Cold calls result in a record fine – will the ICO go even further in future?
The Information Commissioner's Office ("ICO") is the regulatory authority which enforces the principal UK legislation relating to data protection and privacy, and so it falls to the ICO to intervene when telemarketers are in breach of legal restrictions on unsolicited communications. In the case of Keurboom Communications Limited ("Keurboom"), their use of automated calls recently earned them a fine of £400,000 from the ICO. This is the largest fine to date from the ICO for nuisance marketing, though they have the power to impose higher fines – currently, the upper limit is £500,000.
Having made almost 100 million calls over the course of 18 months, Keurboom had committed a particularly serious breach of the Privacy and Electronic Communications Regulations 2003 ("PECR").
The rules under PECR
For direct marketing communications which are unsolicited and sent by electronic means, PECR is the key law. The people who Keurboom were calling had not provided any consent for the automated calls they received, which put Keurboom in breach of PECR Regulation 19. This provides, in brief, that it is unlawful to transmit recordings that amount to marketing material by using an automated calling system, unless prior consent to such communications was provided by the recipient of the transmission. This may be an important lesson for the director of Keurboom, who has acknowledged automated marketing calls as "annoying" but claimed "that doesn't make them illegal".
In addition, PECR requires that for marketing calls of this nature, it is necessary to include the name of the person behind the calls and details for contacting them. This is established in Regulation 24.
Alongside PECR sits the Data Protection Act 1998 ("DPA"), the other key UK legislation which relates to the ICO's role as the privacy regulator. Under DPA section 55A, the ICO can issue fines for serious breaches of PECR where:
(i) the offending party deliberately contravened the rules; or
(ii) the offending party knew or should have known that there was a risk of contravening, but failed to take reasonable steps to prevent this.
Keurboom's actions were deliberate and so the contravention was deemed deliberate. As for what makes a breach a serious one, there are various aspects of a marketer's conduct that the ICO may take into account.
What behaviour warrants a large fine?
Clearly in Keurboom's case, the sheer number of those affected meant that the breach was a major one – the previous record fine (£350,000) was the result of a company making over 46 million calls, but Keurboom had more than doubled that number. Duration is considered as well, so a shorter spell of making such calls would be less serious in the eyes of the ICO.
On top of this, the ICO investigation had discovered that calls were made repeatedly to the same individuals, sometimes more than once in a day, and at unsocial hours. In some cases, the calls included attempts to mislead recipients by indicating that they related to an urgent matter – recent road accidents or current PPI claims. The ICO is more likely to receive complaints in such circumstances, and in Keurboom's case 1,036 complaints were made, which naturally makes the ICO keen to respond.
As a rule, breaches which are deliberate are likely to attract higher penalties than cases with a risk of contravening and no reasonable steps undertaken to prevent it. In a 2014 case involving unsolicited text messages, the texts purported to be from "Mum", so this was a marketer purposefully concealing their identity rather than simply failing to disclose it. There are many other escalating factors which could arise, such as contraventions deriving from negligence, contraventions relating to "issues of public importance", failure to take account of whether recipients are on the Telephone Preference Service's opt-out register, and failure to maintain complaints procedures.
Keurboom has now gone into voluntary liquidation. Though the ICO has declared a commitment to recovering the fine by working with the liquidator and insolvency practitioners, this does raise the question of whether these fines are effective deterrents when the impact of the fines is curtailed in this way.
Last October, the government had announced a plan to address the problem by imposing up to £500,000 of liability on directors of businesses that breach PECR. However this change was supposed to be introduced in Spring 2017, and nothing more has materialised thus far, so it remains to be seen whether this proposal will resurface.
It is also worth noting that significant new legislation in this area is on the horizon, as we gradually approach May 2018 – this is when the General Data Protection Regulation ("GDPR") will enter into force in the UK (and across the EU), and the new ePrivacy regulation is due to enter into force at the same time, although this deadline may slip. Together the GDPR and the new ePrivacy Regulation will supersede the DPA and PECR respectively, and non-compliance is set to be far more costly. Serious fines will amount to millions of pounds, and there is potential for fines as high as 4% of annual worldwide turnover. Therefore once these new powers are in force, we can expect that the ICO will be setting more records with its fines, far exceeding the penalty for Keurboom.
This article was written by Sam Collingwood, Trainee Solicitor.
Fore more information, please contact Sam on +44 (0)20 7427 6507 or at firstname.lastname@example.org.
Online safety – 2022 begins with regulatory developments in both the UK and the EU
Last week saw developments within the UK and EU in their attempts to ensure online businesses do more to address illegal online content.
To flex or not to flex: comparing traditional offices with flexible office space
Is Buy Now, Pay Later creating a new debt crisis?
BNPL providers are quick to claim that their services are offered with “no interest and no fees”, but is this really the case?
Social Tokens: What are the regulatory challenges in the UK?
Social tokens are one of the latest innovations in the crypto space and have grown significantly in recent years.
PRA to further scrutinise cloud computing in 2022
National Security and Investment Act comes into force
The Act has established a new regime for the review of mergers, acquisitions and transactions that could threaten national security.
Richard Davies and Rahim Hirji write for the American Bar Association on tattoos, athletes and image rights
LeBron James. Zlatan Ibrahimović. Mike Tyson. What is the common factor?
Sarah Rowley appears in the Apollo and Charles Russell Speechlys’ art law series on the future of museum governance
Are the responsibilities and duties of museum boards in the UK the same as they were, say, 20 years ago?
Sports Business: Five Current Themes
Nick White goes early with his thoughts on this year's Sports Business themes.
Charles Russell Speechlys advises Puma Private Equity on their investment into Everpress
Puma Private Equity offers a wide range of award-winning investments that help to support investors.
Lloyd v Google – Supreme Court to deliver judgment tomorrow (on 10 November 2021) – a reminder of the issues at stake
Fairhurst v Woodard: Property audio and video surveillance system breached GDPR
A recent judgment from Oxford County Court raises significant questions about the increasing use of smart doorbells and cameras.
Top 5 Data Protection Tips
Jonathan and Marc-Us explore the top 5 data protection tips
Can machines be inventors?
Will JP Morgan’s digital only Chase launch shake up the UK retail banking sector?
Chase is JP Morgan’s consumer brand and is one of the largest retail banks in the United States with over 4,700 branches.
Who? Where? What on earth is an “NFT”!?
An NFT is a “Non-Replaceable Token” meaning only one of its type can ever be created and recorded on the blockchain it is connected to.
How does the FCA Cryptoasset AML/CTF Regime affect UK cryptoasset businesses?
With the notable exception of security tokens, the majority of cryptoassets remain unregulated in the United Kingdom.
Closing the Cookie Jar
Opportunistic claims for misuse of online tracking cookies are on the rise. Proactively ensuring compliance is key to avoiding claims.
Regulating AI – the impact of two key recent proposals: the UK’s National AI Strategy and the EU’s proposed Artificial Intelligence Regulation
With the hype surrounding artificial intelligence continuing to gather pace, we pause and consider some of the proposed regulatory changes.
Review of the Department for Digital, Culture, Media & Sport consultation
On 10 September 2021 the Department of Digital, Cultural, Media and Sport (DCMS) published a consultation titled ‘Data: a new direction’.