Can a large number of nuisance calls to a large number of people, none of whom individually suffers substantial distress, still equate to cumulative substantial distress, for the purposes of the PECR (and the DPA)?
I blogged recently in praise of the enforcement action taken by the Information Commissioner’s Office (ICO) against nuisance-caller companies, and I see that a further penalty notice has been served this week, on a “marketing company”. With considerable reluctance, though, I am drawn to a view that the ICO might be taking a flawed, or at least questionable approach to the enforcement. I say “reluctance” because I think the problem of nuisance calls is one that calls out for strong enforcement powers and the will to exercise those powers (I also think it’s a problem, by the way, that the BBC should, without apparent comment, continue to broadcast a programme which provides a platform for two companies who have received penalties totalling £225,000 for engaging in the practice).
The enforcement action is taken under the ICO’s powers conferred by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011. The latter imported into the former the powers conferred on the ICO by the Data Protection Act 1998 (DPA) to serve, in appropriate circumstances, a civil monetary penalty notice (MPN) on a data controller where
(a) there has been a serious contravention of section 4(4) by the data controller,
(b) the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the data controller—
(a) knew or ought to have known—
(i) that there was a risk that the contravention would occur, and
(ii) that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
(b) failed to take reasonable steps to prevent the contravention.
(emphasis added)
What all this means, effectively, is that the ICO has two powers available to serve an MPN (to a maximum of £500,000): firstly, for a qualifying breach of the DPA, secondly for a qualifying breach of the PECR. He has exercised the former several times over the last three years, but has only exercised the latter more recently (the first time was in November last year). MPNs under the DPA have been for egregious breaches (e.g. highly sensitive information faxed numerous times to the wrong recipients, loss of unencrypted memory stick with details of people linked to serious crimes). In these circumstances it has not been difficult for the ICO to be satisfied that
such a contravention would be of a kind likely to cause substantial damage or substantial distress
However, what about when hundreds of nuisance calls have been made to hundreds of individuals? It is surely in the nature of nuisance calling that it is rarely (although not never) going to cause an individual substantial distress. The ICO says, in what appears effectively to be standard wording in PECR MPNs
The Commissioner is satisfied that the contravention is of a kind likely to cause substantial damage or substantial distress as required by section 55 (1) (b) because of the large numbers of individuals who complained about these unsolicited calls and the nature of some of the complaints they gave rise to…Although the distress in every individual complainant’s case may not always have been substantial, the cumulative amount of distress suffered by the large numbers of individuals affected, coupled with the distress suffered by some individuals, with some receiving multiple calls, means that overall the level was substantial.
In adopting this “cumulative distress” approach the ICO refers to his own guidance about the issuing of monetary penalties issued under section 55C (1) of the DPA. This guidance (which applies to PECR as well as DPA) says
The Commissioner does…consider that if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial.
As far as I am aware this approach has only been used when issuing PECR MPNs, not DPA ones. But is it the correct approach? I’m not so sure. The law requires the contravention (of the PECR or DPA) to have been of a kind likely to cause “substantial distress”, not “substantial instances of distress” and one could argue that, if the latter is what Parliament intended, Parliament would have said that (although, as is often the case, one can turn that around and say, if Parliament had not intended the ICO to cumulate instances of distress it would have restrained him from so doing). To me, though, the ICO’s approach seems wrong. But when I put the scenario to two lawyers, they agreed with the ICO, and to two lay-people, they agreed with me. I’m not sure what the lesson to be drawn there is.
I suspect this will be tested, and I note that Christopher Niebel’s appeal of his PECR MPN is listed for a five-day hearing before the First-tier Tribunal in October. And Sony’s appeal of their DPA MPN is listed for a four-day hearing before the First-tier Tribunal in November. Although the “cumulative distress” approach was not explicitly cited by the ICO in Sony’s MPN, one could argue that finding out that a data controller has lost one’s name, address, email address, date of birth and account password is unlikely to be capable of causing individual substantial distress.
I should stress that I think there should be sanctions for organisations which commit serious contraventions affecting large numbers of people, even where individual distress is not substantial. I think that nuisance caller companies are, er, a nuisance, and deserve to be targeted robustly by a regulator. And I actually hope I’m wrong on the meaning of “substantial distress”.
Postscript:
Very interestingly (well I think so) there are reports that the government is considering proposing legislative changes to alter the threshold whereby substantial damage or substantial threat must be demonstrated. Whether this is simply to bring larger numbers of nuisance-calling companies into the ICO’s sights, or whether it is to address perceived weaknesses in current legislation remains to be seen (it might be both, of course).
Postscript 2:
Recently-published minutes from the ICO’s Management Board of 22 July support my view. They say
Civil monetary penalties for offences under PECR were discussed further. There are concerns about the requirement to show substantial damage and distress when what was happening was minor inconvenience to many people; ie in receiving spam texts.
Niebel’s appeal is happening this week (Sony dropped theirs). We will know soon whether the laudable attempts by the ICO to punish nuisance calling will be defeated by what was perhaps inadequate legislative drafting.
I think the point re legislative intent is quite an important one – certainly in respect to PECR. If you can’t aggregate distress in this way it’s difficult to imagine many PECR breaches could/would ever cause substantial distress?
Alternatively, if we do think a PECR breach (and specifically a TPS breach) can cause such distress, then I think it could be argued that in the above examples the necessary burden has already been achieved. That’s because the ICO doesn’t have to establish that a breach did cause such distress, rather is “would be of a kind likely to cause substantial damage or substantial distress”. Given the offenders had such an obvious disregard for the rules of the game and breached on such a large scale, such substantial distress does become ‘of a kind likely’ (even if perhaps not ‘likely’).
