Tribunal upholds decision to overturn ICO fine for unsolicited marketing activities

Out-Law News | 23 Jun 2014 | 5:31 pm

The Information Commissioner's Office (ICO) has lost its appeal against a decision to overturn a £300,000 monetary penalty it served on an individual for his part in what the watchdog claimed was a serious breach of UK privacy laws.

An upper tribunal backed a lower tribunal's ruling in 2013 that the ICO had not shown that the man's sending of unsolicited direct marketing had met the legal threshold for serving fines.

Privacy law expert Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said: "For companies with no reputation to protect, a finding that they are in breach of the law is no deterrent to engage in unlawful activity where there is no consequence for that breach. If the test is too high for justifying the serving of a monetary penalty for a breach of the Privacy and Electronic Communications Regulations (PECR) then it cuts across the ICO's ability to fine rendering that power ineffective and the legislation meaningless."

"In addition, too high a threshold has meant that the ICO has, by its own admission, been unable to take action against businesses in breach of PECR for many months after receiving complaints about unsolicited marketing activities they are engaged in because of the need to build such a weight of evidence to justify serving them with a fine," she said.

Under PECR, the ICO can fine businesses and other organisations up to £500,000 for serious breaches of the rules, including those on the sending of unwanted marketing emails and texts or live and automated marketing phone calls to individuals.

The rules generally prohibit organisations from transmitting or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has notified prior consent for the messages to be sent. The marketing companies also must not disguise or conceal their identity in the messages, or give an invalid address for recipients to use when asking for the messages to stop being sent.

Companies can send direct marketing via electronic mail to consumers if they have "obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient", where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication."

Recipients must not be charged when opting out other than what it costs them for the "transmission" of their refusal, according to the regulations.

In November 2012 the ICO fined Christopher Niebel £300,000 following an investigation into the marketing activities of the company Niebel partly owned, Tetrus Telecoms. The ICO also fined Gary McNeish, who part-owned the business with Niebel, £140,000.

At the time the ICO said that its investigation had uncovered evidence that Tetrus used unregistered pay-as-you-go SIM cards to send up to 840,000 spam texts every day from offices in Stockport and Birmingham, raising income of between £7,000 and £8,000 each day. It said that Tetrus made the money by passing on to others the numbers of those who responded to the texts, even if they responded just to seek to opt out of receiving further messages.

However, Niebel challenged the fine served on him by the ICO and in October last year a first-tier information rights tribunal overturned the penalty after finding that the legal threshold for serving a fine under PECR had not been met.

The test for determining if a fine is justified for the sending of unsolicited direct marketing communications is whether the breach is serious and "of a kind likely to cause substantial damage or substantial distress". The threshold is written into the Data Protection Act and also applies where the ICO considers whether to issue civil monetary penalties to organisations that breach data protection laws.

The first-tier tribunal found that it would be "most unlikely" for the "nature and scale" of Niebel's breach "to cause substantial damage" and that it was also "highly unlikely" that individuals would be disturbed by being reminded about previous accidents as a result of receiving the spam texts or that they would be distressed by the raising of "false expectations of compensation".

Instead, the tribunal judge said that the effect of Niebel's breach of PECR was "likely to be widespread irritation but not widespread distress". The judge said that he could not "construct a logical likelihood of substantial distress as a result of the contravention".

Upper tribunal judge Nicholas Wikeley said that the 'substantial damage or substantial distress' threshold for serving a fine under PECR was "a purely domestic construct" and was not a requirement set out in the EU's Privacy and Electronic Communications Directive, from which PECR is derived.

He said that the outcome of the case against Niebel may have been different if a different threshold test had applied for serving a penalty.

"The formulation of the threshold in those terms was not mandated by EU law; it was a domestic decision to set the bar at that level," the upper tribunal judge said. "If the result of this case is a question mark over whether the Commissioner’s powers are in the terms of the Directive 'effective' and 'dissuasive' (howsoever those terms are defined), then it seems to me there are at least two possible answers."

"The first is for the Commissioner to present a more compelling case. Given the considerable resource and effort that was put into this investigation by the Commissioner’s staff, I suspect it is questionable whether much more could be achieved on that front. The second, and realistically more profitable course of action, is for the statutory test to be revisited with a view to making it better fit the objectives of the [EU's Privacy and Electronic Communications Directive]. So, for example, a statutory test that was formulated in terms of e.g. annoyance, inconvenience and/or irritation, rather than 'substantial damage or substantial distress', might well have resulted in a different outcome," he said.

In March the UK government announced that it would consult later this year on lowering the threshold that must be met before the ICO can serve fines for nuisance calls made by companies.