Less than ideal

Last week, Stephen Lee, an academic and former fundraiser, was reported as having attacked the Information Commissioner’s Office for their interpretation of direct marketing at a fundraising conference. It was, he said, “outrageous” that the Commissioner’s direct marketing guidance stated that any advertising or marketing material that promoted the aims and ideals of a not-for-profit organisation was covered by Data Protection. According to Lee, only fundraising activities should be considered to be marketing.

[NB: Third Sector articles are sometimes open to all and sometimes limited to subscribers. If the links don’t work, please accept my apologies!]

He is quoted as saying “Who says that’s right? Just the ICO. Who did it consult? No one.” and went on to say “Why and how and in what way should we be compelled to comply with that proposition?”

Who says that’s right? Who did the ICO consult? Well, let me see now.

1) The Council of Europe

In 1985, the Council of Europe issued a Recommendation on the protection of personal data used for the purposes of direct marketing. The definition of direct marketing includes both the offer of goods or services and “any other messages” to a segment of the population. The recommendation predates the guidance Mr Lee disparages by more than 30 years.

2) The 1995 Data Protection Directive

The Directive makes clear that direct marketing rules apply equally to charitable organisations and political parties as they do to commercial organisations, and emphasises the need for people to be able to opt-out of direct marketing. By redrawing the definition, Mr Lee would contradict this fundamental right.

3) The Data Protection Act 1998

Given that Mr Lee feels qualified to make bold statements about the interpretation of the Data Protection Act, it’s odd that he doesn’t seem to have taken the time to read it. Section 11 of the Act states that the definition of Direct Marketing is “the communication (by whatever means) of any advertising and marketing material which is directed at particular individuals”. The important word there is “any” – organisations do not get to pick and choose which of their promotional messages are covered and which are not.

4) The Privacy and Electronic Communications Regulations 2003

PECR sets up the rules for consent over electronic direct marketing (consent for automated calls, opt-out and TPS for live calls, consent for emails and texts). It does not define direct marketing, but instead says this: “Expressions used in these Regulations that are not defined in paragraph (1) and are defined in the Data Protection Act 1998 shall have the same meaning as in that Act”. Therefore, the DPA definition applies to PECR.

5) The Information Tribunal (now the First Tier Tribunal)

In 2005, the Information Commissioner served an Enforcement Notice on the Scottish National Party after they repeatedly and unrepentantly used automated calls featuring Sean Connery to promote the party in the General Election. The SNP appealed, and in 2006, the Information Tribunal considered the issue. One of the main elements of the SNP appeal was against the ICO’s definition of direct marketing. Although the case is about a political party, the ICO’s submissions are based on the proposition that charities as well as political parties are covered by the definition of direct marketing, and that the definition cannot be restricted to fundraising alone. The Tribunal accepted the ICO’s view in full, and dismissed the appeal.

6) The charity sector and anyone else who wanted to be consulted

The ICO may have issued guidance in the 1980s or 1990s on the definition of direct marketing, but the idea that promoting aims and ideals is part of it has been their view since 1999. In guidance issued on the precursor to PECR, the ICO stated clearly that direct marketing includes “not just to the offer for sale of goods or services, but also the promotion of an organisations aims and ideals”. They specifically mentioned charities, as they have ever since. Virtually every iteration of the ICO’s guidance on PECR and direct marketing has been subject to public consultation – indeed, the very guidance Lee is talking about was subject to a public consultation.

Here’s the problem. Lee is an Honorary Fellow of the Institute of Fundraising, and has a long association with it. The IoF has been the most consistently pernicious influence on the charity sector’s compliance with data protection and privacy law in the past ten years. Their guidance and public utterances on data protection are often misleading, and they recently had to change their own Code of Practice because it was legally incorrect. At best, they haven’t noticed the ICO position on charities and direct marketing for more than 15 years. At worst, they deliberately ignored it in favour of an interpretation that largely suits fundraisers. Lee complained at the conference about the “appalling” communication between the ICO and charity umbrella bodies, but Richard Marbrow of the ICO summed the problem up all too well:

“One of the things the sector asked for was clarity, and I will try and bring you that. The trouble is, if you then say ‘we don’t like that clarity, could we have some different clarity please?’, we’re not going to get on very well.”

