Who: Information Commissioner’s Office
When: September 2013
Where: UK
Law stated as at: 4th October 2013
What happened:
The Information Commissioner’s Office is now trying to encourage MPs to change the law if they want to see the number of cold calls cut and has asked the Culture, Media and Sport Select Committee to enable the ICO to issue more monetary penalties to companies behind the calls. The ICO has asked the government to reduce the level of harm it needs to prove, so an investigation would have to simply prove annoyance or nuisance before acting.
Background
The ICO’s power to issue fines of up to £500,000 for serious breaches of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR”) came into force in May 2011. This followed an increase in penalties of up to £500,000 for serious breaches of the Data Protection Act 1998 (the “DPA”) in April 2010.
In early 2012, the ICO released guidance to clarify the circumstances under which the ICO will issue fines and it will determine the amount of such fines. The Guidance states that the ICO is “committed to acting consistently, proportionately and in accordance with public law” Before issuing any fine, the ICO must determine that (1) there has been a serious breach of the DPA or PECR (2) the breach is of a kind likely to cause substantial damage or distress and (3) the breach was deliberate, or the transgressor knew or should have known that there was a risk that such a breach would occur and they failed to take reasonable steps to prevent it.
The law currently requires the ICO to prove under PECR that calls or texts are causing substantial damage or substantial distress before issuing a penalty.
Enforcement hamstrung
This often means in practice that they can only target companies responsible for large numbers of calls to demonstrate there is substantial damage or distress. In reality the statistics suggest that the problem of nuisance calls is caused by a large number of companies making hundreds, rather than thousands, of annoying calls.
Complaint figures show that 982 companies prompted complaints to the Telephone Preference Service in June 2013 after making cold calls. Eighty two per cent of the companies were the subject of fewer than five complaints. Only 21 of the companies were the subject of more than 25 complaints, but even those ‘worst offenders’ were responsible for just a quarter of the total number of complaints where a company was named.
The ICO has issued some significant fines in the last year but these are limited in number. Significant fines include £440,000 penalty to the owners of Tetrus Telecoms for spam texts and £90,000 to DM Design for marketing calls. The ICO set up a survey on their website to make reports on unsolicited marketing . In the ICO report in December 2012 on “cookie ” compliance they reported that from May to November 2012 they had received 53,000 reports on unwanted marketing compared to just 550 complaints about “cookies “. The ICO therefore considers unsolicited marketing to be a serious consumer threat.
Simon Entwisle from the ICO said: “The simple fact is that the law only allows the ICO to take action against the worst offenders. A change in the law would allow us to target more of the companies making these cold calls, and would have a noticeable effect for consumers. This could be a game-changing improvement to how we can stop unwanted calls.
“There’s a balance to be struck between a direct marketing industry that relies heavily on making calls, and consumers who feel they’re being bombarded. It’s for MPs to decide where the balance lies, but I think it’s fair to say that most people probably don’t think the law’s getting it right at the moment.”
Why this matters:
On first review this would appear to be a sensible move if it can lead to a reduction in the number of such cold calls and create a real deterrent. The risk is that this change would not be limited to the current onslaught of cold calls we are seeing and could result in monetary penalties being applied in other cases where there may have merely been “annoyance” e.g. delay in responding to an opt out.
In addition, if this change is agreed it seems likely that the ICO will also seek to change the requirements under the DPA (as well as the PECR) to show substantial damage or distress particularly following the recent Scottish Borders case where the First Tier Tribunal overturned an ICO fine of £250,000. The Tribunal concluded that although there was a serious breach it was not of a kind likely to cause substantial damage or distress. This was after a subcontractor left more than 600 employee records in a recycling bin. In addition these proposals indicate the increased focus by the ICO on enforcement and monetary penalties particularly in areas of high consumer risk.
