Tag Archives: PECR

Information Tribunal increases monetary penalty for company which made spam calls

The trouble with asking for a second opinion is it might be worse than the first one. Reactiv Media get an increased penalty after appealing to the tribunal.

In 2013 the First-tier Tribunal (Information Rights) (“FTT”) heard the first appeal against a monetary penalty notice (“MPN”) imposed by the Information Commissioner’s Office (“ICO”). One of the first things in the appeal (brought by the Central London Community Healthcare NHS Trust) to be considered was the extent of the FTT’s jurisdiction when hearing such appeals – was it, as the ICO suggested, limited effectively only to allowing challenges on public law principles? (e.g. that the original decision was irrational, or failed to take relevant factors into account, or took irrelevant factors into account) or was it entitled to approach the hearing de novo, with the power to determine that the ICO’s discretion to serve an MPN had been exercised wrongly, on the facts? The FTT held that the latter approach (similar to the FTT’s jurisdiction in appeals brought under the Freedom of Information Act 2000 (FOIA)) was the correct one, and, notably, it added the observation (at para. 39) that it was open to the FTT also to increase, as well as decrease, the amount of penalty imposed.

So, although an appeal to the FTT is generally a low-risk low-cost way of having the ICO’s decision reviewed, it does, in the context of MPNs served either under the Data Protection Act 1998 (DPA) or the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), potentially carry the risk of an increased penalty. And this is precisely what happened when a direct marketing company called Reactiv Media recently appealed an ICO MPN. Reactiv Media bad been held to have made a large number of unsolicited telephone calls to people who had subscribed to the Telephone Preference Service (“TPS”) – the calls were thus in contravention of Reactiv Media’s obligations under regulation 21 of PECR. The ICO determined that this constituted a serious contravention of those obligations, and as some at least of those calls were of a kind likely to cause (or indeed had caused) substantial damage or substantial distress, an MPN of £50,000 was served, under the mechanisms of section 55 of the DPA, as adopted by PECR.

Upon appeal to the FTT, Reactiv Media argued that some of the infringing calls had not been made by them, and disputed that any of them had caused substantial damage or distress. However, the FTT, noting the ICO’s submission that not only had the MPN been properly served, but also that it was lenient for a company with a turnover of £5.8m (a figure higher than the one the ICO had initially been given to understand), held that not only was the MPN “fully justified” – the company had “carried on its business in conscious disregard of its obligations” – but also that the amount should be increased by 50%, to £75,ooo. One presumes, also, that the company will not be given a further opportunity (as they were in the first instance) to take advantage of an early payment reduction.

One is tempted to assume that Reactiv Media thought that an appeal to the FTT was a cheap way of having a second opinion about the original MPN. I don’t know if this is true, but it if is, it is a lesson to other data controllers and marketers that, after an appeal, they might find themselves worse off.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

 

Leave a comment

Filed under Data Protection, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR

The Lib Dems’ digital rights bill – an empty promise?

On the 11th of April the Liberal Democrats announced that they would introduce a “Digital Rights Bill” if they were to form part of a coalition government in the next parliament. Among the measures the bill would contain would be, they said

Beefed up powers for the Information Commissioner to fine and enforce disciplinary action on government bodies if they breach data protection lawsLegal rights to compensation for consumers when companies make people sign up online to deliberately misleading and illegible terms & conditions

I found this interesting because the Lib Dems have recently shown themselves particularly unconcerned with digital rights contained in ePrivacy laws. Specifically, they have shown a lack of compliance with the requirement at regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). This regulation forbids the sending of direct marketing by email unless the recipient has notified the sender that she consents to the email being sent. The European directive to which PECR give effect specifies that “consent” should be taken to have been given only by use of

any appropriate method enabling a freely given specific and informed indication of the user’s wishes, including by ticking a box when visiting an Internet website

