Archive for the ‘Direct marketing’ Category

Spam texts: “substantially distressing” or just annoying?

Posted on November 11th, 2014 by

The Department for Culture, Media and Sport (“DCMS”) recently launched a consultation to reduce or even remove the threshold of harm the Information Commissioner’s Office (“ICO”) needs to establish in order to fine nuisance callers, texters or emailers.


In 2010 ICO was given powers to issue Monetary Penalty Notices (“MPNs”, or fines to you and me) of up to £500,000 for those companies who breach the Data Protection Act 1998 (“DPA”).  In 2011 these were extended to cover breaches of the Privacy and Electronic Communications Regulations 2003 (“PECR”), which sought to control the scourge of nuisance calls, texts and emails.

At present the standard ICO has to establish before issuing an MPN is a high one: that there was a serious, deliberate (or reckless) contravention of the DPA or PECR which was of a kind likely to cause substantial damage or substantial distress.  Whilst unsolicited marketing calls are certainly irritating, can they really be said to cause “substantial distress”?  Getting a text from a number you didn’t know about a PPI claim is certainly annoying, but could it seriously be considered “substantial damage”?  Not exactly; and therein lies the problem.


In the first big case where ICO used this power, it issued an MPN of £300,000 to an individual who’d allegedly sent millions of spam texts for PPI claims to users who had not consented to receive them.  Upon appeal the Information Rights Tribunal overturned the fine.  The First Tier Tribunal found that whilst there was a breach of PECR (the messages were unsolicited, deliberate, with no opt-out link and for financial gain), the damage or distress caused could not be described as substantial.  Every mobile user knew what a PPI spam text meant and was unlikely to be concerned for their safety or have false expectations of compensation.  A short tut of irritation and then deleting the message solved the problem.  The Upper Tribunal agreed: a few spam texts did not substantial damage or distress cause.  Interestingly, the judge pointed out that the “substantial” requirement had come from the UK government, was stricter than that required by the relevant EU Directive and suggested the statutory test be revisited.

This does not however mean that ICO has not been able to use the power.  Since 2012 it has issued nine MPNs totalling £1.1m to direct marketers who breach PECR.  More emphasis is placed on the overall level of distress suffered by hundreds or thousands of victims, which can be considered substantial.  ICO concentrates on the worst offenders: cold callers who deliberately and repeatedly call numbers registered with the Telephone Preference Service, (“TPS” – Ofcom’s “do not call” list) even when asked to stop and those that attract hundreds of complaints.

In fact, in this particular case there were specific problems with the MPN document (this will not necessarily come as a surprise for those familiar with ICO MPNs).  The Tribunal criticised ICO for a number of reasons: not being specific about the Regulation contravened, omitting important factual information, including in the period of contravention time when ICO did not yet have fining power and changing the claim from the initial few hundred complaints to the much wider body that may have been sent.  Once all this was taken into consideration, only 270 unsolicited texts were sent to 160 people.


ICO has been very vocal about having its hands tied in this matter and has long pushed for a change in the law (which is consistent with ICO’s broader campaigning for new powers).  Nuisance calls are a cause of great irritation for the public and currently only the worst offenders can be targeted.  Statistics compiled by ICO and TPS showed that the most nuisance is caused by large numbers of companies making a smaller number of calls.  Of 982 companies that TPS received complaints about, 80% received fewer than 5 complaints and only 20 more than 25 complaints.

Following a select committee enquiry, an All Party Parliamentary Group and a backbench debate, DCMS has launched the consultation, which invites responses on whether the threshold should be lowered to “annoyance, inconvenience or anxiety“.  This would bring it in line with the threshold Ofcom must consider when fining telecoms operators for persistent misuse for silent/abandoned calls. ICO estimates that had this threshold been in place since 2012, a further 50 companies would have been investigated/fined.

The three options being considered are: to do nothing, to lower the threshold or to remove it altogether.  Both ICO and DCMS favour complete removal.  ICO would thus only need to prove a breach was serious and deliberate/reckless.


