Roundup of the ICO Enforcement Action in Q2 2014
Q2's enforcement action at the Information Commissioner's Office ("ICO") indicates that telemarketing and sending SMS messages in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 ("PECR") is increasingly becoming a regulatory hotspot. The PECR provides that data controllers cannot lawfully cold call people who have been registered on the Telephone Preference Service ("TPS") for more than 28 days without the data subject's specific consent or (with limited exceptions) send SMS messages without the recipient's consent. The several enforcement actions in Q2 indicate that this is currently the ICO's number one enforcement area.
The ICO has also continued to implore organisations to offer adequate data protection training and focus on breaches of the 7th data protection principle ("7th DPP"), which provides for appropriate technical and organisational measures to be taken against unauthorised or unlawful processing of personal data.
Please note that the Google Spain decision about the right to be forgotten that will oblige Google and other search engine providers to remove certain links from their search engine is a European Court of Justice decision. Therefore it is the subject of a separate article.
Amber UPVC Fabrications Ltd (T/A Amber Windows) were issued with both a monetary penalty notice and an enforcement notice for making nuisance calls to individuals who had been registered with the TPS more than 28 days and ringing subscribers who had previously asked not to be rung.
The ICO issued enforcement notices against for DC Marketing Limited for making nuisance calls while failing to correctly identify themselves. The ICO will treat any breach of such notice as a criminal offence. The PECR mandates live telemarketers to give their employer's identity and, if requested, address and telephone number.
The ICO also raided a SIM farm in Wolverhampton which may have sent more than a million nuisance text messages.
In case readers are not aware:
- if you received marketing calls having been registered with the TPS more than 28 days or from organisations you have instructed not to ring you, you can report the matter to the ICO via its online reporting tool or TPS;
- mobile phone users can report spam texts by forwarding the messages to 7726 (spelling out SPAM). This is a crucial tool in providing the ICO with intelligence enabling the ICO to gauge levels of SPAM texts sent by organisations and, where appropriate, take regulatory action; and
- the ICO are lobbying the government to get the legal bar for regulatory action against nuisance calls and texts lowered.
There have also been three further prosecutions regarding failure to register as a data controller (which itself is a criminal offence).
Barry Spencer, a private investigator, was ordered to pay £20,000 in fines and prosecution costs and received a £69,327.32 confiscation order for tricking organisations into revealing personal data about their customers.
The various Q2 undertakings and the Wolverhampton City Council enforcement notice highlight that lack of effective or any data protection training and human error remain a significant cause of breaches of the 7th DPP.
Nathaniel Lane is a Solicitor in Michelmores' Technology, Media & Communications team who has an ISEB Certificate in Data Protection. For further information on this matter or data protection generally, please contact Nathaniel at firstname.lastname@example.org or on 0207 788 6313.