And the Information Commissioner’s Office (ICO), which regulates PECR, explains in guidance [pdf] that

the person must understand what they are consenting to. Organisations must make sure they clearly and prominently explain exactly what the person is agreeing to, if this is not obvious. Including information in a dense privacy policy or hidden in ‘small print’ which is hard to find, difficult to understand, or rarely read will not be enough to establish informed consent…consent must be a positive expression of choice. It does not necessarily have to be a proactive declaration of consent – for example, consent might sometimes be given by submitting an online form, if there was a clear and prominent statement that this would be taken as agreement and there was the option to opt out. But organisations cannot assume consent from a failure to opt out

But in July last year I began conducting an experiment. I put my name (actually, typed my email address) to a statement on the Lib Dem website saying

Girls should never be cut. We must end FGM

I gave no consent to the sending of direct email marketing from the Lib Dems, and, indeed, the Lib Dems didn’t even say they would send direct email marketing as a result of my submitting the email address (and, to be clear, the ICO takes the, correct, view [pdf] that promotion of a political party meets the PECR, and Data Protection Act, definition of “marketing”). Yet since October last year they have sent me 23 unsolicited emails constituting direct marketing. I complained directly to the Lib Dems, who told me

we have followed the policies we have set out ion [sic] our privacy policy which follow the guidance we have been given by the ICO

which hardly explains how they feel they have complied with their legal obligations, and I will be raising this as a complaint with the ICO. I could take the route of making a claim under regulation 30 of PECR, but this requires that I must have suffered “damage”. By way of comparison, around the same time I also submitted my email address, in circumstances in which I was not consenting to future receipt of email marketing, to other major parties. To their credit, none of the Conservatives, the SNP and the Greens have sent any unsolicited marketing. However, Labour have sent 8 emails, Plaid Cymru 10 and UKIP, the worst offenders, 37 (there is little that is more nauseating, by the way, than receiving an unsolicited email from Nigel Farage addressing one as “Friend”). I rather suspect that consciously or not, some political parties have decided that the risk of legal or enforcement action (and possibly the apparent ambiguity – although really there is none – about the meaning of “consent”) is so low that it is worth adopting a marketing strategy like this. Maybe that’s a sensible act of political pragmatism. But it stinks, and the Lib Dems’ cavalier approach to ePrivacy compliance makes me completely doubt the validity and sincerity of Nick Clegg’s commitment to

enshrine into law our rights as citizens of this country to privacy, to stop information about us being abused online

And, as Pat Walshe noticed the other day, even the Lib Dems’ own website advert inviting support for their proposed Digital Rights Bill has a pre-ticked box (in non-compliance with ICO guidance) for email updates. One final point, I note that clicking on the link in the first paragraph of this post, to the Lib Dems’ announcement of the proposed Bill, opens up, or attempts to open up, a pdf file of a consultation paper. This might just be a coding error, but it’s an odd, and dodgy, piece of script.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under consent, Data Protection, Information Commissioner, marketing, PECR, spam

A cookie for your health problems

Imagine this. You enter a shop (let’s call it Shop A) to browse, and you look at an item of interest (let’s call it Item Q). While you do so, an unbeknown to you, a shop assistant places a sticker on your back, revealing that you looked at this item, and when and where. You leave and a few days later enter another shop, where a shop assistant says “I understand a few days ago you were interested in Item Q, here are some similar items you might be interested in”.

You might initially think “how helpful”, but afterwards you might start to wonder how the second shop knew about your interest, and to think that it’s a bit off that they seemed to have been able to track your movements and interests.

But try this as well. You go to your doctor, because you’re concerned about a medical condition – let’s say you fear you may have a sexually transmitted disease. As you leave the doctor secretly puts a sticker on your back saying when and where you visited and what you were concerned about. You later visit a pharmacy to buy your lunch. While you queue to pay an assistant approaches you and says openly “I understand you’ve been making enquiries recently about STDs – here are some ointments we sell”.

