Q2’s enforcement action at the Information Commissioner’s Office (“ICO“) indicates that telemarketing and sending SMS messages in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR“) is increasingly becoming a regulatory hotspot. The PECR provides that data controllers cannot lawfully cold call people who have been registered on the Telephone Preference Service (“TPS“) for more than 28 days without the data subject’s specific consent or (with limited exceptions) send SMS messages without the recipient’s consent. The several enforcement actions in Q2 indicate that this is currently the ICO’s number one enforcement area.
The ICO has also continued to implore organisations to offer adequate data protection training and focus on breaches of the 7th data protection principle (“7th DPP”), which provides for appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data.
Please note that the Google Spain decision about the right to be forgotten that will oblige Google and other search engine providers to remove certain links from their search engine is a European Court of Justice decision. Therefore it is the subject of a separate article.
Amber UPVC Fabrications Ltd (T/A Amber Windows) were issued with both a monetary penalty notice and an enforcement notice for making nuisance calls to individuals who had been registered with the TPS more than 28 days and ringing subscribers who had previously asked not to be rung.
The ICO issued enforcement notices against for DC Marketing Limited for making nuisance calls while failing to correctly identify themselves. The ICO will treat any breach of such notice as a criminal offence. The PECR mandates live telemarketers to give their employer’s identity and, if requested, address and telephone number.
The ICO also raided a SIM farm in Wolverhampton which may have sent more than a million nuisance text messages.
In case readers are not aware:
There have also been three further prosecutions regarding failure to register as a data controller (which itself is a criminal offence).
Barry Spencer, a private investigator, was ordered to pay £20,000 in fines and prosecution costs and received a £69,327.32 confiscation order for tricking organisations into revealing personal data about their customers.
The various Q2 undertakings and the Wolverhampton City Council enforcement notice highlight that lack of effective or any data protection training and human error remain a significant cause of breaches of the 7th DPP.
Nathaniel Lane is a Solicitor in Michelmores’ Technology, Media & Communications team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at email@example.com or on 0207 788 6313.