Consultation on PECR Monetary Penalty Notice Threshold: Initial Thought

Section 55A of the Data Protection Act 1998 (DPA) confers upon the Information Commissioner the power to issue a Monetary Penalty Notice (MPN) to Data Controllers for serious contraventions of the DPA.  This power is extended to cover contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) by virtue of an amendment made to Regulation 31 of the PECRs.

The test for issuing a MPN for contraventions of either the DPA or the PECRs is as set out in Section 55A of the DPA and it requires a number of boxes to be ticked before the Commissioner can issue one:

  • That the Commissioner is satisfied that there has been a serious contravention of section 4(4) of the DPA (or a serious contravention of the PECRs)
  • The contravention was of a kind likely to cause substantial damage or substantial distress
  • and either the contravention was deliberate but failed to take reasonable steps to prevent it; or that the data controller knew (or ought to have known) that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it

It looks complicated, and to an extent it is.  However, what is clear from the way in which the statutory provisions have been drafted and from the binding interpretation given to them by the Upper Tribunal in The Information Commissioner v Niebel [pdf] is that the test is an almost impossibly high one to meet.

The Department of Culture Media and Sport (DCMS) has issued a consultation document seeking the views of those interested as to whether the threshold should be lowered (and to what) for the Commissioner to be able to issue a MPN in respect of breaches of the PECRs (the proposal would see the test remain as is in respect of contraventions of the DPA).

The consultation document makes three proposals:

  1. do nothing
  2. replace the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress with a requirement that the contravention is of a kind likely to cause annoyance, inconvenience or anxiety
  3. remove the requirement for the contravention to be of a kind likely to cause substantial damage or substantial distress altogether and replace it with nothing

The Commissioner favours the third option and the DCMS state in the consultation document that their provisional view is that the third option is their preference too.

I’ve given the consultation some consideration since its publication on Saturday and begun to formulate my response (it’s not a particularly lengthy consultation document and does present three clear and simple options).  What has struck me though is what is missing from option three.  The current test and the second option within the consultation document both include situations where the Data Controller ought to have known that there was a risk that the contravention would occur and that such a contravention was of a kind likely to cause substantial damage or substantial distress but failed to take reasonable steps to prevent it.  However, this appears to be missing from the third option as expressed within the consultation document.

This apparent omission concerns me.  It creates a defence where someone can demonstrate that they didn’t know that there was a risk the contravention would occur even when it is apparent to all and sundry that they really should have known there was a risk.  It basically excuses negligence.  It allows a completely unreasonable situation to avoid the regulatory sanction of a MPN.

This seems like a glaring omission to me and it’s something I’ll certainly be thinking about the possible ramifications of in more detail before submitting a response to the DCMS.  I thought it was an interesting point that was worth raising in a blog.

The DCMS consultation can be found here [pdf] and the deadline for responses to be received by the DCMS is 7 December 2014.

Direct Marketing by E-mail and Text: the need for consent

The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECRs) are probably not the most widely known piece of legislation, but they are important when it comes to marketing – and everyone who hates spam text messages, telephone calls and E-mails would probably benefit from knowing about them!  The Regulations implement a piece of EU law into domestic law (for those that are interested the relevant EU law is Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)) and are concerned with when and how organisations and individuals (which for ease of reference will simply be referred to as ‘organisations’ throughout) can market directly to individuals via electronic means.  Direct marketing means any form of advertising or marketing which is targeted at a specific individual.

The rules are really very simple, but are regularly not complied with by companies large and small.  The general rule is that unless you have the consent of the individual (and that consent should be freely given and informed) then you cannot market directly to individuals via E-mail, text message, telephone call or any other electronic means.  This post will focus on electronic mail only (such as text messages and E-mail).

What does not qualify as consent for the purposes of the PECRs?  Consent isn’t specifically defined within the PECRs; however, the Regulations provide that where a term is not defined within either the PECRs or the Data Protection Act 1998 (DPA) the terms should be given the definition ascribed to it in the Directive.  The Directive, in turn, directs us to another EU Directive (95/46/EC – the Directive upon which the DPA is based) where the definition is given as:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.

