The Department for Culture, Media and Sport (“DCMS”) recently launched a consultation to reduce or even remove the threshold of harm the Information Commissioner’s Office (“ICO”) needs to establish in order to fine nuisance callers, texters or emailers.
In 2010 ICO was given powers to issue Monetary Penalty Notices (“MPNs”, or fines to you and me) of up to £500,000 for those companies who breach the Data Protection Act 1998 (“DPA”). In 2011 these were extended to cover breaches of the Privacy and Electronic Communications Regulations 2003 (“PECR”), which sought to control the scourge of nuisance calls, texts and emails.
At present the standard ICO has to establish before issuing an MPN is a high one: that there was a serious, deliberate (or reckless) contravention of the DPA or PECR which was of a kind likely to cause substantial damage or substantial distress. Whilst unsolicited marketing calls are certainly irritating, can they really be said to cause “substantial distress”? Getting a text from a number you didn’t know about a PPI claim is certainly annoying, but could it seriously be considered “substantial damage”? Not exactly; and therein lies the problem.
In the first big case where ICO used this power, it issued an MPN of £300,000 to an individual who’d allegedly sent millions of spam texts for PPI claims to users who had not consented to receive them. Upon appeal the Information Rights Tribunal overturned the fine. The First Tier Tribunal found that whilst there was a breach of PECR (the messages were unsolicited, deliberate, with no opt-out link and for financial gain), the damage or distress caused could not be described as substantial. Every mobile user knew what a PPI spam text meant and was unlikely to be concerned for their safety or have false expectations of compensation. A short tut of irritation and then deleting the message solved the problem. The Upper Tribunal agreed: a few spam texts did not substantial damage or distress cause. Interestingly, the judge pointed out that the “substantial” requirement had come from the UK government, was stricter than that required by the relevant EU Directive and suggested the statutory test be revisited.
This does not however mean that ICO has not been able to use the power. Since 2012 it has issued nine MPNs totalling £1.1m to direct marketers who breach PECR. More emphasis is placed on the overall level of distress suffered by hundreds or thousands of victims, which can be considered substantial. ICO concentrates on the worst offenders: cold callers who deliberately and repeatedly call numbers registered with the Telephone Preference Service, (“TPS” – Ofcom’s “do not call” list) even when asked to stop and those that attract hundreds of complaints.
In fact, in this particular case there were specific problems with the MPN document (this will not necessarily come as a surprise for those familiar with ICO MPNs). The Tribunal criticised ICO for a number of reasons: not being specific about the Regulation contravened, omitting important factual information, including in the period of contravention time when ICO did not yet have fining power and changing the claim from the initial few hundred complaints to the much wider body that may have been sent. Once all this was taken into consideration, only 270 unsolicited texts were sent to 160 people.
ICO has been very vocal about having its hands tied in this matter and has long pushed for a change in the law (which is consistent with ICO’s broader campaigning for new powers). Nuisance calls are a cause of great irritation for the public and currently only the worst offenders can be targeted. Statistics compiled by ICO and TPS showed that the most nuisance is caused by large numbers of companies making a smaller number of calls. Of 982 companies that TPS received complaints about, 80% received fewer than 5 complaints and only 20 more than 25 complaints.
Following a select committee enquiry, an All Party Parliamentary Group and a backbench debate, DCMS has launched the consultation, which invites responses on whether the threshold should be lowered to “annoyance, inconvenience or anxiety“. This would bring it in line with the threshold Ofcom must consider when fining telecoms operators for persistent misuse for silent/abandoned calls. ICO estimates that had this threshold been in place since 2012, a further 50 companies would have been investigated/fined.
The three options being considered are: to do nothing, to lower the threshold or to remove it altogether. Both ICO and DCMS favour complete removal. ICO would thus only need to prove a breach was serious and deliberate/reckless.
I was at a seminar last week with the Information Commissioner himself, Chris Graham, at which he announced the consultation. It was pretty clear he is itching to get his hands on these new powers to tackle rogue callers/emailers/texters, but emphasised any new powers would still be used proportionally and in conjunction with other enforcement actions such as compliance meetings and enforcement notices. Even the announcement of any new law should act as a deterrent: typically whenever a large MPN is announced, the number of complaints about direct marketers reduces the following month.
The consultation document is squarely aimed at unsolicited calls, texts and emails and is consistently stated to only apply to certain regulations of PECR. There is no suggestion that the threshold be reduced for other breaches of the PECR or the DPA. It will be interesting to see how any reform will work in practice as the actual threshold is contained within the DPA and so will require its amendment.
The consultation will run until 7 December 2014, the document can be found here. Organisations that are concerned about these proposals now have an opportunity to make their voices heard.
Update 27 February 2015
Following the consultation, DCMS announced that the majority of responses favoured the complete removal of the threshold. As a result, from 6 April 2015 section 55A(1) of the DPA will be amended to remove the need to prove “substantial harm or substantial distress” in respect of regulations 19 to 24 of PECR. ICO will still need to establish that the breach was serious and intentional or reckless, however this reform removes a huge hurdle in the fight against spammers.