The perceptive reader may by now have realised I am clunkily trying to illustrate by analogy how cookies, and particularly tracking cookies work. We have all come to curse the cookie warning banners we encounter on web sites based in Europe, but the law mandating them (or at least mandating the gaining of some sort of consent to receive cookies) was introduced for a reason. As the Article 29 Working Party of European Data Protection Authorities noted in 2011

Many public surveys showed, and continue to show, that the average internet user is not aware that his/her behaviour is being tracked with the help of cookies or other unique identifiers, by whom or for what purpose. This lack of awareness contrasts sharply with the increasing dependence of many European citizens on access to internet for ordinary everyday activities

The amendments to the 2002 EC Directive, implemented in domestic law by amendment regulations to the The Privacy and Electronic Communications (EC Directive) Regulations 2003 aimed to ensure that there was “an adequate level of privacy protection and security of personal data transmitted or processed in connection with the use of electronic communications networks” (recital 63). And Article 5 of the Directive specified that

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC [the 1995 Data Protection Directive], inter alia, about the purposes of the processing

Of course, the requirement that users of electronic communications networks should give consent to the storing of or gaining access to information stored in their terminal equipment (i.e. that they should consent to the serving of cookies) has not been an easy one to implement, and even the Information Commissioner’s Office’s in 2013 rowed back on attempts to gather explicit consent, claiming that there was now no need because people were more aware of the existence of cookies. But I made what to me was an interesting observation recently when I was asked to advise on a cookie notice for a private company: it appeared to me, as I compared competitors’ sites, that those which had a prominent cookie banner warning actually looked more professional than those that didn’t. So despite my client’s wariness about having a banner, it seemed to me that, ironically, it would actually be of some professional benefit.

I digress.

Just what cookies are and can achieve is brought sharply home in a piece on the Fast Company website, drawing on the findings of a doctoral research student at the University of Pennsylvania. The paper, and the article, describe the use of web analytics, often in the form of information gathered from tracking cookies, for marketing in the health arena in the US. Tim Libert, the paper’s author discovered that

over 90% of the 80,000 health-related pages he looked at on the Internet exposed user information to third parties. These pages included health information from commercial, nonprofit, educational, and government websites…Although personal data is anonymized from these visits, they still lead to targeted advertisements showing up on user’s computers for health issues, as well as giving advertisers leads (which can be deciphered without too much trouble) that a user has certain health issues and what issues those are

The US lacks, of course, federal laws like PECR and the DPA which seek – if imperfectly – to regulate the use of tracking and other cookies. But given that enforcement of the cookie provisions of PECR is largely non-existent, are there similar risks to the privacy of web users’ health information in the UK?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, cookies, Data Protection, PECR

Attend ICO DP conference, get unsolicited marketing from a hotel…

I greatly enjoyed yesterday’s (2 March 2015) Data Protection Practitioner Conference run by the Information Commissioner’s Office. I was representing NADPO on our stand, and the amount of interest was both gratifying and illustrative of the importance of having a truly representative body for professionals working in the field of information rights. NADPO were at pains – in running our prize draw (winners picked at random on stage by Information Commissioner Christopher Graham) – to make sure we let participants know what would or would not happen with their details. Feedback from delegates about this was also positive, and I’m pleased at least one privacy professional picked up on it.  Therefore the irony of the following events is not lost on me.

I’d stayed overnight on Sunday, in a Macdonald hotel I booked through the agency Expedia. Naturally, I’m not one to encourage the sending to me of direct electronic marketing, and as the unsolicited sending of such marketing is contrary to regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 I didn’t expect to receive any, either from the agent or the hotel. Yet yesterday I did receive some, from the hotel group. So I’ve sent them this complaint:

I booked the hotel through your agent, Expedia.co.uk. As a professional working in the field of privacy and data protection I always make sure I opt out of any electronic marketing. Hence, when making my booking, I checked the Expedia box which said

“Check the box if you do not want to receive emails from Expedia with travel deals, special offers, and other information”.

