I’ve written a piece for the Mishcon de Reya website on the some of the key proposals (for our client-base) in today’s data protection reform announcement.
Data protection law reform – major changes, but the (mishcon.com)
Category Archives: nuisance calls
Information Tribunal increases monetary penalty for company which made spam calls
The trouble with asking for a second opinion is it might be worse than the first one. Reactiv Media get an increased penalty after appealing to the tribunal.
In 2013 the First-tier Tribunal (Information Rights) (“FTT”) heard the first appeal against a monetary penalty notice (“MPN”) imposed by the Information Commissioner’s Office (“ICO”). One of the first things in the appeal (brought by the Central London Community Healthcare NHS Trust) to be considered was the extent of the FTT’s jurisdiction when hearing such appeals – was it, as the ICO suggested, limited effectively only to allowing challenges on public law principles? (e.g. that the original decision was irrational, or failed to take relevant factors into account, or took irrelevant factors into account) or was it entitled to approach the hearing de novo, with the power to determine that the ICO’s discretion to serve an MPN had been exercised wrongly, on the facts? The FTT held that the latter approach (similar to the FTT’s jurisdiction in appeals brought under the Freedom of Information Act 2000 (FOIA)) was the correct one, and, notably, it added the observation (at para. 39) that it was open to the FTT also to increase, as well as decrease, the amount of penalty imposed.
So, although an appeal to the FTT is generally a low-risk low-cost way of having the ICO’s decision reviewed, it does, in the context of MPNs served either under the Data Protection Act 1998 (DPA) or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), potentially carry the risk of an increased penalty. And this is precisely what happened when a direct marketing company called Reactiv Media recently appealed an ICO MPN. Reactiv Media bad been held to have made a large number of unsolicited telephone calls to people who had subscribed to the Telephone Preference Service (“TPS”) – the calls were thus in contravention of Reactiv Media’s obligations under regulation 21 of PECR. The ICO determined that this constituted a serious contravention of those obligations, and as some at least of those calls were of a kind likely to cause (or indeed had caused) substantial damage or substantial distress, an MPN of £50,000 was served, under the mechanisms of section 55 of the DPA, as adopted by PECR.
Upon appeal to the FTT, Reactiv Media argued that some of the infringing calls had not been made by them, and disputed that any of them had caused substantial damage or distress. However, the FTT, noting the ICO’s submission that not only had the MPN been properly served, but also that it was lenient for a company with a turnover of £5.8m (a figure higher than the one the ICO had initially been given to understand), held that not only was the MPN “fully justified” – the company had “carried on its business in conscious disregard of its obligations” – but also that the amount should be increased by 50%, to £75,ooo. One presumes, also, that the company will not be given a further opportunity (as they were in the first instance) to take advantage of an early payment reduction.
One is tempted to assume that Reactiv Media thought that an appeal to the FTT was a cheap way of having a second opinion about the original MPN. I don’t know if this is true, but it if is, it is a lesson to other data controllers and marketers that, after an appeal, they might find themselves worse off.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.
DCMS consulting on lower threshold for “fining” spammers
UPDATE: 08.11.14
Rich Greenhill has spotted another odd feature of this consultation. Options one and two both use the formulation “the contravention was deliberate or the person knew or ought to have known that there was a risk that the contravention would occur”, however, option three omits the words “…or ought to have known”. This is surely a typo, because if it were a deliberate omission it would effectively mean that penalties could not be imposed for negligent contraventions (only deliberate or wilful contraventions would qualify). I understand Rich has asked DCMS to clarify this, and will update as and when he hears anything.
END UPDATE
UPDATE: 04.11.14
An interesting development of this story was how many media outlets and commentators reported that the consultation was about lowering the threshold to “likely to cause annoyance, inconvenience or anxiety”, ignoring in the process that the preferred option of DCMS and ICO was for no harm threshold at all. Christopher Knight, on 11KBW’s Panopticon blog kindly amended his piece when I drew this point to his attention. He did, however observe that most of the consultation paper, and DCMS’s website, appeared predicated on the assumption that the lower-harm threshold was at issue. Today, Rich Greenhill informs us all that he has spoken to DCMS, and that their preference is indeed for a “no harm” approach: “Just spoke to DCMS: govt prefers PECR Option 3 (zero harm), its PR is *wrong*”. How very odd.
END UPDATE
The Department of Culture, Media and Sport (DCMS) has announced a consultation on lowering the threshold for the imposing of financial sanctions on those who unlawfully send electronic direct marketing. They’ve called it a “Nuisance calls consultation”, which, although they explain that it applies equally to nuisance text messages, emails etc., doesn’t adequately describe what could be an important development in electronic privacy regulation.