The most important thing about Lee’s outburst is the subtext – if any form of communication is not covered by the definition of direct marketing, then your consent is not required in the first place and you have no right to stop receiving it. His interpretation is nonsense, but it is also ethically unsound. At its most basic level, privacy means the right to be left alone, the right to have an area of your life which is yours, which others can’t intrude into. Lee seems to want to erode that right. If his view was correct (it’s not), charities could bombard people with phone calls, texts or emails to tell them how marvellous they are, how important their work is, how vital they are for society. As long as they don’t ask for money, the logic of his argument is that people wouldn’t be able to stop them.

Lee’s other question (“Why and how and in what way should we be compelled to comply with that proposition?”) has an easy answer. Ignore it. Carry on breaching the law, ignoring the rules. I went to the cinema last night and saw adverts for two different charities that plainly breached PECR, so that seems to be the plan. Given that the furore over charities began with an innocent person bombarded with unwanted correspondence, it’s remarkable that senior figures in the charity sector are ready for another go, but if Mr Lee wants to drag charities’ reputations deeper into a swamp that they share with PPI scammers and payday loan merchants, he’s welcome.

But the ICO should not listen to their concerns, or open friendly channels of communication with the sector. They should apply the law firmly and regularly until the charities get the message. If this results in more enforcement against charities than other sectors, that will be only because the big charities are among the worst offenders and they haven’t put their houses in order. If charity giving suffers as a result, even amongst the many charities that have not transgressed, they should stop blaming others and look to their fundraisers, their colleagues and themselves.

Optical illusion

It’s a horrible week for news, and even if you ignore that, it’s a horrible week for Data Protection news, with charities up to their usual tricks, WHSmith and HMRC spraying their correspondents with other people’s correspondence, and in the middle of it all, the unforgivable mishandling of sensitive personal data at a sexual health clinic. Nevertheless, despite all of this, the First Tier Tribunal has delivered a little bit of good news which should gladden the heart of anyone who cares about Data Protection.

Last year, the Information Commissioner served an Enforcement Notice on Optical Express under the Privacy and Electronic Communications Regulations. Optical Express were ordered to send marketing emails and texts only to those who had directly given consent. As the appeal makes clear, Optical Express were relying on vague permissions obtained years in the past by different companies. They claimed that if a person has ever consented to marketing from anyone, anywhere, any marketing received from Optical Express was solicited and therefore lawful. This is bollocks, although somehow the Tribunal found different words to rebuff the argument. Optical Express lost, and must now appeal or start actually getting consent from real people before hawking their wares.

I’ve been waiting for the decision ever since the appeal was announced. In late Spring, I started to receive unsolicited emails from a variety of dodgy sounding companies – funeral planners, solar panel vendors, claims management companies, the usual parasites. Although my personal data is spread far and wide because I enter a lot of competitions, I’m as pedantic with T&Cs and tick boxes as you would expect me to be. The only spammer that could remotely count as a household name was Optical Express. They caught my eye (BOOM!) because of the Enforcement Notice and appeal, but also because Optical Express were the only ones to send me texts as well.

I contacted Optical Express to ask them where they had obtained my personal data from, as I have never had any dealings with them, nor have I ever consented for my data to be passed to them.

I don’t know whether Optical Express actually hold my email address because they won’t tell me and in any case, they seem to be using an affiliate marketer. The affiliate model is a marriage of convenience between a company who wants to advertise and a spammer or network of spammers with a list of email addresses. The spammers send the spam, but they’re hard to track down. The companies often don’t hold the data, and get plausible deniability when the recipient complains. Under PECR, the advertiser is still the instigator and is legally responsible, but until there is a clear ICO or court case involving affiliates, the spamming will not stop.

