On 15 December 2015 the Information Commissioner's Office (ICO) issued Telegraph Media Group Limited (the Telegraph) with a Monetary Penalty Notice (see here) under section 55A of the Data Protection Act 1998 (DPA 1998) following a "serious contravention" of Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR 2003).
On 7 May 2015, the date of last year's general election, a letter from the Editor of The Daily Telegraph was attached to the regular "morning briefing" e-bulletin sent to those who had subscribed to the Telegraph's "editorial content" mailing list. The letter included a copy of that day's lead story endorsing David Cameron, stated that the election was the most important since 1979, asked "do we continue under the Conservatives with the open, enterprise-led economic approach that has underpinned our prosperity for nearly 40 years? Or do we revert to an old-style, "government-knows-best" culture championed by the most leftwing Labour leader for a generation?" and stated "The Daily Telegraph urges its readers to vote conservative".
Regulation 22 of PECR 2003 precludes the transmission of unsolicited communications for the purposes of direct marketing except where the recipient has consented (Regulation 22(2)) and/or where contact details have been obtained in the course of a sale or negotiations for the sale of a product or service to the recipient, the direct marketing is in respect of similar products and services offered by the seller and the recipient has been given a means of refusing (Regulation 22(3)). The latter provision is known as the "soft opt-in rule". The ICO considered that direct marketing included the promotion of particular views or campaigns such as those of a political party.
The ICO held that some of the subscribers to the "editorial content" mailing list had opted out of receiving marketing communications from the Telegraph but others had not and that the "soft-opt in rule" did not apply here as it did not extend to charity fundraising and political campaigning. It found that the letter was promoting the Conservative Party's election campaign and that subscribers to the "editorial content" mailing list had not provided the Telegraph with specific consent to receive such a communication.
In considering whether the requirements for a Monetary Penalty Notice under section 55A were met, the ICO held that the Telegraph was responsible for the contravention of Regulation 22(2) PECR 2003 and that the contravention was "serious" because of its scale. It did not find that the contravention was deliberate, but held that it was negligent as 1) the Telegraph knew or ought reasonably to have known that there was a risk that the contravention would occur given that it sent marketing communications to readers by email on a regular basis and could therefore reasonably be supposed to have been aware of its responsibilities and 2) the Telegraph failed to take reasonable steps to prevent the contravention. In this instance reasonable steps would have included obtaining specific consent.
In reaching a figure of £30,000 for the Monetary Penalty Notice (to be reduced to £24,000 if payment is made by 14 January 2016, the date for payment otherwise being 15 January), the ICO considered that the 17 complaints received by the Telegraph and the ICO constituted an aggravating factor and that the following were mitigating factors:
- the contravention was unprecedented;
- it was unlikely to cause substantial damage or substantial distress to the Telegraph's readers;
- the Telegraph had taken substantial remedial action and fully co-operated with the ICO; and
- there was potential for significant damage to the Telegraph's reputation as a result of the contravention which may affect future business.
The ICO's response indicates a robust approach to enforcement of PECR 2003. Steve Eckersley, Head of Enforcement at the ICO, said "People signed up to The Telegraph's email service so they could catch up on the news or find out about subjects they were interested in. They did not expect to be told who they should be voting for". It appears that the letter was attached after a last minute instruction from editorial staff, but while this was a factor, Mr Eckersley stated that "Regardless of the circumstances, this organisation fell short of the law and we have acted". It is clear that all data controllers must be pro-active in ensuring compliance with the various data protection rules and that all forms of marketing communication should be reviewed for potential legal implications. While the £30,000 fine here was relatively low given the prevalence of mitigating factors, the maximum fine that the ICO can impose on data controllers is £500,000, so the financial implications (not to mention the reputational impact) of a breach can be severe. The ICO guidance on the PECR 2003 can be found here.