When, a year ago, the First-tier Tribunal (FTT) upheld the appeal by spam texter Christopher Niebel against the £300,000 monetary penalty notice (MPN) served on him by the Information Commissioner’s Office (ICO), it put the latter in an awkward position. And when the Upper Tribunal dismissed the ICO’s subsequent appeal, there was binding authority on the limits to the ICO’s power to serve MPNs for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). There was no dispute that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, Niebel’s contraventions were serious and deliberate, but what was at issue was whether they were “of a kind likely to cause substantial damage or substantial distress”. The FTT held that they were not – no substantial damage would be likely to arise and when it came to distress
the effect of the contravention is likely to be widespread irritation but not widespread distress…we cannot construct a logical likelihood of substantial distress as a result of the contravention.
When the Upper Tribunal agreed with the FTT, and the ICO’s Head of Enforcement said it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant” it seemed clear that, for the time being at least, there was in effect a green light for spam texters, and, by extension, other spam electronic marketers. The DCMS consultation is in response to calls from the ICO, and others, such as the All Party Parliamentary Group (APPG) on Nuisance Calls, the Direct Marketing Association and Which for a change in the law.
The consultation proposes three options – 1) do nothing, 2) lower the threshold from “likely to cause substantial damage or substantial distress” to “likely to cause annoyance, inconvenience or anxiety”, or 3) remove the threshold altogether, so any serious and deliberate (or reckless) contravention of the PECR provisions would attract the possibility of a monetary penalty. The third option is the one favoured by DCMS and the ICO.
If either of the second or third options is ultimately enacted, this could, I feel, lead to a significant reduction in the prevalence of spam marketing. The consultation document notes that (despite the fact that the MPN was overturned on appeal) the number of unsolicited spam SMS text message sent reduced by a significant number after the Niebel MPN was served. A robust and prominent campaign of enforcement under a legislative scheme which makes it much easier to impose penalties to a maximum of £500,000, and much more difficult to appeal them, could put many spammers out of business, and discourage others. This will be subject, of course, both to the willingness and the resources of the ICO. The consultation document notes that there might be “an expectation that [MPNs] would be issued by the ICO in many more cases than its resources permit” but the ICO has said (according to the document) that it is “ready and equipped to investigate and progress a significant number of additional cases with a view to taking greater enforcement action including issuing more CMPs”.
There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge. Of course, this only applies to identifiable spammers in the domestic jurisdiction – let’s hope it doesn’t just drive an increase in non-traceable, overseas spam.
Green light for spam texters – for now
The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.
In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:
the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]
As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it questioned whether, if Parliament wanted to give the ICO powers to financially punish spam texters, it would require a change in the law
[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.
To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by their Head of Enforcement Steve Eckersley has effectively conceded that the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question). This call echoes one made by the Information Commissioner himself, who said in February
We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.
There are, of course, other strings to the ICO bow, and Eckersley refers to some of them
we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.
This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.
EDITED TO ADD:
Tim Turner points out to me that a conviction for breach of an enforcement notice is not a recordable offence it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g. employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.
Virgin on the ridiculous
UPDATE 15.12.14: I think the comments on this piece take it further, and I do accept (as I did at the time, in fact) that the “password” in question was not likely to relate to customers’ accounts.
END UPDATE.
I got into a rather odd exchange over the weekend with the people running the Virgin Media twitter account. It began when, as is my wont, I was searching for tweets about “data protection” and noticed an exchange in which someone had asked Virgin Media whether their sales people rang customers and asked them to give their passwords. Virgin Media kindly appeared to confirm they did, and that
it’s for security as we can’t make any changes without data protection being passed
I asked for clarification, and this exchange ensued
[ME] Is it true your sales people call customers and ask for their account passwords? If so, are these unsolicited calls?
[VM] Yes this is true, our sales team would call and before entering your account, would need you to pass account security. I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same. If you give us a call on 150/03454541111 we can get this cleared up. Let me know how you get on
[ME] Thanks. Not a customer. Just interested in what seems like questionable practice being defended under guise of data protection
[VM] We contact our customers if there upgrade is due, or for a heath check on accounts, and a few other instances, but I get where your coming from [sic]
There’s nothing unlawful about this practice, and I assume that the accounts in question are service and not financial ones, but it doesn’t accord with normal industry practice. Moreover, one is warned often enough about the risks of phishing calls asking for account passwords. If a legitimate company requires or encourages its sales staff to do this, it adds to a culture of unnecessary risk. There are better ways of verifying identity, as their social media person seems to accept, when they say “I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same”.
One thing I’m certain about, though, is that isn’t any part of “passing data protection” (unless they mean bypassing) to make outbound calls and ask for customer passwords.
On a final note, and in admiration of bare-faced cheek, I highlight the end of my exchange with Virgin Media
If you want, as your not a customer, you can check out our brill offers here [removed] maybe we could save you a few pounds?
That’s an offer I most certainly can refuse.