My own enquiries have led me to believe that Optical Express are using a Moroccan-based affiliate marketer called Youssef Zarouk, although for many months they have refused to tell me why I received their emails or who sent them, despite many emails to their customer service department and a letter to their Chief Executive. Optical Express are welcome to deny and disprove this if they finally have the good manners to answer my questions about the matter. I emailed Mr Zarouk to ask how he got my email address, after I obtained his address from an outfit called ‘Plan My Funeral’ (who are everything you might imagine them to be). He didn’t reply.

One thing Optical Express were willing to tell me is that they bought my mobile number from a company called Interactive Prospect Targeting, which is surely what a company that harvests personal data for marketing purposes would be called in a cartoon. Perhaps in recognition of how needlessly explicit their company name is, IPT is now called MyOffers, which was previously just the name of the competition website they use to hoover up personal data. Long, long ago, I used to enter competitions on MyOffers website, but I haven’t used the site for many years, and in 2013, I exercised my rights under Section 11 of the Data Protection Act to prevent IPT / MyOffers / Whatever They’re Called from processing my data for marketing purposes. This includes selling my data for marketing purposes.

I contacted MyOffers. After the traditional delay requiring me to contact them a second time which appears to be a list-broking industry standard, MyOffers informed me that I had rejoined their service in December 2014, after I allegedly filled in a survey hosted by another company called EDR, where they claim I opted in to receive calls from nPower and offers from MyOffers. MyOffers do not have any evidence of this, and could only provide me with a sample survey that I had never seen before and had not filled in. Weirdly, despite the claim that I consented to receiving marketing from nPower, they have never been in touch.

Having received the data from EDR (who are now trading as Progressive Digital Media), MyOffers sold my number to Optical Express, the Claims Advisory Group, Experian (of whom more later) and Digitonic, a text marketing company based in Scotland. Both CAG and Digitonic were very helpful when I approached them and keen to reassure me that they would neither use nor sell my data on. However, they should look at the quality of data that they are buying, and who from, especially in the light of what Experian told me. Experian is inaccurately described as a credit reference agency; credit checking is only one part of its massive data capture and selling activities, which is why I sent Experian a Section 11 in 2012, and they were happy to tell me that it still stands. Experian told me that MyOffers provided my mobile number appended to a postal address that I moved out of in 2001. How this fits with MyOffers’ claim on its website that “MyOffers Data Rental is the UK’s leading source of fresh lifestyle data for direct marketing campaigns” is not something I can explain. Retaining and selling personal data for 14 years after it is out of date is clearly a breach of the 4th Data Protection principle, but I will leave that between MyOffers and their customers.

MyOffers did not explain to me why their purchase of my data from a third party negated my Section 11 with them. They did not contact me at the time to ask whether I wanted to withdraw the Section 11 or decide to respect it when they received my data. They simply assumed (on the basis of no evidence) that I had given my consent to a third party and they were entitled to sell my data again. The best MyOffers could offer me is that I am now on their ‘do not contact’ list, which will apparently mean that my data will be genuinely suppressed. They have, despite my asking them, not explained why I was not put on this ‘do not contact’ list in 2013. The compliance officer’s approach to due diligence and consent went no further than the claim that the company had bought 155 surveys from Progressive Digital Media, and nobody else had complained. This is the same compliance officer who signed my Section 11 response in 2013. He’s also a director of the company.

I contacted Progressive Digital Media. They held some data on me going back to 2007 which appeared to be from a guarantee I had filled out in 2005, but my mobile number had been obtained on their behalf by a company called Data Marketing and Research (DM&R), who apparently ran a survey hosted on the competitions section of the What’s On TV website. What’s On TV is owned by Time Inc, and their privacy policy describes DM&R as “a supplier engaged by Time Inc. (UK) Ltd to provide a selection process for winners in competitions entered on the site and the provision of prizes”. Whether this adequately covers DM&R running surveys on behalf of PDM on behalf of MyOffers so that personal data can then be sold to Optical Express is a question that I will leave for you to answer.