It is very clear.  Consent must be:

  • Freely given
  • Specific
  • Informed

When it comes to gaining consent different companies do it in different ways, most of which do not in any way come close to satisfying those three basic requirements.  One way, which I have encountered recently, is to simply build it into their Privacy Policy and/or Terms and Conditions that you consent.  That’s probably the most blatant and flagrant way of breaching the PECRs you can get.  The consent is neither freely given nor informed.  While such organisations might give an option to opt-out at a later date that is insufficient to comply with the Regulations.  Consent isn’t consent unless there is an option not to consent.  Refusing should also be free (except for the cost of transmitting the refusal).  In other words, an individual cannot be charged a fee for refusing (or withdrawing) consent to direct marketing by electronic mail, but if there is a cost to transmitting it (e.g. the cost of a text message or a stamp) then that cost is legitimate.

Another common occurrence is for organisations to have an ‘opt-out’ box requiring the individual to tick in order to say that they don’t consent.  This is nothing more than another form of presumed consent, which clearly doesn’t comply with the requirements of the PECRs.  So far as electronic mail is concerned, the only option is a clear decision to opt-in.

Some organisations will have the opt-in box and will have helpfully already ticked it, meaning that individuals need to un-tick it to withhold their consent to direct marketing by electronic mail.  Again, this is not compliant with the Regulations.  Giving consent is a positive action; if the registration, order form, enquiry form, questionnaire etc. goes away with a pre-ticked marketing box still ticked then it is unclear whether the individual has given their consent to the direct marketing or whether they simply haven’t (for whatever reason) un-ticked the box.

All is not lost though if details have been obtained by stealth.  There ought to be a way of withdrawing consent contained in every text message or E-mail that is received (a requirement of the PECRs).  However, there is another useful right open to individuals.  That right is contained in section 11(1) of the DPA which states:

An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

Simply put, individuals can send a letter or an E-mail or some other form of written notice to the organisation in question requiring them to stop sending direct marketing.  This covers all forms of direct marketing and would include text messages, E-mails, letters, phone calls and such like.  The organisation then has to stop direct marketing within “a reasonable time” – the Information Commissioner gives guidance which states that for direct marketing by electronic means organisations should comply within 28 days, and for postal marketing the guidance is 6 weeks.  These notices are legally enforceable and it is possible to go to Court if an organisation doesn’t comply – alternatively the Information Commissioner can become involved as there will be breaches of the Data Protection Principles if such a notice is not complied with.

This is just a very basic overview of the requirements of the PECRs; the Information Commissioner has produced a more in-depth guide to Direct Marketing [pdf] which covers everything in more detail.  I was prompted to write this blog post based on the sheer number of flagrant breaches of the PECRs that there are.  These breaches are by big names.  Major political parties, FTSE 100 companies and major household brands are failing to act in accordance with a basic requirement: that before they can bombard individuals with direct marketing they have to obtain the freely given and informed consent of the individual.

UK Supreme Court: South Lanarkshire Council v Scottish Information Commissioner

On 8 July 2013 the United Kingdom Supreme Court heard its first appeal in a Freedom of Information case under the Freedom of Information (Scotland) Act 2002 since the functions of the Law Lords in the House of Lords transferred to the Supreme Court.  The case concerned the appeal by South Lanarkshire Council against a decision of the Inner House of the Court of Session.  That appeal was brought by South Lanarkshire Council against decision notice 056/2011 issued by the Scottish Information Commissioner.  The UK Supreme Court (Lady Hale sitting with Lords Kerr, Wilson, Reed and Carnwath) issued its judgment dismissing the appeal on 29 July 2013.

In Decision 056/2011 the Scottish Information Commissioner had found that South Lanarkshire Council had not been entitled to withhold information as to the number of persons at specific points on the Council’s pay spine under section 38 of the Freedom of Information (Scotland) Act 2002.  I wrote about this case when the Inner House issued its decision (also dismissing the appeal by South Lanarkshire Council); you can find out more about the case generally (and the Court of Session’s opinion) in that post.