(By the way, as it’s an official Virgin Media account, I’ve taken what I was told on Twitter at face value. If I have misunderstood any of their policies on this I’d be happy to correct).
UPDATE:
Virgin Media’s Twitter account appears to have confirmed to me a) that they do ask for customers’ passwords on outbound sales calls, and b) that they see nothing wrong with it. And rather hilariously, they say that “we can discuss further” if I will “pop a few details” on their web form for social media enquiries. No thanks.
Filed under Data Protection, Let's Blame Data Protection, marketing, nuisance calls, PECR, social media
Bank-bashing by the Court of Appeal
The conduct was…intimidatory and controlling…If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires
The Court of Appeal has held that the Bank of Scotland is liable for harassment in making hundreds of calls to someone who exceeded her overdaft limit.
With the Information Commissioner taking recent robust action we all know that the making of unwanted calls by commercial organisations can be a breach of The Privacy and Electronic Communications (EC Directive) Regulations 2003 and the Data Protection Act 1998.
However, a recent Court of Appeal judgment has held that this practice can also constitute harassment, even when the calls are made by one’s own bank, in pursuit of a debt.
In Roberts v Bank of Scotland the claimant – a valiant litigant in person – had sought and was awarded damages in the County Court in the sum of £7500, under section 3 of the Protection from Harassment Act 1997. The Bank appealed, both on liability and quantum, and I suspect they wish they hadn’t.
The claim was made after the Bank made 547 calls in little more than a year, arising from minor instances of exceeding overdraft limits. Ms Roberts did not want to speak to call centre operatives, and had apparently sought unsuccessfully to speak to her local branch manager. Many of the calls were intimidatory, albeit couched in polite language. Despite Ms Roberts repeatedly asking for them to cease, she was told the calls would continue.
The Appeal Court had no hesitation in dismissing the Bank’s appeal, and did so in extraordinarily disapproving terms.
This was, undoubtedly, a course of conduct which amounted to harassment and which the bank knew or ought to have known amounted to harassment:
…the bank’s conduct in the present case easily crosses the threshold. It was harassment which could have been prosecuted in the criminal courts. In the event, and fortunately for the bank, this matter simply comes before the civil courts as a claim for damages [¶45]… The bank must have been perfectly well aware of the phone calls which it was making [¶47]
and the Bank could not fall back on the fact that it was pursuing a debt – there were other ways to do this, given that Ms Roberts had repeatedly asked for calls to cease. Although initially “it made perfectly good sense for the bank to write to the claimant and also to telephone her” this did not mean that all future calls were legitimised
The existence of a debt…does not give the creditor the right to bombard the debtor with endless and repeated telephone calls. The debtor is fully entitled to say that he does not wish to talk to the creditor. In those circumstances, the creditor is thrown back upon his full legal remedies. That is what the courts are there to provide…the claimant made it abundantly plain that she did not wish to receive telephone calls from the bank. She was perfectly entitled to adopt this position. Once the bank had tried to telephone the claimant a few times and had received the same response on each occasion, it was obvious that telephoning the claimant would achieve nothing. Thereafter, there was no possible justification for continuing to ring the claimant up [¶32-33]
All three judges were clearly very unsympathetic to the Bank’s arguments. A selection of their asides:
If [counsel for the Bank] is right in saying that the only practicable means by which a bank can contact defaulting customers is the method adopted in this case, then banks had better build into their costings the damages which from time to time they will be called upon to pay to those customers.[¶50]
The conduct was, as the judge said, intimidatory and controlling. In short, it was, in my judgment, obviously unlawful harassment. If that amounts to good banking practice, that is a very sorry misassessment by the banks of what commercial morality and indeed legality requires [¶62]
The bank should respect the rule of law and therefore it should, in the light of the judgments of this court, revise its systems and desist from any tortious conduct, and not simply factor into its working and operating costs the fact that from time to time the bank will have to pay damages for harassment [¶65]
That last comment, and indeed the judgment as a whole, is pretty ominous for any organisation seeking to pursue and persuade debtors by a process of repeated phone calls (for which, now read “potential harassment”) when the recipient has asked them to desist. Lord Justice Jackson suspects his comments might be greeted with “derision in the boardrooms of the banks”: I suspect they may be also be greeted with consternation, and concern about the future of an element of banking practice which has effectively gone on unchecked for years. They would hardly have brought this appeal, over for what is for them a minute sum of money, unless they thought the case had wider implications which threatened their business practices.
They now will need to lick their wounds, and reconsider their approach to commercial morality and legality.
postscript
From this post on the excellent choptheknot blog it appears that similar principles were followed in another case involving the Bank of Scotland: Johnson v Bank of Scotland plc [2013] All ER (D) 193
Filed under damages, Data Protection, harassment, nuisance calls, PECR, Privacy
informationrightsandwrongs 
