Who: Mr Niebel trading as Tetrus Telecoms
When: 14 October 2013
Where: First Tier Tribunal, United Kingdom
Law stated as at: 5 November 2013
What happened:
The First-tier Tribunal has made its first decision on the subject of monetary penalty notices under the Privacy and Electronic Communications Regulations 2003. The appellant, Mr Niebel, successfully overturned a penalty of £300,000 in relation to the sending of unsolicited text messages.
The ICO had issued the monetary penalty notice against Mr Niebel (trading as Tetrus Telecoms) after he engaged in sending unsolicited text messages on a grand scale. The texts offered to pursue PPI mis-selling claims for the recipients.
Mr Niebel did not dispute these facts, or the fact that this activity amounted to a breach of the Privacy and Electronic Communications Regulations 2003 (“PECRs”), but he submitted that the ICO had exceeded its enforcement powers. The Data Protection Act 1998 s.55A, transposed into the PECRs by Regulation 31, only allows the ICO to issue monetary penalty notices if the breach of the PECRs was serious and “of a kind likely to cause substantial damage or substantial distress”.
The Tribunal agreed with Mr Niebel and held that the ICO had failed to establish that the contravention was of a kind likely to cause substantial damage or distress. This was particularly as the notice seemed to be confined to only a few hundred cases in which the recipients had complained to the ICO, although references were made to contravention on a much wider scale in some areas of the notice.
Possibly just 160 people affected
Another difficulty was that most of the 732 texts referred to by the ICO had been sent before 26 May 2011, which was the date when the ICO’s powers to issue penalties came into effect. This left 286 texts and even with these, it was not clear how many people had been affected. Based on the normal ratio of texts to complaints, this would suggest just 160 affected recipients.
Furthermore, the Tribunal did not consider that the small charges likely to be incurred by some individuals in replying “stop” to the messages, or because they received a text while abroad, amounted to “substantial damage”.
In addition, while acknowledging that the contravention was likely to have caused widespread irritation, this was not akin to widespread distress. While there was a possibility of some distress in very unusual circumstances, for example due to a recipient being reminded of a previous accident, the Tribunal held that it could not construct a logical likelihood of substantial distress being caused as a result of the contravention.
The First-Tier Tribunal was critical of the ICO’s penalty notice for its lack of clarity, which meant that the Tribunal ultimately based its decision on a contravention involving only 286 unwanted text messages to perhaps 160 people. It is uncertain whether the Tribunal would have reached a different decision had it been considering the hundreds of thousands of unwanted text messages that were actually sent.
Other appeals against ICO monetary penalty notices
The Tribunal’s decision in the Niebel case follows its decision in August 2013 to set aside a monetary penalty notice issued under the Data Protection Act 1998 against Scottish Borders Council. In that case, SBC’s external contractor placed 1,600 manual files containing ex-employees’ pension records in public paper recycling bins.
The Tribunal held that while the breach was serious and the council’s arrangements with its contractor were “obviously defective”, the contravention by the council was not of a kind likely to cause substantial damage or distress. The Tribunal noted that what happened was in their view “a surprising outcome, not a likely one” and that the council could rightly expect its contractor to properly destroy its records.
The tribunal formally cancelled the monetary penalty notice in September 2013 after the ICO and Scottish Borders Council reached agreement about the placing of data processing contracts and the training given to staff.
Another appeal against a monetary penalty notice issued under the Data Protection Act, this time by the Central London Community Healthcare NHS Trust, is currently before the Upper Tribunal having been dismissed by the First-Tier Tribunal.
In that case, the monetary penalty notice concerned was for £90,000 and was issued in April 2012 in relation to a data breach where highly sensitive patient data was sent to the wrong recipient on forty five (45) separate occasions. The First-Tier Tribunal’s view was that the ICO had issued a penalty that was within a range of reasonable figures it could have considered. A decision from the Upper Tribunal is due imminently.
Why this matters:
The Niebel case and the other cases mentioned above provide a useful reminder that monetary penalty notices can be challenged via an appeal to the First Tier Tribunal. The case also demonstrates the high bar set by the wording in s.55A of the Data Protection Act in relation to when a monetary penalty notice can in fact be issued by the ICO.
The ICO has recently been lobbying the UK government for changes to the law so that it would only need to prove annoyance or nuisance in order to issue a monetary penalty notice for breach of the PECRs. Clearly the Tribunal’s decision, which will have no doubt left the ICO very frustrated, will only strengthen these efforts.
The First-Tier Tribunal ruling in the Niebel case is available in full here.