The response I received from DM&R was long but incoherent. Registration on the What’s On TV website includes a very clear section allowing users to sign up to enter competitions but opt out of any marketing either from Time Inc. itself, or from “carefully selected third parties”. It should be opt-in really, but there is no question that the registration form, and the text that appears if you sign up via an individual competition, is very clear. I definitely did sign up to the What’s On TV site in 2012 to enter a competition, but not even DM&R claim that I opted in to receive marketing when I registered, and when I checked, my marketing permissions are still set to nothing from anyone.

DM&R are the true source of the claim that I (or someone using my details) opted in to receive marketing from MyOffers and nPower. The problem is that I didn’t fill in any nPower survey, not least the one that MyOffers showed me. DM&R’s sole piece of evidence that I consented is an IP address which means nothing to me and doesn’t match the one my Mac currently uses. When I asked them to provide the wording that I had allegedly signed up to or real evidence that I had consented, DM&R said they needed to wait for their Data Protection officer to come back from holiday. I’m still waiting.

This is how Optical Express obtained my mobile number: through a congealed, undignified mess of agents and brokers operating with all the finesse of a dodgy garage welding together smashed up cars. When they claim to be sending solicited marketing, this is what they mean.

Type ‘list broker’ or ‘affiliate marketing’ into your search engine of choice (anyone for Ecosia?) and what you get is a swamp. Data is bought and sold from any and every source. Much of it is obtained unfairly and without consent, and then flogged to anyone willing to pay. The Data Protection Act is routinely flouted in pursuit of the bottom line. I would normally use this as an excuse to attack the Information Commissioner for not tackling the problem, but today, that is the wrong line to take. The ICO has done good work here, and the Commissioner’s statements about consent this week in relation to the scandalous case of Samuel Rae are very welcome. The only thing to say is that I would like to see more of it.

Liberal Spamocrats

The Varsity newspaper reports a scandal in academia, as Julian Huppert stands accused of spamming Cambridge’s students with crass emails about revenge porn. As well as reflecting the understandable annoyance of students at the spam and its triggering content, Varsity links Huppert’s spam to a similar incident at Bath University in April. Bath students received unwelcome missives from the outgoing LibDem MP Don Foster (who based on the photo in the Bath Chronicle is presumably stepping down to spend more time running Gringotts Bank).

The question raised by Varsity is whether Huppert, Foster and the LibDems have breached Data Protection and wider privacy law. There is an entirely separate question about election law which I am not qualified to answer, so I won’t. Two pieces of legislation could impinge on the LibDem spam – Data Protection and the Privacy and Electronic Communications Regulations. As the emails are plainly marketing, aimed at encouraging students to take the yellow pill, it’s tempting to assume that the more important law is PECR. This is not the case. PECR does require the sender of marketing emails to have consent from the recipient, but only if that recipient is an ‘individual subscriber’. As long as the spam was sent to a student’s university email address (which appears to be the case in both incidents), they are not individual subscribers. The university is a corporate subscriber, and so the requirements of Regulation 22 (which covers email and text marketing) do not apply. So, game over, but only for PECR.

I cannot see a sensible argument that the email addresses that contain a student’s name are not personal data, so even if PECR is off the table, Data Protection is still in play. It’s impossible to tell exactly how the LibDems obtained the addresses in either case, but given that they can’t deny that masses of emails were sent, and there is no suggestion that consent was obtained (which would clear up most of the DP problems at a stroke), I’d be fascinated to hear how Huppert, Foster and their party ensured that the Data Protection requirements were met.

