subjects can be brought in the UK. The UK Data Protection Act 2018 (“DPA”) currently allows for the representation of data subjects only with their authority.
What is more relevant in the UK: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
Both fines and other types of enforcement action from the Information Commissioner can be significant – for example, if a company is ordered to stop processing data that is key to its business, this can be just as, if not more, disruptive than a large fine.
Claimants are also free to seek injunctive relief for protection of their rights, such as interim injunctions, although this has not been common to date.
Court proceedings from data subjects for damages are a fairly recent trend but are likely to become more popular for high-profile data breaches in particular, as litigation funders and others look to leverage this opportunity where there is a vested interest.