Keur-boom! ICO shoots down serial spammer for making 99.5 million unlawful calls

A record £400,000 fine issued against a prolific nuisance caller shows that the UK's data protection enforcer is taking a tougher stance than ever against those who flout electronic marketing laws.

The fact that Keurboom Communications Ltd managed to rack up around 99.5 million automated calls over an 18-month period – that's more than a staggering 181,000 per day – must be some sort of record in itself, but what really catches the attention is the relatively eye-watering fine. It's the highest fine ever levied on a nuisance caller.

The UK Information Commissioner's Office (ICO) has the power to slap the worst culprits with fines of up to £500,000, so it clearly considered Keurboom to be well worth a place in the hall of shame, alongside a roll-call of offenders consisting mostly of other serial spammers who contact people without consent and businesses which suffer hacks or data loss as a result of lax data protection practices.

Unfortunately, as is too often the case, recovering the money is going to be another matter. These offenders are commonly set up as limited companies, and once they find themselves under investigation, the directors often shut them down, putting the company into liquidation and making it extremely difficult for the ICO to get at any meaningful assets. Recovering anything at all in these circumstances can be a costly and time-consuming process.

But that's all set to change. The regulations which govern electronic marketing – the Privacy and Electronic Communications (EC Directive) Regulations (PECR), or "pecker", as they are often known – are due to be tweaked to impose personal liability on directors of companies such as Keurboom. That's likely to make some potential offenders think twice before embarking on the sort of activity Keurboom was engaged in, but it's also a wake-up call for others.

Any business which conducts electronic marketing (whether by telephone, fax, email, SMS, voice or picture message or using an automated calling system) needs to familiarise itself with its obligations under PECR and the Data Protection Act to ensure it does not inadvertently find itself on the wrong side of an ICO enforcement notice. The fines are the headline grabber, of course, but there's also the reputation risk to consider. Businesses which depend heavily on the processing of customer data are likely to suffer badly if customers lose confidence in their ability to protect that data.

It is important to remember that all of this is set in the context of a major overhaul of European and UK data protection law that has been developing over the last few years. A new General Data Protection Regulation comes into force next May, ushering in a raft of new and more onerous obligations on both data controllers and data processors alike (not to mention a significant increase in the financial cap on fines). It is therefore more likely than not that we will see more record-breaking enforcement action in the months to come.