The first Data Protection principle requires that data be obtained fairly, lawfully and according to a set of conditions. If they wanted to harvest the emails for marketing purposes, the LibDems at either university would need to do so fairly. The only hint about how the data was obtained comes in the Bath story, where the LibDems state that the email system was not accessed without university authorisation, and that email addresses were “all in the public domain”. The public domain issue would be irrelevant if the university had provided the emails to the party, so I assume that the emails were harvested by a LibDem supporting student or staff member from the University address book (any member of the LibDems is welcome to correct me, but only if they’re willing to tell me what happened if this didn’t). The Information Commissioner recently told the Samaritans that data on Twitter was still personal data even though tweets really are in the public domain, but email addresses held in a University address book or similar source are not in the public domain. They’re available to staff and students, but I’m not a Bath or Cambridge student, so I can’t get them. The universities are the Data Controllers for the email addresses, and while I’m sure that it is true that whoever hoovered them up had legitimate access to the system, their use of the data was problematic. Section 55 of the Data Protection Act states that it is a criminal offence for a person to ‘obtain or disclose’ personal data ‘without the consent of the data controller’. I’d be keen to see evidence that the LibDems had consent from the universities to use the emails, and will happily publish it here if it is provided to me.

To use the email address for political marketing is a new purpose, so the LibDems would either need to tell students that their email addresses were being harvested (which they didn’t), they would need an exemption from fair processing (which they don’t have) or they would need to claim that telling students that their email addresses were being harvested for unsolicited marketing purposes involved disproportionate effort (I believe the technical term for that is ‘bollocks’). Moreover, the LibDems would need a condition for processing the email addresses for marketing. They don’t claim that they had consent, so they must think that the use of the email addresses was necessary for a legitimate interest, and their use of the email addresses did not cause any unwarranted prejudice to the rights and freedoms of the students, which is the only available condition. If that’s their argument, they should say so, and be willing to defend it against an equally legitimate argument that sending unsolicited political messages is a breach of students’ privacy. Of course, what I think really happened was that they snorted up the email addresses without any consideration of the DP implications, which is shameful, especially as Huppert claims to be in favour of privacy.

The sense of entitlement here is overwhelming. Cambridge LibDems limply defended their spam with the following: “We have sent a number of emails to students over the last two years to keep them informed of Julian’s activities. All of these have included the appropriate opt-outs”, while the Bath contingent had already said that they would stop sending emails after a previous incident in February. All the political parties are guilty of the same arrogance (although the LibDems have recently been warned off by the ICO, and were the only political party who outright refused to stop sending me marketing). The rules are simple. You cannot obtain personal data and use it for your own purposes just because the data is available or easy to obtain. You have to tell people that you are obtaining and processing their data unless you have an exemption. You cannot send unsolicited marketing to people and justify it purely on the basis that they can opt-out. The subject does not have to do the work: you have to do the work. The sight of political parties who seek to make the law acting as if it does not apply to them is one of the worst aspects of the election season, and whatever happens after May 7th, at least we might enjoy a period of being left alone.

Otherwise responsible

Last week, the Information Commissioner issued a civil monetary penalty on Direct Assist Limited, a TPS-busting personal injury firm. As Direct Assist has been wound up by HMRC, all this means is that the ICO has added itself to Direct Assist’s list of creditors and the CMP will never be paid. It turns out the ICO had served its final notice before HMRC delivered the coup de grace, so perhaps the CMP made sense at the time. However, the ICO’s PECR blog stated the following on 2nd April:

When deciding on fines, our office has to consider the financial position of the company involved. Although we need to hold unscrupulous companies to account, the law says we can’t make a company bankrupt causing it to close.

This isn’t true. The statutory Monetary Penalty guidance – the ‘law’ in question – makes clear several times that CMPs cannot “impose undue financial hardship on an otherwise responsible person”. It’s wrong for the ICO to say that they can’t bankrupt their CMP targets; they’re only prevented from crippling an otherwise responsible organisation. So what kind of organisation is Direct Assist?