I was at a seminar last week with the Information Commissioner himself, Chris Graham, at which he announced the consultation.  It was pretty clear he is itching to get his hands on these new powers to tackle rogue callers/emailers/texters, but emphasised any new powers would still be used proportionally and in conjunction with other enforcement actions such as compliance meetings and enforcement notices.  Even the announcement of any new law should act as a deterrent: typically whenever a large MPN is announced, the number of complaints about direct marketers reduces the following month.

The consultation document is squarely aimed at unsolicited calls, texts and emails and is consistently stated to only apply to certain regulations of PECR.  There is no suggestion that the threshold be reduced for other breaches of the PECR or the DPA.  It will be interesting to see how any reform will work in practice as the actual threshold is contained within the DPA and so will require its amendment.

The consultation will run until 7 December 2014, the document can be found here.  Organisations that are concerned about these proposals now have an opportunity to make their voices heard.

Update 27 February 2015

Following the consultation, DCMS announced that the majority of responses favoured the complete removal of the threshold.  As a result, from 6 April 2015 section 55A(1) of the DPA will be amended to remove the need to prove “substantial harm or substantial distress” in respect of regulations 19 to 24 of PECR.  ICO will still need to establish that the breach was serious and intentional or reckless, however this reform removes a huge hurdle in the fight against spammers.

German Federal Court: “send-to-a-friend” emails are SPAM

Posted on November 7th, 2013 by

In a recent decision of 12 September 2013 (court ref. I ZR 208/12), the German Federal Court of Justice ruled that e-mails sent via “send-to-a-friend” functionality on websites must be considered illegal spam email unless the recipient expressly consented to receive the email. According to the court, responsibility to obtain consent rests with the website service provider, not the user. The court further held that it is irrelevant that the act of sending was initiated by a user, since the indirect promotional nature of ‘send-to-a-friend’ e-mails falls  within the scope of German direct marketing regulation under Sec. 7 German Unfair Competition Act.

“Send-to-a-friend” functionality allows users to send an e-mail from the website to a third-party recipient linking to interesting content on the website.   In this particular case, the e-mail was sent through the mail server of the website provider and in the name of the website provider. As a consequence, the Federal Court ruled that the “send-to-a-friend” functionality must be considered illegal under German law.

The court emphasised illegality where the website provider appears as the sender of the recommendation email, as it is virtually impossible for the provider to meet the requirements for express consent under Sec. 7 Unfair Competition Act.  However, chances are that its reasoning would not have been different had the user been identified as the sender since the court predominantly focussed on the promotional intention of the website provider  in its ruling.    Further, if the user had appeared  as the sender, this could give rise to other claims under unfair competition law on the basis concealing   the identity of the advertiser in a promotional e-mail.

Under German Unfair Competition Law, the sending of commercial e-mails is subject to a strict and express consent requirement, usually following the so-called “double-opt-in” mechanic , i.e. the advertiser must not only obtain consent at the time of collecting the e-mail address, but  also ensure that the user who provided the e-mail address is the owner of the account by sending a confirmation email with a link for the user to click on to confirm his or her consent. In practice, these requirements seem will be very challenging to obtain for “send-to-a-friend” functionality.

Recommendations for marketers

Nevertheless, “send-to-a-friend” marketing remains a popular and powerful tool for advertisers, and this latest ruling is unlikely to diminish its popularity in the short term.  Website providers who wish to continue using “send-to-a-friend” marketing in Germany can mitigate risk by:

1.  Clearly disclosing to the user that he or she should only use the feature if they have sufficient reason to assume that the recipient consents to receive the recommendation email

2.  Identifying the user as the sender of the e-mail, not the website.

3.  Not sending “send-to-a-friend” e-mails to individuals who have previously opted out of receiving marketing communications from the provider.  An opt-out link should also be included in every “send-to-a-friend” e-mail.

