The ICO said First Financial had sent out millions of text messages to consumers without having their consent (18-page / 202KB PDF) to do so. The company used unregistered SIM-cards when distributing the messages in an effort to conceal their practices, it said. More than 4,000 complaints were submitted to the ICO about First Financial's activity. Adverts the company ran promoting its payday loans service also fell foul of UK advertising rules.
"People are fed up with this menace and they are not willing to be bombarded with nuisance calls and text messages at all times of the day trying to get them to sign up to high interest loans," ICO director of operations Simon Entwisle said in a statement. "We will continue to target these companies that continue to blight the daily lives of people across the UK. We are also currently speaking with the government to get the legal bar lowered, allowing us to take action at a much earlier stage," he said.
Under the Privacy and Electronic Communications Regulations (PECR) the ICO can fine businesses and other organisations up to £500,000 for serious breaches of the rules, which include in relation to the sending of unwanted marketing emails and texts or live and automated marketing phone calls to individuals. The rules generally prohibit organisations from transmitting or instigating the transmission of unsolicited communications to consumers for the purposes of direct marketing by means of electronic mail unless the person receiving the mail has notified prior consent for the messages to be sent.
In order for the ICO to be justified in serving monetary penalties under PECR, or for data protection breaches under the Data Protection Act (DPA), the watchdog must show that a number of legal tests have been satisfied. These include that the nature of the breach they propose to take action on was "serious" and was "of a kind likely to cause substantial damage or substantial distress". The threshold tests are set out under the DPA.
In October an Information Rights Tribunal overturned a previous decision by the ICO to serve a £300,000 fine against an owner of a company the watchdog had found to have unlawfully sent spam messages. The Tribunal ruled that the thresholds for serving a monetary penalty had not been met, although the ICO has appealed against that finding.
The Government is currently considering whether to change the law to make it easier for the ICO to serve monetary penalties under the PECR framework.
Last month a spokesperson for the ICO told Out-Law.com that it backs plans to relax the rules around serving fines. The ICO receives a large number of complaints about spam messages but the current rules mean it has to wait to take action against the perpetrators, they said. This is because the damage and distress caused by those companies does not, until the evidence accumulates, meet the 'substantial damage or substantial distress' threshold for serving fines, the spokesperson added.
The ICO said that the First Financial's former director, Hamed Shabani, was prosecuted in October for failing to inform it that the company was processing personal data. A failure to notify the ICO of such activity is a criminal offence under the DPA. Shabani was fined £1,180.66 for the offence.