Well, firstly, they’re the kind of organisation that gets wound up by HMRC. Secondly, they’re the kind of organisation that, according to the ICO press release, called someone 470 times despite them being on the Telephone Preference Service. If you Google them, you will find Direct Assist was also involved in one of the most notorious Data Protection cases of recent years. In 2011, Martin Campell, a Direct Assist employee, pleaded guilty to using confidential medical information to generate claims. The data was stolen by his then-girlfriend Dawn Makin, who was a nurse at an NHS walk-in centre in Bury. When the thefts were revealed, Makin murdered her daughter and tried to kill herself. I cannot say for certain that Direct Assist knew what their employee was doing, but as the data controller, they were responsible for ensuring that any data used for their purposes was fairly and lawfully obtained. This they clearly failed to do, and one might ask why the ICO didn’t pursue this angle. But in any case, aside from their torrent of illegal cold calls, are Direct Assist otherwise responsible? Don’t make me laugh.

It’s not just Direct Assist. In February, an outfit called HIS Energy was prosecuted at Manchester Minshull Street Crown Court for a single breach of the Health and Safety At Work Act 1974. HIS had installed cavity wall insulation in the home of Joyce Moore, an 82-year-old resident of Middleton, a town to the north of Manchester. In the process, they blocked the boiler flue. An HIS employee noticed insulation beads in the flue (apparently a tell-tale sign of the problem), but rather than mention it to Mrs Moore or her son Bob, who also lived in the house, he did nothing. He did mention it to his manager, but a decision was made to take no action that day. That night, Mrs Moore put the heating on, and she was killed by carbon monoxide poisoning caused by the blocked flue. Bob Moore and two paramedics were also taken to hospital, although they recovered.

The jury took 10 minutes to find HIS guilty, and they were fined £500,000, plus prosecution costs, although it is unlikely that the fine will ever be paid, as HIS has gone into liquidation. Until the liquidation, HIS Energy was part of the Save Britain Money Group, an organisation made famous by the BBC’s nauseating programme ‘The Call Centre’. Indeed, Mrs Moore was originally cold-called by Nationwide Energy Services whose staff featured heavily in the programme, before her details were passed to HIS to carry out the work that killed her. The Save Britain Money Group is currently in administration after a court dispute. Nationwide Energy Services was put into administration after receiving a Civil Monetary Penalty of £125,000 from the Information Commissioner in 2013 for illegal cold calling. Coincidentally, We Claim U Gain, another member of the Save Britain Money family whose staff appeared in ‘The Call Centre’, went into administration after it received a CMP for cold calling. Neither CMP has been paid. Despite the BBC’s despicable decision to celebrate the odious Wilshire, are we seriously supposed to believe he and his companies qualify as ‘otherwise responsible’ people?

On Monday, the PECR rules changed. Gone is the requirement for damage or distress before a PECR CMP is issued – all the ICO needs to do is demonstrate a serious breach. The ICO has a good track record on PECR enforcement, so we can expect further action. I would welcome this. But there are two lessons that can be learned from these awful stories. Firstly, the law change is not enough. Direct Assist is gone, but other equally reprehensible organisations remain and its owners will probably surface in another part of the swamp. Until the ICO has powers to take painful action against the individuals, rather than the hydra-headed organisations they hide behind, they will be putting out fires and no more. However, it’s equally important that the ICO uses its revised powers to the fullest extent. Even if Direct Assist’s owners return to cold calling, HMRC’s actions have at least inconvenienced them. There is no reason why the ICO cannot do the same.

There may be otherwise responsible people breaching PECR through ignorance rather than wilful law-breaking, but I suspect they are the minority. Most cold callers and spammers are parasites, using dodgy data, feeding off the vulnerability of others, and causing misery as they line their pockets. The ICO should not shrink from shutting them down, and nothing prevents them from doing so.