4.   Capping the number of messages a user is allowed to send and not incentivising sending by, for example, offering additional competition entries for each e-mail sent (currently common in many prize draw mechanics) .

However, while taking the above measures will limit enforcement risks on a practical level, from a purely legal point of view  it seems that exposure can only be fully avoided by removing “send-to-a-friend” features from websites.  Whether or not this spells the end of “send-to-a-friend” functionality in Germany in the longer term will depend on the level and significance of any enforcement activity by individuals, competitors and/or consumer protection associations  following the court’s ruling.

UK e-privacy enforcement ramps up

Posted on April 29th, 2013 by

The times when one could say that the UK ICO was a fluffy, teethless regulator are over. Recently, the ICO has been going through its most prolific period of enforcement activity – by the end of 2012 it had imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings and 2013 looks set to bring similar activities (in March for example the ICO issued its first monetary penalty for a serious breach of the Privacy and Electronic Communications Regulations 2003 (‘PECR’) relating to live marketing calls – a £90,000 fine for Glasgow-based DM Design for unwanted marketing calls.

To coincide with such activities, the ICO has recently updated the enforcement section of its website. What this tells us is that whilst data security breaches will continue to be a significant area of focus for the ICO, PECR breaches will also figure highly in the ICO’s enforcement agenda. In this regard, the ICO tell us that it has already been active in the areas of ‘spam texts’, sales calls and cookies.

Spam texts are identified as ‘one of the biggest concerns to consumers’ (the ICO refers to texts about accident and ‘PPI’ claims, in particular) and refers to the work it has carried out with members of the mobile phone industry in order to identify an organisation which is now the subject of enforcement action. The ICO also identifes ‘Live’ Sales Calls and ‘Automated Calls’ as other areas of priority, and have explicitly identified (and published) the names of a number of companies where they have either met to discuss compliance issues; or indeed are in the process of activeley monitoring ‘concerns’ about compliance with a view to considering enforcement action. This is not only related to UK-based companies, but also those based overseas who are targeting UK-based consumers. The ICO tell us that they are actively working with the FTC in the US and with other regulators based in Ireland, Belgium and Spain through Consumer Protection Co-operation arrangements.

Finally the ICO tells us that between January and March 2013 it received a further 87 reported concerns via its website from individuals about cookies (many less than the amount of concerns about unwanted marketing communications from individuals, it has to be said). The ICO will continue to focus on those websites that are doing nothing to raise awareness of cookies or obtain users’ consent, and also on those sites they receive complaints about or are ‘visited most by consumers’. However the ICO also say that they have ‘maintained a consumer threat level of ‘low’ in this area due to the low level of concerns reported’.

It is obvious that as consumer technologies such as tablets and smart-phones continue to develop, so too will the ICO’s enforcement strategy in this area. Compliance with PECR should therefore also figure highly on any business’s data protection compliance strategy.

ICO’s enforcement action: what do the cases tell us?

Posted on March 1st, 2013 by

We recently completed our comprehensive analysis of the UK Information Commissioner’s Office (ICO) enforcement actions in 2012. You may find this analysis, along with statistics, pie charts and summaries of the key facts of each case, in our ICO Enforcement Action Tracker 2012.

The analysis highlights some very interesting facts and trends, and provides valuable insights into ICO’s enforcement strategy and how it translates into action. Here are a few examples:

  • - 2012 was the most prolific year yet for ICO enforcement action: ICO imposed 25 fines, issued 3 enforcement notices, secured 6 prosecutions and obtained 31 undertakings
  • - Whilst the public sector has been the main focus of enforcement action, the focus is now shifting to the private sector (which has been confirmed by the enforcement activity in early 2013)
  • - Data security breaches remain the most regulated type of failure (no surprises here). For instance, out of the 25 fines, 22 were for security breaches, 1 was for breach of the data accuracy rule of the Data Protection Act 1998, and 2 were for breach of the direct marketing rules of the Privacy and Electronic Communications Regulations 2003.
  • - Data controllers who voluntarily self report an incident to ICO are not given immunity from enforcement; for instance, 21 of the 25 fines were for self reported breaches.


