Christopher Niebel challenged whether the Information Commissioner's Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws. Niebel co-owns Tetrus Telecoms with Gary McNeish. Between them the men were last year fined a total of £440,000 by the ICO for breaching the UK's Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.
Niebel appealed against the decision and argued that a threshold for imposing a monetary penalty requiring a breach to be "serious and to be of a kind likely to cause substantial damage or substantial distress" had not been met. The Data Protection Act requires that threshold test to be passed before the ICO is justified in serving a fine under either the DPA or PECR.
Judge NJ Warren upheld Niebel's appeal (7-page / 91KB PDF) despite ruling that Niebel, and Tetrus, had "engaged in sending unwanted text messages on an industrial scale" in breach of PECR. Hundreds of thousands of messages were sent from unregistered sim cards in a bid to find individuals with a claim for being mis-sold payment protection insurance or who were victims in accidents, he said.
The ICO had served the £300,000 on Niebel after finding that he had sent hundreds of thousands of spam texts to individuals who did not consent to receive them, but during the hearing the watchdog admitted that it held evidence of only 286 of the texts being sent after 26 May 2011. The date is significant as prior to then the ICO did not have the power to issue monetary penalties for breaches of PECR rules.
As a result, judge NJ Warren ruled that it would be "most unlikely" for the "nature and scale" of Niebel's breach "to cause substantial damage".
The judge said that it was also "highly unlikely" that individuals would be disturbed by being reminded about previous accidents as a result of receiving the spam texts or that they would be distressed by the raising of "false expectations of compensation".
"In our judgement the effect of the contravention is likely to be widespread irritation but not widespread distress," he said. "Given the scale of the contravention, there is the possibility of some distress in very unusual circumstances but we cannot construct a logical likelihood of substantial distress as a result of the contravention. We conclude that the contravention is not of a kind likely to cause substantial distress."
In August the ICO lost a similar appeal case concerning its justification for imposing a monetary penalty under the Data Protection Act. In that ruling judge NJ Warren said that the ICO was wrong to serve Scottish Borders Council with a £250,000 fine over an allegedly flawed outsourcing arrangement it had with a data disposal contractor.
"There was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress," judge NJ Warren said at the time.
Under PECR the ICO can fine businesses and other organisations up to £500,000 for serious breaches of the rules, which include in relation to the sending of unwanted marketing emails and texts or live and automated marketing phone calls to individuals. The rules generally prohibit organisations from transmitting or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has notified prior consent for the messages to be sent.
The marketing companies also must not disguise or conceal their identity in the messages or use invalid addresses where recipients of the messages would send responses to ask for the messages to stop being sent.
Companies can send direct marketing via electronic mail to consumers if they have "obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient", where the marketing is for "similar products and services only" and providing the recipient has a "simple means" to refuse the use of their contact details for that marketing "at the time of each subsequent communication."
Recipients must not be charged when opting-out other than what it costs them for the "transmission" of their refusal, according to the Regulations.