What’s the damage?

BTO Solicitors recently marked the publication of the Information Commissioner’s annual report with a blog by two of their advocate solicitors about the Commissioner’s recent enforcement activity. BTO enjoyed a notable coup in 2013 by overturning the ICO’s £250,000 civil monetary penalty against Scottish Borders Council. I agree with the blog’s authors, Laura Irvine and Paul Motion, that the Borders case was hopeless; it is the low point in the ICO’s obsessive pursuit of “data breaches”. For several years, Wilmslow seemed to believe that [incident = breach] was a winning formula, and when tested in the Borders case, they were found wanting. The blog asserts that in several other cases, the ICO would equally have found it difficult to defend their CMPs, and again, I agree. Borders is not the only flawed CMP, and others could probably have been overturned.

Having said that, I think their review of recent action is eccentric, even myopic. They assert that the Commissioner “has not changed his approach to “likelihood” since the Scottish Borders appeal”, selecting two examples (Jala Transport and Bank of Scotland) to support their contention. I don’t know whether these two CMPs are sustainable, but they exemplify the difference between a one-off incident and an ongoing breach. I am certain that both are the latter. Jala’s *director* routinely carried the sole copy of his customer database on an unencrypted hard drive which he placed on the passenger seat of his car, while the Bank of Scotland proved incapable of preventing staff from sending faxes to the wrong destination even after the ICO started to investigate them. I think it’s instructive that neither organisation appealed.

Moreover, the argument that the ICO is on the same track is a lot easier to make if you stick rigidly to action taken in 2013, so that’s what Irvine and Motion’s blog does. There have only been 3 CMPs for Data Protection in 2014, and I believe that each would survive Tribunal scrutiny. As always, the incidents are eye-catching – an anti-abortion hacker gets access to the identity of women potentially seeking abortion, a police station is sold with evidence tapes identifying suspects, victims and witnesses, and a filing cabinet is sold despite containing personal data about compensation payments paid to victims of terror attacks. However, I think it is likely that if BPAS did not properly maintain their website, it would come under attack from anti-abortion campaigners. It is likely that if Kent Police did not properly organise and monitor the clearance of their buildings, evidence would be left behind – and the same goes for the Department of Justice. In each case, the data was sensitive personal data, and to steal a word from BTO’s own blog, to argue that the loss of such data would not be likely to cause damage is frankly bizarre. The 2014 decisions may not be perfect, but they must have been made with the outcome of the Borders case in mind, and I think these three cases show a more robust and defensible process at work.

The blog ends by considering Christopher Niebel’s successful appeal over the ICO’s £300,000 CMP for his industrial-scale spamming. It’s unlikely that anyone will mount a campaign larger than Niebel’s, which Judge Wikeley described as “a considerable public nuisance“, so the outcome of his appeal may effectively make the UK’s current PECR regime unenforceable. Wikeley suggested that had the bar been set lower (nuisance, rather than damage or distress), the outcome of the appeal might have been different. In response, the Government is currently consulting on whether to make precisely that change. BTO’s blog opposes this, fitting the Niebel case into the narrative of a wayward, overreaching Commissioner:

The likelihood of damage must be based on more than conjecture and distress has to be more than mere irritation. If evidential thresholds are getting in the way of monetary penalties the answer is to provide the requisite evidence, not to call for the lowering of the threshold and potentially criminalising conduct that is undeserving of such categorisation.

ICO’s use of conjecture is flawed and it’s what lost them the Borders case. But the above statement takes a seemingly ideological position that PECR breaches must go unpunished unless substantial damage can be established, without explaining why the law should not be used to protect the public from intrusion and irritation. It’s not clear why Irvine and Motion are keen to keep a regime that lets spam go unpunished, and I’m convinced that leaving the threshold as it is will have that effect. Wikeley did not argue that ICO should have done a better job, but that the evidence wasn’t there to hit the target. By implication, with the test as it is, it won’t ever be. More importantly, neither the ICO nor the DCMS (the department responsible for PECR) have suggested ‘criminalising’ any conduct. To claim otherwise is a red herring.