It is obvious from the cases that ICO does not hesitate to take serious enforcement action and is becoming a real force to be reckoned with and a driver for change. Looking at the year ahead, we can expect ICO’s enforcement activity to continue at this pace or even intensify, focusing in the areas that ICO has prioritised as posing a higher data protection risk, namely health; internet and mobile; financial services; security; and criminal justice. Although the public sector will remain firmly on ICO’s radar, we expect the regulator to turn more of its attention to the private sector. This is likely to mean more serious enforcement action, but also, we believe, a greater appetite to challenge enforcement actions.

In Session 1 of our Privacy and Security Breakfast Briefings for 2013 (scheduled for April 2013) we will present and expand on the findings of our analysis as set out in the Tracker. We will dissect ICO’s strategy and enforcement action in order to identify the highest risk areas, understand the trajectory of enforcement action and what our organisations should be doing to manage the risk of failure and enforcement action.

To receive a copy of our ICO Enforcement Action Tracker 2012 or to secure an invitation to Session 1 of our Privacy and Security Breakfast Briefings for 2013 please email

Privacy in the global village

Posted on September 4th, 2012 by

There is nothing like the Olympic Games to remind us of the diversity of our global village – from the young fully-clothed Saudi athlete to the veteran Japanese rider, including of course the African marathon runner who ran for the world.  Yet among that diversity, all of those athletes have something in common: passion for sport and desire to succeed.  In the ever changing world of privacy and data protection, global diversity is proven every day by fascinating developments taking place in every corner of the planet.  At the same time, a common pattern can be seen in many of those developments: their attempt to strike the right balance between the exploitation and the protection of the most valuable asset of our time.  So whilst Brussels wakes up from its legislative recess, it is worthwhile having a look at what has been happening in other parts of the world and spot trends and priorities in the regulation of personal information.

The most veteran jurisdiction in this area of law in Asia, Hong Kong, has just had a revamp of its 15 year old Personal Data (Privacy) Ordinance.  Interestingly, the changes represent a considerable toughening of the existing regime, covering things like additional requirements in relation to direct marketing, supervisory duties in respect of data processors and enhanced enforcement powers for the privacy commissioner.  So whilst the regulator will not be able to award compensation to aggrieved individuals as originally requested by the Office of the Privacy Commissioner, new financial penalties as well as the potential for up to five years imprisonment signal a stricter approach to the use of personal information.

Further north, in South Korea, the Personal Information Protection Act has only been in force for a few months but is already being branded as the toughest in Asia.  With requirements that mirror some of the most demanding provisions of the proposed EU data protection regulation – like mandatory privacy officers, detailed security measures and data breach notification – Korea’s new law is not one to be taken lightly.  The local regulator is unlikely to be a quiet one and there are reports about a CNIL-like investigation into Google’s changes to its privacy policy, which if anything, will raise the authority’s standing among its peers.

The rest of Asia is not standing still either as countries like Malaysia, Singapore and the Philippines are also making progress in this area.  Malaysia’s Personal Data Protection Act has just come into force, so it is a bit early to say how far reaching it will be in practice but its pedigree looks rather European.  Singapore’s approach is slightly more modest and the legislative process is less advanced, but the draft bill is not without complexity.  As for the Philippines, after some delay, the new Data Privacy Act has now been formally signed by the country’s president and will be fully in force in about a year’s time.  The Philippines’ law is in line with the European approach to privacy as a fundamental right, but much less prescriptive when it comes to regulating international data transfers.

This particular issue is one that concerns global organisations seeking to adopt a coherent and consistent methodology for compliance in respect of data flows.  The European approach to international data transfers is intimidating to say the least, so it is understandable that those organisations that are investing in programmes like Binding Corporate Rules want to take advantage of that solution on a truly global scale.  Otherwise, it would be hugely frustrating to devise and implement a data protection framework that worked for Europe but didn’t quite cut it in a growing number of jurisdictions.

