The Information Commissioner's Office ("ICO") is the regulatory authority which enforces the principal UK legislation relating to data protection and privacy, and so it falls to the ICO to intervene when telemarketers are in breach of legal restrictions on unsolicited communications. In the case of Keurboom Communications Limited ("Keurboom"), their use of automated calls recently earned them a fine of £400,000 from the ICO. This is the largest fine to date from the ICO for nuisance marketing, though they have the power to impose higher fines – currently, the upper limit is £500,000.
Having made almost 100 million calls over the course of 18 months, Keurboom had committed a particularly serious breach of the Privacy and Electronic Communications Regulations 2003 ("PECR").
The rules under PECR
For direct marketing communications which are unsolicited and sent by electronic means, PECR is the key law. The people who Keurboom were calling had not provided any consent for the automated calls they received, which put Keurboom in breach of PECR Regulation 19. This provides, in brief, that it is unlawful to transmit recordings that amount to marketing material by using an automated calling system, unless prior consent to such communications was provided by the recipient of the transmission. This may be an important lesson for the director of Keurboom, who has acknowledged automated marketing calls as "annoying" but claimed "that doesn't make them illegal".
In addition, PECR requires that for marketing calls of this nature, it is necessary to include the name of the person behind the calls and details for contacting them. This is established in Regulation 24.
Alongside PECR sits the Data Protection Act 1998 ("DPA"), the other key UK legislation which relates to the ICO's role as the privacy regulator. Under DPA section 55A, the ICO can issue fines for serious breaches of PECR where:
(i) the offending party deliberately contravened the rules; or
(ii) the offending party knew or should have known that there was a risk of contravening, but failed to take reasonable steps to prevent this.
Keurboom's actions were deliberate and so the contravention was deemed deliberate. As for what makes a breach a serious one, there are various aspects of a marketer's conduct that the ICO may take into account.
What behaviour warrants a large fine?
Clearly in Keurboom's case, the sheer number of those affected meant that the breach was a major one – the previous record fine (£350,000) was the result of a company making over 46 million calls, but Keurboom had more than doubled that number. Duration is considered as well, so a shorter spell of making such calls would be less serious in the eyes of the ICO.
On top of this, the ICO investigation had discovered that calls were made repeatedly to the same individuals, sometimes more than once in a day, and at unsocial hours. In some cases, the calls included attempts to mislead recipients by indicating that they related to an urgent matter – recent road accidents or current PPI claims. The ICO is more likely to receive complaints in such circumstances, and in Keurboom's case 1,036 complaints were made, which naturally makes the ICO keen to respond.
As a rule, breaches which are deliberate are likely to attract higher penalties than cases with a risk of contravening and no reasonable steps undertaken to prevent it. In a 2014 case involving unsolicited text messages, the texts purported to be from "Mum", so this was a marketer purposefully concealing their identity rather than simply failing to disclose it. There are many other escalating factors which could arise, such as contraventions deriving from negligence, contraventions relating to "issues of public importance", failure to take account of whether recipients are on the Telephone Preference Service's opt-out register, and failure to maintain complaints procedures.
Keurboom has now gone into voluntary liquidation. Though the ICO has declared a commitment to recovering the fine by working with the liquidator and insolvency practitioners, this does raise the question of whether these fines are effective deterrents when the impact of the fines is curtailed in this way.
Last October, the government had announced a plan to address the problem by imposing up to £500,000 of liability on directors of businesses that breach PECR. However, this change was supposed to be introduced in Spring 2017, and nothing more has materialised thus far, so it remains to be seen whether this proposal will resurface.
It is also worth noting that significant new legislation in this area is on the horizon, as we gradually approach May 2018 – this is when the General Data Protection Regulation ("GDPR") will enter into force in the UK (and across the EU), and the new ePrivacy Regulation is due to enter into force at the same time, although this deadline may slip. Together the GDPR and the new ePrivacy Regulation will supersede the DPA and PECR respectively, and non-compliance is set to be far more costly. Serious fines will amount to millions of pounds, and there is potential for fines as high as 4% of annual worldwide turnover. Therefore, once these new powers are in force, we can expect that the ICO will be setting more records with its fines, far exceeding the penalty for Keurboom.