Electronic direct marketing: lower test for penalties for breach of rules

Practical Law UK Articles 9-605-6005 (Approx. 4 pages)

Electronic direct marketing: lower test for penalties for breach of rules

by Ben Slinn, Baker & McKenzie LLP

Current position

Until 6 April 2015, in order to impose a monetary penalty for any breach of the 2003 Regulations, the ICO would need to be satisfied that:

There has been a serious breach of the 2003 Regulations of a kind that is likely to cause substantial damage or substantial distress.
The breach was deliberate, or the person knew, or ought to have known, that there was a substantial risk that the breach would occur and that it would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent it (section 55A, Data Protection Act 1998, as it applies to the 2003 Regulations) (section 55A).

The ICO can impose monetary penalties of up to £500,000 for these breaches.

What will change

From 6 April 2015, the ICO will be able to impose monetary penalties for breaches of the 2003 Regulations that relate to the following without needing to be satisfied that the breach was likely to cause substantial damage or substantial distress:

Automated calling systems.
Faxes used for direct marketing.
Unsolicited calls used for direct marketing.
Electronic mail (including short messaging service (SMS) texts) used for direct marketing.
Electronic mail (including SMS texts) where the identity or address of the sender is concealed.
The information required to be provided (regulations 19-24, 2003 Regulations).

This means that, in practice, it will be easier for the ICO to impose monetary penalties for serious breaches of regulations 19 to 24 of the 2003 Regulations from 6 April 2015 (see box "Why change was needed").

However, the other elements under section 55A will still need to be satisfied, namely, that: the breach was serious; and that it was either deliberate or the person knew, or ought to have known, that there was a risk that the breach would occur but failed to take reasonable steps to prevent it.

Enforcement focus

The ICO appears to be focused on the issue of nuisance calls and text messages, as demonstrated by the ICO's enforcement action in this area in recent years, including issuing various monetary penalties for serious breaches of the 2003 Regulations. This focus is likely to be driven by the high number of complaints that the ICO receives in relation to nuisance calls and text messages. Given the removal of the substantial damage and substantial distress threshold, this trend is likely to continue, especially in relation to serious breaches of the 2003 Regulations regarding direct marketing calls and text messages.

The changes that apply from 6 April 2015 also apply to serious breaches of the 2003 Regulations in relation to other forms of electronic direct marketing, including email and fax. It will be interesting to see whether, in the future, there is any enforcement action in these areas, in addition to the current focus on direct marketing calls and texts.

Practical steps

From a practical perspective, any organisation that is engaged in direct marketing by telephone or text message should be aware of this change as, from 6 April 2015, the threshold that the ICO is required to meet in order to successfully impose monetary penalties for serious breaches of the 2003 Regulations in relation to these forms of direct marketing will be lower.

Calls and text messages are already an area of focus in terms of enforcement, which is likely to continue and possibly increase in the future given this change. Organisations should consider reviewing their current practices to assess compliance with the electronic direct marketing rules contained in the 2003 Regulations and consider how to address any compliance issues that arise as a result of that assessment.

More widely, this change puts the focus on compliance with the electronic direct marketing rules contained in the 2003 Regulations from an enforcement perspective. Organisations that are engaged in other forms of electronic direct marketing, including emails, should also consider reviewing and assessing their current practices in order to identify and address any compliance issues.

Ben Slinn is an associate at Baker & McKenzie LLP.

Why change was needed

In November 2012, the Information Commissioner's Office (ICO) imposed a monetary penalty of £300,000 on Mr Niebel in relation to a large volume of direct marketing text messages that his company sent in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (2003 Regulations).

In October 2013, the First-tier Tribunal overturned the penalty and observed that the breach was likely to cause irritation but not substantial distress or substantial damage (Christopher Niebel v The Information Commissioner EA/2012/2060). In June 2014, the Upper Tribunal dismissed the ICO's appeal ([2014] UKUT 0255 (ACC)).

The consequence of Niebel is that it makes it more difficult for the ICO to impose, and in some circumstances prevents it from imposing, monetary penalties for serious breaches of the electronic direct marketing provisions under the 2003 Regulations, for example, where there has been a clear breach, but this causes only annoyance, inconvenience or anxiety.

The Department for Culture, Media & Sport consulted in October 2014 on proposals to lower the legal threshold for enforcing breaches of the 2003 Regulations related to electronic direct marketing (www.gov.uk/government/uploads/system/uploads/attachment_data/file/367498/LOWERING_THE_LEGAL_THRESHOLD__.pdf).

Electronic direct marketing: lower test for penalties for breach of rules | Practical Law