Out-Law News | 27 Oct 2014 | 11:37 am | 3 min. read
In its consultation, the Department for Culture, Media and Sport (DCMS) said that removing the existing legal threshold of harm that needs to be demonstrated by the ICO to enable it to impose monetary penalties on organisations that breach rules set out under the Privacy and Electronic Communications Regulations (PECR) would help the watchdog to "take robust action" against companies that engage in unsolicited direct electronic marketing activity.
"There would be no need to prove 'substantial damage and distress', or any other threshold such as ‘annoyance, inconvenience or anxiety’," DCMS said. "The Commissioner would still need to be satisfied that there had been a serious contravention and that this had been deliberate or the person knew that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention."
"This would not only simplify the regulations, but also provide the greatest scope for ICO to issue [fines] as part of its enforcement work. The benefit of this option would be that it will enable the ICO to impose [fines] of up to £500,000 to organisations contravening the PECR, which includes those that currently escape being punished, where for example there may be insufficient complaint numbers registered with the ICO about their conduct," it said.
Currently, the ICO must prove that unsolicited direct electronic marketing causes consumers "substantial damage or substantial distress" to merit it serving businesses responsible for the activity with a monetary penalty.
"The majority of rogue marketing firms make hundreds, rather than thousands, of calls and the nuisance is no less a nuisance for falling short of the ‘substantial’ threshold," Information Commissioner Christopher Graham said. "This change means we could now target those many companies sending unwanted messages – and we think consumers would see a definite drop off in the total number of spam calls and texts."
The ICO previously lost a legal battle with a business owner, Christopher Niebel, over a £300,000 fine it had issued him regarding a breach of PECR rules. An information rights tribunal overturned the fine after finding that the ICO had failed to show that the sending of spam text messages, for which it held Niebel part-responsible, had caused the recipients of those messages substantial damage or substantial distress.
An ICO investigation had uncovered evidence that Tetrus, the business part-owned by Niebel, had used unregistered pay-as-you-go SIM cards to send up to 840,000 spam texts every day from offices in Stockport and Birmingham, raising income of between £7,000 and £8,000 each day. However, the tribunal judge said that the effect of Niebel's breach of PECR was "likely to be widespread irritation but not widespread distress".
The ICO appealed the decision but lost its case before an upper information rights tribunal in June. The judge in that case said that, had an alternative legal threshold for serving penalties applied, there might have been a "different outcome". Nicholas Wikeley suggested that the alternative test could be whether unsolicited marketing activities in breach of PECR caused "annoyance, inconvenience and/or irritation".
"The overturning of one of its large [monetary penalties] has made ICO reluctant to issue further penalties in relation to spam texts for fear that they will not be seen as meeting the legal threshold requirements," according to the DCMS consultation. "As a result [the] ICO currently only investigates a small proportion of cases and targets its resources on those that could result in larger penalties, as they would act as a stronger deterrent as well."
The ICO said that it could have taken enforcement action against "approximately 50 more organisations" than it had done for PECR breaches during the period 1 April 2012 to 31 November 2012 had a lower legal threshold for serving fines applied then, according to DCMS' consultation.
The watchdog is currently investigating 35 organisations over PECR violations, it said.
Under PECR, organisations are generally prohibited from transmitting or instigating the transmission of unsolicited electronic communications to consumers for the purposes of direct marketing unless the person receiving those communications has provided prior consent for the messages to be sent. Marketing companies also must not disguise or conceal their identity in the messages, or give an invalid address for recipients to use when asking for the messages to stop.
Companies can send direct marketing via electronic mail to consumers if they have "obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient", where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication."
The ICO has the power to issue fines of up to £500,000 against organisations that breach the PECR rules. DCMS' consultation closes on 7 December.
Editor’s note 11/11/14: this story has been updated. We earlier reported that DCMS was intending to adjust the legal threshold for serving PECR fines to one where the ICO would have to show that unsolicited direct electronic marketing activity caused "annoyance, inconvenience or anxiety". Whilst this remains an option that DCMS is consulting on, its preference is to remove the 'substantial damage and distress' threshold altogether. We apologise for this error.