Fortunately, here is where the accountability model championed under the APEC Cross-Border Privacy Rules throughout Asia and other countries around the Pacific Ocean does the trick, as it gives organisations the opportunity to decide how best protect the personal information they collect and use around the world.  That way, whether one is trying to meet the expectations of data protection regulators in Europe, Asia or indeed America in respect of international data flows, it is not only possible but advisable, to devise a system like BCR that regards data protection as a global response to a business need and not as a box-ticking exercise.

This article was first published in Data Protection Law & Policy in August 2012.

France: Sending of direct marketing communications: list brokers and clients: CNIL finds liability on both sides

Posted on February 13th, 2012 by

On 12 January 2012, the CNIL imposed a significant fine on a real property reports company which had purchased a list of real estate owners’ personal data, obtained from online advertisements posted by these real estate owners, and which then sent direct marketing communications by SMS to the property owners without having previously obtained their express consent.


The CNIL’s decision is important for three reasons:


  • Firstly, the amount of the fine imposed is relatively high (20,000 €) and the CNIL made its decision public. It is obvious that the CNIL wishes to set an example in order to put an end to this type of practice, which according to it “inundates owners of property for sale and distorts competition“.


  • Secondly, it is the first time a fine has been imposed on the grounds of the direct marketing provisions which result from the Electronic Commerce Directive and which are included in Article 34-5 of the Post and Telecommunications Code.


Although the CNIL’s concern about the issue of obtaining prior consent before sending marketing communications dates from 2009, until now it has only imposed fines on marketing list brokers and always on the grounds of the French Data Protection Act of 6 January 1978, in particular Article 6 on fair collection (Decision no. 2009-148 of 26 February 2009 “Directannonces” [fine of 40.000€] and Decision no. 2011-193 of 28 June 2011 “PM Participation” [fine 10.000€]).


  • And thirdly, because the CNIL clearly states that marketing list brokers’ clients have an obligation to “ensure that they buy only “opt-in” files from their partners, ie, containing the addresses of persons who have given prior consent to receive marketing communications“.  


How should this “ensure” (in French “veiller à“) be interpreted? Unfortunately the CNIL does not provide further details. In the case at hand, the contract made with the marketing list broker did not state that the marketing list broker had obtained prior consent from the persons in question to receive direct marketing communications by SMS. Would the company have avoided a fine if such a clause had been included? We cannot be sure. However, this does seem to be the most practical and reasonable solution.


Following this decision, two questions remain unanswered:


  • Is a contractual clause stating that the persons in question gave their consent to receive direct marketing communications sufficient to protect the purchaser of such list from being fined?


  • Insofar as the CNIL has only given its opinion on data collected from real estate advertisements, will its position be the same for other types of data collection and intended recipients?


It will be worth paying attention to the future decisions rendered by the CNIL in this area.


And finally, it is important to note that this contractual clause will not exempt the client from compliance with the French Data Protection Act and in particular, the obligations to give notification of processing, inform those whose data is processed, and implement an effective system for opposition to processing.

The e-Privacy Directive – when and how does it apply exactly?

Posted on August 11th, 2011 by

One of the most frequent questions we get asked by clients is whether the e-Privacy Directive (2002/58/EC) applies on ‘country of origin’ or ‘country of destination’ basis.  This is normally in the context of e-marketing: advertisers running a pan-European campaign naturally want to understand whether they have to comply with the national e-privacy rules:

(a) only of the Member State in which they are established (the ‘country of origin’ principle); or

(b) of every Member State where their e-marketing recipients are based (the ‘country of destination’ principle).

However, while most commonly raised in an e-marketing context, understanding when and how the e-Privacy Directive applies is also relevant to determining website operators’ cookie ‘consent’ responsibilities. Do they have to comply with the (as yet to be determined) opt-in or opt-out rules of every Member State?