The sending of text messages, emails or automated calls without clear consent is already unlawful; the only debate is what the penalty should be for doing so. In wanting to keep the current threshold, Irvine and Motion seem more keen to protect the rights of spammers than the public. There’s a difference between criticising a poor case (Borders) and defending a target that no-one can hit. Damage and distress is not a concept that comes from the Directive – as Wikeley says, setting the bar there was a UK decision. The Directive demands ‘an effective, proportionate and dissuasive penalty‘ and Niebel shows that we don’t have one. Leaving the substantial damage threshold in place is not (as Irvine and Motion put it) “a realistic approach to assessment of the human consequences of data breaches and PECR breaches“; to do so ignores those consequences and by default, protects the illegal spam business model.

Like Irvine and Motion, I think the ICO approach is flawed and inconsistent. However, I support civil monetary penalties for breaches of both Data Protection and PECR and I think they should be maintained and improved. Evidence of the ineffectiveness of the criminal regime abounds. A few weeks ago, the Information Commissioner announced that they had successfully prosecuted Stephen Siddell, manager of an Enterprise car rental outlet in Southport. Mr Siddell was selling data about their clients to a claims management company. When the private sector is sometimes less forthcoming about their security problems than the public sector, Enterprise should be praised for calling the ICO rather than sacking their errant manager and keeping a lid on the problem. Mr Siddell was fined £500 (plus £300 in costs and victim surcharges). The claims management firm remains under investigation and so for the moment is not being named. Meanwhile, the Mail on Sunday reports today that Jayesh Shah, a man who boasted to an undercover reporter that he sent 500,000 spam text messages a day, has been fined £4000 for non-notification (plus around £3000 in costs and surcharges) by magistrates in North London.

Mr Siddell’s future employment prospects are probably bleak, but with such small penalties, someone else will take his place. Police officers are treated fairly mercilessly when caught for data theft, but there is still a queue of cops willing to raid the PNC. Meanwhile, though the comments about his weight and dress sense in the Mail’s comment section will have been unwelcome, Mr Shah can treat the £7000 outcome as an acceptable business expense. The criminal portion of the DPA provides scant punishment for data thieves (small fines and no criminal record, as the offences are not recordable). It is possible for the ICO to issue enforcement notices against spammers and those who breach DP, but the only punishment for breaching an enforcement notice is the same paltry fines. A company prosecuted for breaching an enforcement notice can be closed down and replaced by a clean twin in next to no time.

I enjoy kicking the ICO as much as the next person, and their mishandling of CMP enforcement in recent years is a matter of concern. However, across the UK, Data Protection and privacy are still more honoured in the breach than the observance. There is big money to be made out of exploiting data, and as with health and safety, too many are willing to cut corners, regardless of the harm and distress that might be caused. Indeed, I think CMPs should be broken out of the security stranglehold and applied to damaging inaccuracy and unfairness as well. Rather than keeping the PECR threshold at an unattainable level, I think we should drop it to a straightforward tariff, with a flat rate penalty for every unlawful contact (say £1 per email, £5 per text and £10 per phone call). Post Niebel, private sector organisations that comply with the law will be priced out of the market by those who don’t unless there is a change. Without effective penalties, public sector organisations without a functioning privacy culture will continue to make decisions that put data – and in some cases, the public – at risk.

In their understandable enthusiasm to knock the ICO, I fear Irvine and Motion have lost sight of the purpose of the legislation. It is there to protect the public and to facilitate lawful, legitimate business activities. Personal data should be respected and handled with care. People have a right to a private and a home life without being pestered by spivs. The law and its implementation should penalise and deter misuse, intrusion and abuse. Some organisations will comply without sanction, but we need a strong, effective regime for those who won’t.