However, I also consulted their privacy policy, which says:

“Expedia.co.uk may share your information with [suppliers] such as hotel, airline, car rental, and activity providers, who fulfill your travel reservations. Throughout Expedia.co.uk, all services provided by a third-party supplier are described as such. We encourage you to review the privacy policies of any third-party travel supplier whose products you purchase through Expedia.co.uk. Please note that these suppliers also may contact you as necessary to obtain additional information about you, facilitate your travel reservation, or respond to a review you may submit.”

I then consulted Macdonald Hotels’ privacy policy, but this seems to relate only to your website, and is silent on the use of clients’ data passed on by an agent.

Accordingly, I cannot be said to have consented to the sending by you to me of electronic marketing. Yet yesterday at 13.07 I received an email saying “Thank you for registering with Macdonald Hotels and Resorts…As a member of our mailing list you will shortly start to receive [further unsolicited electronic marketing].”

Ironically enough, I was in Manchester to attend the annual Data Protection Practitioners’ Conference run by the Information Commissioner’s Office (ICO). As you will be aware, the ICO regulates compliance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). Before I raise a complaint with the ICO I would appreciate a) your removing me from any marketing database b) not receiving any further unsolicited marketing, and c) receiving your comments regarding your apparent breach of your legal obligations.

Each instance of unsolicited marketing is at best one of life’s minor irritants, but I have concerns that, because of this, some companies treat compliance with legal obligations as, at best, a game in which they try to trick customers into agreeing to receiving marketing, and at worst, as unnecessary. It may be that I received this particular unsolicited marketing from Macdonald Hotels by mistake (although that in itself might raise data protection concerns about the handling of and accuracy of customer data) but it happens too often. The media have rightly picked up on the forthcoming changes to PECR which will make it easier for the ICO to take enforcement actions regarding serious contraventions, but, sadly, I don’t see the lower level, less serious contraventions, decreasing.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under consent, Data Protection, Information Commissioner, marketing, PECR

What’s happening with changes to anti-spam laws?

In October last year the Department for Culture Media and Sport (DCMS) announced a consultation to lower, or even remove, the threshold for the serving financial penalties on those who unlawfully send electronic direct marketing. I wrote at the time that

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge

The Information Commissioner’s Office (ICO) and DCMS both seemed at the time to be keen to effect the necessary legislative changes to amend the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) so that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, either a serious contravention alone of PECR, or a serious contravention likely to cause annoyance, inconvenience or anxiety, could give rise to a monetary penalty without the need to show – as now – likely substantial damage or substantial distress.

However, today, the Information Commissioner himself, Christopher Graham, gave vent to frustrations about delay in bringing about these changes:

Time and time again the Government talks about changing the law and clamping down on this problem, but so far it’s just that – talk. Today they are holding yet another roundtable to discuss the issue, and we seem to be going round in circles. The Government need to lay the order, change the law and bring in a reform that would make a real difference

So what has happened? Have representatives of direct marketing companies lobbied against the proposals? It would be interesting to know who was at today’s “roundtable” and what was said. But there was certainly an interesting tweet from journalist Roddy Mansfield. One hopes a report will emerge, and some record of the meeting.

One wonders why – if they are – marketing industry bodies might object to the proposed changes. The financial penalty provisions would only come into play if marketers failed to comply with the law. Spammers would get punished – the responsible companies would not.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

1 Comment

Filed under Data Protection, Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

Labour’s “HowManyOfMe” – legitimate use of the electoral register?

Is Labour’s shiny new web widget “HowManyOfMe” compliant with the party’s obligations under electoral and ePrivacy law?

Regulations 102 and 106 of the Representation of the People (England and Wales) Regulations 2001 (as amended)mean that registered political parties can apply for a copy of the full electoral register, but they can only supply, disclose or make use of the information therein for “electoral purposes”. As far as I can see “electoral purposes” is nowhere defined, and, accordingly, I suspect it permits relatively broad interpretation, but, nevertheless, it clearly limits the use to which a political party can make use of electoral registration information.

