Breathe Services winding up shows gravity of data privacy breaches

15 October 2025 Consultancy.uk

Despite the repeated warnings from regulators and experts, many companies still struggle to see data privacy beyond abstract terms. According to Harper James specialist Lillian Tsang, the case of Bolton-based Breathe Services should drive home the material impacts unaddressed breaches can have on a company.

Breathe Services is a debt advice company based in Bolton. The firm first came to the attention of the Information Commissioner’s Office (ICO) as part of a wider investigation into complaints received about unsolicited phone calls to potentially vulnerable individuals. A resulting investigation by the ICO found that between March and July, and October and December 2022, BSL bombarded people with 4,376,037 unsolicited direct marketing calls – with the recipients having been registered to the Telephone Preference Service (TPS).

The TPS is a free opt-out service enabling people in the UK to record a preference on the official register, and not receive unsolicited sales or marketing calls. Breathe Services’ alleged pursuit of these numbers despite their stated preference resulted in 58 complaints to the TPS and a further 193 complaints to the ICO. The company was also found to have “spoofed its outbound phone number” – presenting over 1,000 different telephone numbers on calls – to hide the firm’s true identity.

Following the investigation by the ICO, the watchdog announced in December 2024 that it would be fining Breathe Services £170,000 for “making over 4 million unlawful direct marketing calls to people registered with the [TPS]”. But according to a statement by the regulator issued on LinkedIn, Breathe Services “failed to pay the fine” – and so, ironically, the debt advice company was referred to the ICO’s financial investigations unit, to push for a winding up order.

A winding up order is a legal mechanism that can compulsorily close a company that has failed to meet its financial obligations. Once granted by the court – as has now been confirmed with Breathe Services – the company must cease trading immediately and any assets will be liquidated. The proceeds are then used to repay creditors, including fines owed to regulators like the ICO.

Andy Curry, head of investigations at the ICO, said, “This case sends a clear message: if you break the law and bombard people with nuisance calls, we will hold you accountable. And if you ignore our penalties, we will escalate enforcement to the highest level. Companies cannot simply walk away from their obligations.”

Lessons to be learned

The decisive move from the UK’s data protection regulator serves as an important example of “what can happen when businesses fail to address regulatory penalties”, according to Lillian Tsang, senior solicitor in Harper James’ data protection and privacy team. This is particularly the case, as at various points, Breathe Services had the opportunity to prevent its ultimate closure.

“A winding-up order is a serious outcome, and it shows how quickly things can escalate when problems aren’t addressed early,” Tsang explained. “Naturally, the ICO will first try to recover fines through payment plans, negotiation or other enforcement powers, so it’s not a quick decision for a winding-up order. They only petition for winding-up when there is non-payment, and the organisation is able to pay but refuses or fails to do so. It seems winding-up orders via ICO petitions are rare, so it is not a ‘light’ decision taken by the ICO. For example, in the second quarter of 2024/2025, there were just four court orders for winding-up on ICO petitions.”

Aside from the legal implications, Tsang noted that by the time it reaches the stage of winding up, “the damage is done” anyway – with a company’s reputation and customer trust in tatters. Enforcement at this level is therefore a reminder that “strong compliance protects individuals, reduces risk and builds trusted, lasting relationships.”

She continued, “That’s not just good compliance, it’s good business… This situation could have been avoided with early action and a responsible approach to compliance. Data protection isn’t about fear or red tape – at its heart, compliance is about embedding respect for people’s rights into the way a business operates day to day. Senior leaders also play a crucial role in setting the tone and ensuring marketing practices are lawful and fair.”

Tsang concluded, “This was just as much about reminding all firms that data protection must be taken seriously as it is about penalising an individual business… The ICO’s point here is simple - if a business breaks the law and doesn’t engage with the consequences, it won’t be left to fade away. Direct marketing rules exist for a reason; they’re designed to protect people, particularly those who may be more vulnerable, from unwanted and unlawful contact. These rules aren’t intended to make business harder; they are there to support fair, respectful and transparent communication between organisations and the public.”