If my above analysis is in any way correct, I think the attempts to focus on the specific examples of substantial distress might be the weaker part of the ICO’s decision. As with DPA CMPs there seems an uncomfortable focus on the incident, as opposed to the contravention. I think the fines should be issued for serious contraventions of PECR/DPA that have the potential to cause substantial damage or distress – as opposed to arguing that substantial distress was caused in a specific case.
Aside from all of the above, could the ICO not argue the contravention was deliberate (having themselves described “a complete disregard for PECR”) and therefore subsection 3 need not apply?
I think you may well be right on all points. And I certainly agree that if ICO had to find individual substantial distress in nuisance caller cases we wouldn’t see any MPNs issued. As I say, I’m happy (more than I usually would be) to be proved wrong, but as hard as I try I can’t help but feel that the cumulative distress approach is a contrived one.
I disagree completely. The guidance on MPNs isn’t the usual Wilmslow flannel; it was laid before Parliament, and so is, in that sense, what Parliament intended. I think it’s the MPNs on Data Protection, with their sometimes kneejerk, hysterical response to perceived harm / distress that the ICO has no way of quantifying or demonstrating that might be suspect. Lost laptops are wiped and flogged on car boot sales with no real harm done, whereas so-called ‘nuisance’ callers actively pester the elderly and vulnerable in their own homes.
For some reason, the ICO Annual Report massages the figures – apparently it’s 13,802 DP complaints versus 6,386 complaints for PECR, until you get to the bit that says that 155,425 PECR ‘concerns’ have also been reported. Stripped of the doublespeak, the number of DPA, EIR and FOI complaints received by the ICO put together are dwarfed by PECR. Reflecting that collective view is in the public interest and cumulative distress is – taking the statutory guidance into account – the right way to do it.
Where there is harmony, may he bring discord. Where there is error, may he bring truth…!
If you aren’t told your data has been gifted to Whitevanman to re-sell on Ebay (and I doubt for example the Brighton data subjects were), there’s no distress at all. But that’s still a serious contravention…of a kind likely to cause distress. A Police Force who don’t encrypt witness details on memory stick should be hammered – irrespective of whether the memory stick is discovered discarded or sold to Mr Big for revenge. The ICO isn’t fining to seek redress for the individuals, I think it’s to achieve compliance.
The total number of complaints made on each area of legislation (or worse still presumably unverified expressions of concern) surely can’t measure/determine the level of distress caused by specific contraventions?
I already know you disagree strongly on this final point, but I don’t think it’s for the ICO to punish aggressive and inappropriate sales people. To me, the problem is those sales people who as you say pester the elderly and vulnerable in their own homes – I don’t think that’s right whether those people are on the TPS or not, yet it’s only the breach of PECR that can really concern the ICO.
Fair point about the fact that the statutory MPN guidance was laid before parliament, but I think that’s persuasive not determinative. As my post says, I think nuisance callers do cause distress (and in some cases substantial distress) but I worry that it might be held by a court that in construing s55A(1)(b) as permitting a cumulative distress approach the ICO has exceeded his powers, notwithstanding what the guidance (which remains just that, despite it having been made pursuant to statutory provisions) says.
All too often, the ICO looks for an excuse to sit on their hands. Fear about cumulative distress not being valid could be such an excuse. The court may not agree with their interpretation (I think it will), but I prefer to see enforcement than not enforcement. That’s what I think the ICO should be for.
If the court wants to be the institution that tells the UK public that the issue that they – rather than the Data Protection debating society we’re all members of – care about can’t be enforced on, good luck to them.
The article is interesting and the debate within the comments more so. What struck me about the MPN is that the harm and distress come from a different era, a paper based era, in that cybercrime relating to identity is of a different type and magnitude.
By that I mean, I cannot change my birthdate so when that piece of identity is lost, I can never recover it. To be sure, people provide that all the time, but then I provide my bank with my personal details and expect them to handle it safely. The point is that the effect is unknown but always present. In 5 years, my Sony data may arrive in the form of data theft. Here we see the other side of the problem, which is why the MPN is needed because of the lack of actual damage. The state acts as a proxy.
What I mean by that is that I cannot really sue Sony for their mistake because I cannot (yet) show any damage to seek compensation under s13. I could show distress, but I cannot show damage. As Johnson v. MDU showed, damage is needed and it is nearly (but not completely) impossible to show damage from most of the data breaches that the MPN has hit. More to the point, even if I am damaged, how easily can I show the causal chain between my alleged damage and the breach? If someone could show damage for breach of personal data, then individuals could sue for restitution. In the way that you can sue if the bank mishandles your account and you end up losing money.
Until such time as the effect from a data breach can be monetized, we will have to hope that the ICO’s enforcement is enough to satisfy those who have been subject to the nuisance (and always potential) damage. I think we will see our privacy monetized so that it can be bought and sold, which may change the regulatory framework with companies seeking to avoid fend off small claims as an incentive to improve services or worse still large scale class action suits.
Jon – not sure if you have seen but the ICO Executive Team minutes from 29/07/13 http://www.ico.org.uk/about_us/boards_committees_and_minutes/~/media/documents/library/Corporate/Notices/20130729-et-meeting-minutes.pdf also mention a proposal to change the threshold for a CMP. It might suggest that they aren’t too confident ahead of the Hearing this week.
Indeed I have (I am nerdy enough to read ICO committee minutes). And I think this refers back to my postscript – will be v interesting to see what comes out of the Tribunal.