With this in mind, it is worth considering whether the apparent use of such information by the Labour Party, in a new website widget, is a use which can be described as “for electoral purposes”. The widget in question invites people to submit their name (or indeed anyone else’s), email address and postcode and it will tell you how many voters in the country have that name. Thus, I find that there are 393 voters who have the name “Christopher Graham”. The widget then encourages users to register to vote. In small print underneath it says

in case you’re interested, this tool uses an aggregate figure from the electoral register and we’ve taken steps to protect the privacy of individuals

Well, I am interested. I’m interested to know whether this use of the electoral register is purely for electoral purposes. If it is, if its purpose is to encourage people to register to vote, then why does it need an email address? The widget goes on to say

The Labour Party and its elected representatives may contact you about issues we think you may be interested in or with campaign updates. You may unsubscribe at any point. You can see our privacy policy here.

But if they are using the electoral register to encourage people to give up email addresses which may then receive political marketing, surely this is stretching the use of “for electoral purposes” too far? Moreover, and despite the small print privacy notice, and the almost-hidden link to a generic privacy policy, any emails received by individuals will be likely to be sent in contravention of Labour’s obligations under The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which give effect to the UK’s obligations under Directive 2002/58/EC. This is because regulation 22 of PECR prohibits, in terms, the sending of electronic direct marketing (and promotion of a political party constitutes such marketing) without the prior consent of the recipient. Consent, the Directive tells us, must be “a freely given specific and informed indication of the user’s wishes”.  A vague description, as the widget here gives us, of what may happen if one submits an email address, and a statement about unsubscribing, do not legitimise any subsequent sending of direct marketing.

The email address I used is one I reserve for catching spammers; I’ve not received anything yet, but I expect to do so. I would be prepared to argue that any email I receive cannot be said to relate to the electoral purpose which permit use of the electoral register, and will be sent in contravention of PECR.  As I said recently, one of the key battlegrounds in the 2015 general election will be online, and unless action is taken to restrain abuse of people’s personal information, things will get nasty.

1The legislation.gov.uk doesn’t provide updated (“consolidated”) versions of secondary legislation, so there’s no point in linking to their version of the regulations.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

4 Comments

Filed under consent, Data Protection, marketing, PECR, privacy notice

Online privacy – a general election battleground

It’s becoming increasingly clear that one of the key battlegrounds in the 2015 General Election will be online. The BBC’s Ross Hawkins reports that the Conservatives are spending large amounts each month on Facebook advertising, and Labour and UKIP, while not having the means to spend as much, are ramping up their online campaigning. But, as Hawkins says

the aim is not to persuade people to nod thoughtfully while they stare at a screen. They want consumers of their online media to make donations or, even better, to get their friends’ support or to knock on doors in marginal constituencies…[but] for all the novelties of online marketing, email remains king. Those Tory Facebook invoices show that most of the money was spent encouraging Conservative supporters to hand over their email addresses. Labour and the Conservatives send emails to supporters, and journalists, that appear to come from their front benchers, pleading for donations

I know this well, because in July last year, after growing weary of blogging about questionable compliance with ePrivacy laws by all the major parties and achieving nothing, I set a honey trap: I submitted an email address to the Conservative, Labour, LibDem, Green, UKIP, SNP and Plaid Cymru websites. In each case I was apparently agreeing with a proposition (such as the particularly egregious LibDem FGM example)  giving no consent to reuse, and in each case there was no clear privacy notice which accorded with the Information Commissioner’s Office’s Privacy Notices Code of Practice (I do not, and nor does the ICO, at least if one refers to that Code, accept that a generic website privacy policy is sufficient in case like this). Since then, the fictional, and trusting but naive, Pam Catchers (geddit??!!) has received over 60 emails, from all parties contacted. A lot of them begin, “Friend, …” and exhort Pam to perform various types of activism. Of course, as a fictional character, Pam might have trouble enforcing her rights, or complaining to the ICO, but the fact is that this sort of bad, and illegal, practice, is rife.