Why does this uncertainty exist?

Quite simply, this uncertainty exists because the e-Privacy Directive, unlike the Data Protection Directive (95/46/EC), does not have any provisions that expressly set out its geographical scope of application.

Article 1 of the e-Privacy Directive says only that: “This Directive provides for the harmonisation of the national provisions required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy and confidentiality, with respect to the processing of personal data in the electronic communication sector and to ensure the free movement of such data and of electronic communication equipment and services in the Community.” Article 3 provides some further clarity, adding that the e-Privacy Directive applies “to the processing of personal data in connection with the provision of publicly available electronic communications services.

Both Article 1 and 3 indicate that, in order for the e-Privacy Directive to apply, there must be processing of personal data. Yet, interestingly, regulatory consensus is that processing of personal data is not necessary for the e-Privacy Directive’s cookie ‘consent’ requirements to apply. The Article 29 Working Party said, in their Opinion on Online Behavioural Advertising, that “It is not a prerequisite for the application of this provision that this information is personal data within the meaning of Directive 95/46/EC“.  It’s challenging to resolve this interpretation with the applicability criteria specified in Articles 1 and 3 – but, challenging or not, this is the position that Data Protection Authorities seem to be taking.

So when and how do e-privacy rules apply?

To return to the original question of whether the e-Privacy Directive applies on a ‘country of origin’ or a ‘country of destination’ basis, marketers and website operators might naturally feel that the ‘country of origin’ principle ought to apply. There is precedent for this in the e-Commerce Directive (2000/31/EC), which says that “Each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question” (Article 3(1)).

However, despite setting the principle that information society service regulation should generally be determined on a ‘country of origin’ basis in the EU, the e-Commerce Directive subsequently excludes data protection e-marketing rules from this principle.

Country of origin rules for e-marketing

The key clarification about the scope of the e-Privacy Directive can in fact be found in Article 1(2). This points out that the provisions of the e-Privacy Directive “particularise and complement” those of the Data Protection Directive.

Put another way, this means that the e-Privacy Directive can be thought of as a specialised subset of rules that fall under the overall privacy framework established by the Data Protection Directive.  This is confirmed by Recital 10 of the e-Privacy Directive, which clarifies that the Data Protection Directive applies “to all matters concerning protection of fundamental rights and freedoms which are not specifically covered by the provisions of this [e-Privacy] Directive, including the obligations on the controller and the rights of individuals“.

So, in the absence of clear geographical applicability rules in the e-Privacy Directive itself, data controllers must instead look to the applicability rules of the Data Protection Directive.  These are set in Article 4 of the Data Protection Directive and, for EU-based data controllers, make clear that data protection laws apply on a ‘country of origin’ basis.  However, non-EU based data controllers are subject to the national laws of the territories in which they use ‘equipment’ – which potentially includes devices where cookies are served to collect data – and so need to review local EU law risk carefully.

What this means and why it matters

It is a commonly-held misconception that data protection e-marketing rules apply to EU businesses on a ‘country of destination’, not a ‘country of origin’ basis. The consequence of this is that marketers often expend excessive legal budget taking legal advice across multiple EU member states in respect of the pan-European campaigns they want to conduct. Naturally, there will be local laws that apply (e.g. local consumer protection laws, advertising standards rules, and gaming laws), but data protection advice will need normally only to be sought from the from the EU territory in which the marketer is based. A proper understanding of the geographical scope of application of the e-Privacy Directive therefore has the potential to substantially reduce marketing budgets.

The same ought to be true for cookies. That is to say, a website operator established in one EU member state should have to comply with the cookie ‘consent’ requirements of that Member State only – not those of other Member States. However, the advantages of the ‘country of origin’ are lost where the operator is established outside the European Union, because in that case, the national data protection authorities will argue very strongly that where ‘equipment’ in used in their jurisdictions, each of their local laws will most definitely apply.