The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.
In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:
the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]
As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it questioned whether, if Parliament wanted to give the ICO powers to financially punish spam texters, it would require a change in the law
[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.
To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by their Head of Enforcement Steve Eckersley has effectively conceded that the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question). This call echoes one made by the Information Commissioner himself, who said in February
We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.
we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.
informationrightsandwrongs 
Good stuff Jon.
I wonder how strongly the ICO could argue telephone calls are likely to cause damage and distress – I’d have thought they broadly fall under the same category as texts in terms of being a nuisance as opposed to distress, albeit more of a nuisance.
I have a minor correction whichI hope doesn’t appear petty. The ICO didn’t need to evidence that Niebel had caused substantial distress, they (merely) had to show his spamming was ‘of a kind likely’ to cause substantial distress. I think it’s a subtle but significant difference.
Tanks Andy, well-spotted, and sloppy from me. Now amended.
Thanks for the interesting post Jon. Just to add to discussion the legal technicalities, when issuing any Enforcement Notice the Information Commissioner doesn’t need to show or even believe that the activity in question has caused anybody damage or distress. He merely has to consider whether this is the case before issuing any such notice (s. 40 (2), Data Protection Act). And that is an extremely low threshold!
Sorry, I forgot to add that a key different in relation to monetary penalties (compared to Enforcement Notices) is that Commissioner must be “satisfied” that the contravention was of a kind likely to cause substantial damage or substantial distress. As we’ve seen, the Tribunal will look to see the basis for the Commissioner’s satisfaction. Simply having such a belief is not enough, let alone merely having considered whether this was the case or not.
Pingback: DCMS consulting on lower threshold for “fining” spammers | informationrightsandwrongs
Pingback: DCMS consulting on lower threshold for “fining” spammers | informationrightsandwrongs
Pingback: PARKLIFE! (and a £70k monetary penalty) | informationrightsandwrongs