To be honest, I thought Pam would receive more than this number of unsolicited emails (but I’m probably more cynical than her). But the point is that each of these emails was sent in breach of the parties’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which demands that recipients of electronic direct marketing communications must have given explicit consent prior to the sending. By extension, therefore, the parties are also in breach of the Data Protection Act 1998 (DPA), which, when requiring “fair” processing of personal data, makes clear that a valid privacy notice must be given in order to achieve this.

The ICO makes clear that promotion by a political party can constitute direct marketing, and has previously taken enforcement action to try to ensure compliance. It has even produced guidance for parties about their PECR and DPA obligations. This says

In recent years we have investigated complaints about political parties and referendum campaigners using direct marketing, and on occasion we have used our enforcement powers to prevent them doing the same thing again. Failure to comply with an enforcement notice is a criminal offence.

But by “recent” I think they are referring at least six years back.

A data controller’s compliance, or lack thereof, with data protection laws in one area is likely to be indicative of its attitude to compliance elsewhere. Surely the time has come for the ICO at least to remind politicians that online privacy rights are not to be treated with contempt?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under consent, Data Protection, enforcement, Information Commissioner, marketing, PECR, privacy notice

No harm done

Why does nobody listen to me?

Quite a few media outlets and commentators have picked up on the consultation by the Department for Culture, Media and Sport I blogged about recently. The consultation is about the possibility of legislative change to make it easier for the Information Commissioner’s Office (ICO)(ICO) to “fine” (in reality, serve a civil monetary penalty notice) on people or organisations who commit serious contraventions of ePrivacy law in sending unsolicited electronic marketing messages (aka spam calls, texts, emails etc).

However, almost every report I have seen has missed a crucial point. So, we have The Register saying “ICO to fine UNBIDDEN MARKETEERS who cause ‘ANXIETY’…Inconvenience, annoyance also pass the watchdog’s stress test”, and Pinsent Masons, Out-Law.com saying “Unsolicited marketing causing ‘annoyance, inconvenience or anxiety’ could result in ICO fine”. We even have 11KBW’s formidable Christopher Knight saying

the DCMS has just launched a consultation exercise on amending PECR with a view to altering the test from “substantial damage or distress” to causing “annoyance, inconvenience or anxiety”

But none of these spot that the preferred option of DCMS, and the ICO is actually to go further, and give the ICO the power to serve a monetary penalty notice even when no harm has been shown at all

Remove the existing legal threshold of “substantial damage and distress” (this is the preferred option of both ICO and DCMS. There would be no need to prove “substantial damage and distress”, or any other threshold such as ‘annoyance, inconvenience or anxiety’…

So yes, this is a blog post purely to moan about the fact that people haven’t read my previous post. It’s my blog and I’ll cry if I want to.

UPDATE:

Chris Knight is so formidable that he’s both updated the Panopticon post and pointed out the oddness of option 3 being preferred when nearly all of the consultation paper is predicated on option 2 being victorious.

Leave a comment

Filed under Information Commissioner, marketing, monetary penalty notice, PECR, spam texts

DCMS consulting on lower threshold for “fining” spammers

UPDATE: 08.11.14

Rich Greenhill has spotted another odd feature of this consultation. Options one and two both use the formulation “the contravention was deliberate or the person knew or ought to have known that there was a risk that the contravention would occur”, however, option three omits the words “…or ought to have known”. This is surely a typo, because if it were a deliberate omission it would effectively mean that penalties could not be imposed for negligent contraventions (only deliberate or wilful contraventions would qualify). I understand Rich has asked DCMS to clarify this, and will update as and when he hears anything.

