American Express Service Europe Limited (“Amex”) was fined a hefty £90,000 by the Information Commissioner’s Office (“ICO”) as a result of a “serious contravention” of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”).


PECR is a set of regulations in the United Kingdom (“UK”), which implements the EU directive, namely the Privacy and Electronic Communications Directive 2002. The PECR first came into force on 11 December 2003 and sits alongside the UK GDPR and Data Protection Act. Amongst other matters, PECR sets out specific rules on electronic marketing (such as calls, emails, texts and faxes) to protect the privacy rights of customers in relation to electronic communications. The rules under PECR apply to both companies and individuals who market by electronic means and/or use cookies on their websites.


The ICO is an independent authority in the UK that upholds information rights in the public interest. The ICO offers advice and guidance to service providers to ensure compliance with PECR. It also has the power to take enforcement action over any breaches by imposing fines on the contravening company or individual.


During the ICO investigation, it was found that between 1 June 2018 and 21 May 2019, Amex had sent over 4 million unsolicited marketing emails to individual customers without their prior consent. It was held by the ICO that not only did Amex act negligently, but that it had also failed to take reasonable steps to prevent the violation of PECR, in particular regulation 22, which specifically governs the use of email for direct marketing purposes. This offence was held by the ICO to be an even more severe breach considering that Amex had failed to review its marketing model despite receiving complaints from customers.

While regulation 22(3) allows for some exceptions to the rule, none of these was applicable in the present case.

The recipients of these unsolicited marketing emails included customers who had opted out of receiving marketing messages from Amex, and as such, the emails directly contravened the opt-in regime introduced by the regulation. Moreover, the ICO deemed that these emails were sent deliberately, as they had the effect of encouraging recipients to make purchases using their Amex cards, which in turn generates financial gains for Amex. The gravity of the breach was, therefore, reflected in the fine.

You can read the monetary penalty notice here.

For more information, and any guidance or advice on PECR and other data protection laws, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.