The ICO fined Christopher Niebel and Gary McNeish £300,000 and £140,000 respectively over a serious breach of the UK's Privacy and Electronic Communications Regulations (PECR). The watchdog said that it had conducted an 18 month investigation into Tetrus Telecoms, the firm owned by the two men, and found that more than 400 complaints it had received from the public about spam text messages could be linked to the business. Niebel has said he will appeal the decision, according to a report by the BBC.
It is the first time the ICO has used its powers to issue fines over unsolicited direct marketing communications under PECR since it was handed the power to serve monetary penalties of up to £500,000 to those responsible for a breach of the regulations in May 2011.
The ICO said it was considering serving fines on three other firms as part of its "crackdown on the illegal marketing industry" and that further enforcement action could be taken against companies that bought data from Tetrus.
"The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls and we are currently cracking down on the companies responsible, using the full force of the law," Information Commissioner, Christopher Graham, said in a statement.
“In March we set up a survey on the ICO website so people can tell us about any unwanted texts and calls they have been receiving. So far we have received over 60,000 responses. We know the majority of these messages and calls have been made by companies who try to remain anonymous in the hope they can profit by selling personal information to claims management companies and other marketing organisations. We are using the information provided by the public to identify those responsible," Graham added.
The ICO said that its investigation had uncovered evidence that Tetrus used unregistered pay-as-you-go SIM cards to send up to 840,000 spam texts every day from offices in Stockport and Birmingham, raising income of between £7,000 and £8,000 each day. It said that it made the money by passing on the numbers of those who responded to the texts, even if just to seek to opt out of receiving further messages, to others.
Under the Privacy and Electronic Communications Regulations (PECR) the ICO can fine businesses and other organisations up to £500,000 for serious breaches of the rules, which include in relation to the sending of unwanted marketing emails and texts or live and automated marketing phone calls.
Under PECR it is generally prohibited for an organisation to transmit or instigate the transmission of unsolicited communications for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has notified prior consent for the messages to be sent. The marketing companies also must not disguise or conceal their identity in the messages or use invalid addresses where recipients of the messages would send responses to ask for the messages to stop being sent.
Companies can send direct marketing via electronic mail if they have "obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient", where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication."
Recipients must not be charged when opting-out other than what it costs them for the "transmission" of their refusal, according to the Regulations.
“The two individuals we have served penalties on ... made a substantial profit from the sale of personal information," Christopher Graham said. "They knew they were breaking the law and the trail of evidence uncovered by my office highlights the scale of their operations."
"We will continue to work with the relevant authorities as well as the network providers to ensure companies like this are punished. We’re also working with the Ministry of Justice to target claims management companies who purchase this information breaching the industry regulations, the Data Protection Act, as well as electronic marketing regulations. Our message to the public is that if you don’t know who sent you a text message then do not respond, otherwise your details may be used to generate profits for these unscrupulous individuals," the Information Commissioner added.
The ICO said that Niebel and McNeish face criminal prosecutions for failing to notify it that Tetrus was a processor of personal data, as is required under the Data Protection Act.