END UPDATE

UPDATE: 04.11.14

An interesting development of this story was how many media outlets and commentators reported that the consultation was about lowering the threshold to “likely to cause annoyance, inconvenience or anxiety”, ignoring in the process that the preferred option of DCMS and ICO was for no harm threshold at all. Christopher Knight, on 11KBW’s Panopticon blog kindly amended his piece when I drew this point to his attention. He did, however observe that most of the consultation paper, and DCMS’s website, appeared predicated on the assumption that the lower-harm threshold was at issue. Today, Rich Greenhill informs us all that he has spoken to DCMS, and that their preference is indeed for a “no harm” approach: “Just spoke to DCMS: govt prefers PECR Option 3 (zero harm), its PR is *wrong*”. How very odd.

END UPDATE

The Department of Culture, Media and Sport (DCMS) has announced a consultation on lowering the threshold for the imposing of financial sanctions on those who unlawfully send electronic direct marketing. They’ve called it a “Nuisance calls consultation”, which, although they explain that it applies equally to nuisance text messages, emails etc., doesn’t adequately describe what could be an important development in electronic privacy regulation.

When, a year ago, the First-tier Tribunal (FTT) upheld the appeal by spam texter Christopher Niebel against the £300,000 monetary penalty notice (MPN) served on him by the Information Commissioner’s Office (ICO), it put the latter in an awkward position. And when the Upper Tribunal dismissed the ICO’s subsequent appeal, there was binding authority on the limits to the ICO’s power to serve MPNs for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). There was no dispute that, per the mechanism at section 55A of the Data Protection Act 1998 (DPA), adopted by PECR by virtue of regulation 31, Niebel’s contraventions were serious and deliberate, but what was at issue was whether they were “of a kind likely to cause substantial damage or substantial distress”. The FTT held that they were not – no substantial damage would be likely to arise and when it came to distress

the effect of the contravention is likely to be widespread irritation but not widespread distress…we cannot construct a logical likelihood of substantial distress as a result of the contravention.

When the Upper Tribunal agreed with the FTT, and the ICO’s Head of Enforcement said it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant” it seemed clear that, for the time being at least, there was in effect a green light for spam texters, and, by extension, other spam electronic marketers. The DCMS consultation is in response to calls from the ICO, and others, such as the All Party Parliamentary Group (APPG) on Nuisance Calls, the Direct Marketing Association and Which for a change in the law.

The consultation proposes three options – 1) do nothing, 2) lower the threshold from “likely to cause substantial damage or substantial distress” to “likely to cause annoyance, inconvenience or anxiety”, or 3) remove the threshold altogether, so any serious and deliberate (or reckless) contravention of the PECR provisions would attract the possibility of a monetary penalty. The third option is the one favoured by DCMS and the ICO.

If either of the second or third options is ultimately enacted, this could, I feel, lead to a significant reduction in the prevalence of spam marketing. The consultation document notes that (despite the fact that the MPN was overturned on appeal) the number of unsolicited spam SMS text message sent reduced by a significant number after the Niebel MPN was served. A robust and prominent campaign of enforcement under a legislative scheme which makes it much easier to impose penalties to a maximum of £500,000, and much more difficult to appeal them, could put many spammers out of business, and discourage others. This will be subject, of course, both to the willingness and the resources of the ICO. The consultation document notes that there might be “an expectation that [MPNs] would be issued by the ICO in many more cases than its resources permit” but the ICO has said (according to the document) that it is “ready and equipped to investigate and progress a significant number of additional cases with a view to taking greater enforcement action including issuing more CMPs”.

There appears to be little resistance (as yet, at least) to the idea of lowering or removing the penalty threshold. Given that, and given the ICO’s apparent willingness to take on the spammers, we may well see a real and significant attack on the scourge. Of course, this only applies to identifiable spammers in the domestic jurisdiction – let’s hope it doesn’t just drive an increase in non-traceable, overseas spam.

