Out-Law News

Terms of data sharing agreement cannot demonstrate compliance with direct marketing rules, says tribunal


Businesses using personal data passed on by third parties for direct marketing purposes cannot claim they are compliant with privacy rules by relying on the terms of their data sharing agreement, an information rights tribunal has confirmed.

Optical Express had a contract with data suppliers, including Thomas Cook, which required those suppliers to only provide it with 'consented data'. It claimed this demonstrated it had the consent necessary to engage in direct marketing activity.

The UK's Privacy and Electronic Communications Regulations (PECR) generally prohibit organisations from sending or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has given their prior consent for the messages to be sent or other limited exceptions apply.

Optical Express sent text messages to consumers relating to laser eye surgery but approximately 7,500 complaints were made about the activity.

The Information Commissioner's Office (ICO) issued an enforcement notice against Optical Express in which it claimed the company had breached PECR. Optical Express challenged the notice, arguing, among other things, that the terms of its data supplier contracts showed it had "sufficient proof of consent".

However, the ICO said consumers who had received the Optical Express (OE) text messages had not given their consent to them.

"When consent was obtained by Thomas Cook or whomever, it was not stipulated (or at least it has not been shown to have been stipulated) that the personal data would be processed by OE," Brian Kennedy QC said in his First-Tier Information Rights Tribunal ruling. "Neither was the marketing of specific types of product stipulated. In my opinion it should say something about the products to be marketed if they are different from the business of, for example, Thomas Cook."

"If the data subject doesn’t know what other products might be marketed then how can he exercise his right to object to some of them whilst being happy to receive others? … By failing to obtain proper, fully informed and specific consent in accordance with [EU data protection law requirements which PECR provisions must be read in conjunction with], OE fall foul of [the EU's Privacy and Electronic Communications Directive from which PECR stems]," he said.

Brian Kennedy QC also dismissed claims from Optical Express that it is the responsibility of the ICO to provide evidence of non-compliance when issuing enforcement notices. He said it was up to Optical Express to demonstrate its compliance to rebuff the enforcement notice but that it had failed to do so.

"For the sake of clarity, the Tribunal finds that the onus or burden of proof that the texts were not unsolicited and/or made with consent is and was at all times with OE," he said.
