It seems that the leap year day – 29 February 2016 – was a favourite day for making announcements affecting those in the information law universe. This year, the quadrennial leap year day was used to announce: a government consultation on data sharing in the public sector; a draft adequacy decision on the EU-US Privacy Shield for the transatlantic flow of personal data; and, perhaps giving rise to some more immediate learning points for those interested in data protection and direct marketing, the ICO's largest ever fine for a company responsible for making over 46 million nuisance calls (ICO news announcement here). The quantum of the ICO's fine was £350,000 – a leap of £100,000 from its previous highest fine, which was issued to Sony Computer Entertainment in January 2013, following revelations that Sony had suffered a large-scale hack (which resulted in its customers' addresses, dates of birth and payment card information all being leaked) in April 2011.
The ICO's latest fine picks up on a theme which has been visited several times in recent editions of Information Matters: that of 'nuisance calling' and other practices in contravention of data protection principles and direct marketing rules. In this case, the perpetrator was a company called Prodial Ltd – although adding a 'g' might have been an apt branding move since the company was certainly carefree, extravagant and reckless in its use of personal data. Prodial operated a systematic campaign of automated marketing calls, largely to do with claiming a "PPI refund" (perhaps you have received such a call yourself). The ICO received thousands of complaints from call recipients, many of whom repeated the same details:
- No individual complainant could recall ever purchasing the PPI which Prodial (or its clients) purported to be able to offer a "refund" for;
- The same automated messages were being delivered in calls repeated over a period of five months;
- It was totally unclear how Prodial had got the individuals' contact details;
- Calls were frequently made to numbers that were registered with the Telephone Preference Service;
- There was no option given for opting out of receiving further calls;
- The calls were received at all times of the day and evening – and caught some individuals in inconvenient situations, including one complainant who was "fitting a new bath and not happy at having to climb out from underneath to answer a marketing call…"; and
- Some individuals said they were distressed by the calls (rather than merely annoyed), especially where calls came through to their mobile phones and/or where those individuals were expecting an important call from someone else at the time they were called by Prodial.
The ICO wrote to Prodial in mid-2015 to remind Prodial of its duties under Regulation 19 of the Privacy and Electronic Communications Regulations 2003 (PECR); essentially, not to telephone people for a direct marketing purpose without their consent. Prodial informed the ICO that it had purchased "opt-in" data from a "reputable supplier" and that the data "had been screened against the TPS list" before it was added to Prodial's database. However, Prodial failed to adduce any evidence of the call recipients' consent to be contacted – and subsequently ceased to trade.
Unsurprisingly, the ICO found that Prodial's activities had contravened Regulation 19 of PECR and so a monetary penalty notice (essentially, a fine) under section 55A of the Data Protection Act 1998 was appropriate.
The ICO's monetary penalty notice records that the serious amount of the fine reflects the ICO's findings that:
- Prodial's contravention of PECR was deliberate (as opposed to negligent – although the ICO recognised that Prodial did not, necessarily, seek deliberately to cause distress for call recipients);
- "The sending or instigating of automated calls is a matter of significant public concern" and so the ICO's fine should act as "a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance, on the part of all persons running businesses currently engaging in these practices";
- Prodial's ability to obtain a "commercial advantage over its competitors" (by generating leads from unlawful direct marketing practices) was a particularly aggravating feature; and
- Prodial also contravened Regulation 24 of PECR in not identifying itself as the caller.
We hope that the lessons to be learned here speak for themselves but, in summary: if you are telephoning individuals for direct marketing purposes, do pretty well the exact opposite of everything Prodial did with its bogus PPI refund calls.
If you require further information on anything covered in this briefing please contact Alan Baker (firstname.lastname@example.org; 020 3375 7441) or your usual contact at the firm on 020 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2016