 

 

3 Comments

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, spam texts, Upper Tribunal

Green light for spam texters – for now

The ICO has effectively conceded he has no current powers to issue monetary penalties on spam texters.

In June this year the Upper Tribunal dismissed the appeal by the Information Commissioner’s Office (ICO) against the quashing of a £300,000 monetary penalty notice (the MPN) served on spam texter Christopher Niebel. The MPN had been issued pursuant to the ICO’s powers under section 55A of the Data Protection Act 1998 to serve such a notice if there has been a serious contravention of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) of a kind likely to cause substantial damage or substantial distress. The Upper Tribunal held that the First-tier Tribunal had not erred in law in finding that the ICO’s relevant interpretation of “distress” was unsustainable:

the tribunal took issue with the Commissioner’s guidance as to the meaning of “distress” and, in my opinion rightly so. According to that guidance, “Distress is any injury to feelings, harm or anxiety suffered by an individual” (at paragraph [12], emphasis added). The tribunal’s conclusion was that if this “involves the proposition that it is not possible to have ‘any injury to feelings’ which falls short of ‘distress’ then, it seems to us, that the definition is at odds with common experience and with the ordinary use of English [¶60]

As the law required evidence that Niebel’s company’s sending of spam texts had been of a kind likely to cause substantial distress, and as the ICO’s evidence did not match up to this, the MPN had been rightly quashed. Implicitly, the Upper Tribunal was suggesting that further MPNs of this kind would also not be sustainable, and, explicitly, it questioned whether, if Parliament wanted to give the ICO powers to financially punish spam texters, it would require a change in the law

[a] more profitable course of action, is for the statutory test to be revisited…a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than “substantial damage or substantial distress”, might well have resulted in a different outcome.

To no real surprise, since the ICO lost this appeal, no further MPNs have been issued for spam texting (some have been served for spam telephone calls). Now the ICO, in a blog post by their Head of Enforcement Steve Eckersley has effectively conceded that the result of the Niebel litigation has been to remove their powers to serve MPNs for spam texts, saying it had “largely [rendered] our power to issue fines for breaches of PECR involving spam texts redundant”. And Eckersley picks up the call for a law change, confirming that there will be a consultation later this year (whether any of this will see results this side of the general election, however, is another question).  This call echoes one made by the Information Commissioner himself, who said in February

We have just got to lower that hurdle because I think if you ask most people they would say silent calls and unsolicited spam texts are one of the great curses of the age – and if the Information Commissioner can’t protect you it’s a poor lookout.
There are, of course, other strings to the ICO bow, and Eckersley refers to some of them
we are using our existing powers to hold companies to account and to disrupt their unlawful activities….and we are obtaining undertakings from and issuing enforcement notices, effectively cease-and-desist orders, to companies that breach PECR.
This sounds good, but leaves me rather puzzled: as the ICO has confirmed to me, no enforcement notices have been served and only one undertaking obtained, against companies or individuals who have sent spam texts in breach of PECR. Enforcement notices are a strong power – breach of one is a criminal offence – and only require the ICO to consider whether the PECR contravention has caused or is likely to cause any person damage or distress, not “substantial damage or substantial distress”. This lower threshold should make it much more difficult for enforcement to be resisted. Maybe some enforcement notices are on their way? One rather hopes so, because, for the moment, it looks like spam texters have received a green light.
EDITED TO ADD:
Tim Turner points out to me that a conviction for breach of an enforcement notice is not a recordable offence it will not make its way on to the Police National Computer, and will not therefore generally result in disclosure for, e.g. employment purposes. Tim’s view, and it is a compelling one, is that for a lot of spammers the threat of a minor conviction for breach of a legal notice is not one which is likely to dissuade them from their practice.

7 Comments

Filed under Data Protection, enforcement, Information Commissioner, Information Tribunal, marketing, monetary penalty notice, nuisance calls, PECR, Upper Tribunal