The case is an important one for information law as it provides some important guidance on the tension between the Freedom of Information (Scotland) Act 2002 and the Data Protection Act 1998 (specifically, condition 6 of Schedule 2).  It is clear from this case and others (such as Common Services Agency v Scottish Information Commissioner [2008] UKHL 47, 2008 SC (HL) 184) that there is certainly no presumption in favour of Freedom of Information over the protections in the Data Protection Act 1998.  Indeed, reading the legislation gives the opposite impression.  The protections for personal data in the Freedom of Information (Scotland) Act 2002 are absolute (i.e. once they apply, that is the end of the matter).

The first data protection principle in Schedule 1 to the Data Protection Act 1998 requires that a data controller shall process personal data only in a way that is fair and lawful.  The Act goes on to provide that personal data cannot be processed unless at least one of the conditions in Schedule 2 is met.  The case at hand concerned condition 6 in Schedule 2, which permits the processing of personal data where it is necessary for the legitimate interests of the data controller or any third party.  There is a qualification, in that the processing must not happen if it would be contrary to the fundamental rights of the data subject.  The case centred on the correct interpretation of ‘necessary’ in condition 6 of Schedule 2.

In the Supreme Court’s judgment, Lady Hale made reference to a number of decisions of the European Court of Justice which supported the view taken by the Divisional Court in Corporate Officer of the House of Commons v The Information Commissioner [2008] EWHC 1084 (Admin) that the word ‘necessary’ had to be interpreted in light of the European Convention on Human Rights and Fundamental Freedoms 1950.

In Rechnungshof v Österreichischer Rundfunk the European Court of Justice stated, at paragraph 68:

“the provisions of Directive 95/46, in so far as they govern the processing of personal data likely to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights, which, according to settled case law, form an integral part of the general principles of law whose observance the Court ensures.”

The ECJ held that if the national legislation was incompatible with Article 8, it was unable to satisfy the proportionality requirements in article 7(c) or (e) of EC Directive 95/46 (to which the Data Protection Act 1998 gives effect in the United Kingdom).

This approach was followed by the ECJ in Huber v Bundesrepublik Deutschland, and so in order to be compatible with the proportionality requirements in the Data Protection Directive, the processing must be compatible with Article 8 of the European Convention on Human Rights and Fundamental Freedoms.

Lady Hale observed at paragraph 26 that the information which Mr Irvine had requested would not allow him, or anyone else, to identify the individuals in question.  As such it was “quite difficult to see why there is any interference with their right to respect for their private lives.” As such, Lady Hale stated, also at paragraph 26, that applying article 7(f) and condition 6 in their own terms was sufficient.

Delivering a final blow to the Council, Lady Hale concluded that the Scottish Information Commissioner “had applied a test that was probably more favourable to the Council than was required and certainly no less favourable.” (Paragraph 28).

So, while it was not really necessary to consider Article 8 of the European Convention on Human Rights and Fundamental Freedoms in this case due to the data subjects not being identifiable from the information requested, it is clear from the ECJ case law in Lady Hale’s judgment that Article 8 is a factor that must be taken into account when considering disclosing information under the Freedom of Information (Scotland) Act 2002 which is the personal information of an identifiable data subject.

Council appeals taxi recording Enforcement Notice

In July the Information Commissioner’s Office (ICO) served an Enforcement Notice against Southampton City Council over its requirement that all licensed taxi cars must record both audio and visual images from within the vehicle on all journeys.  The Enforcement Notice was issued by the ICO using powers conferred on the Information Commissioner under the Data Protection Act 1998.

The City Council’s policy requires that all taxis and private hire vehicles which it licenses are fitted with audio and visual recording equipment and that this is recording at all times regardless of the purpose for which the vehicle is being used.  For example, a private hire taxi driver will likely use the car to transport their family or friends in the way that most people will use their vehicles (e.g. taking their children to school or extra-curricular activities, going to visit family, going for family day trips etc.).  Even in such situations the Council’s policy mandates that the vehicle is recording visual images and audio.  The private telephone conversations of the driver and his passengers will be recorded, as will private conversations between passengers and conversations between the driver and his family.  All the recordings will be stored by the Council.

Such a policy is, to any reasonable person, an extreme interference with a person’s right to a private and family life.  It affords no private space to the driver or their passengers.  The driver is unable to switch the equipment off when using the vehicle for personal use or to afford passengers privacy when making or receiving private telephone calls.

The Information Commissioner’s decision that Southampton City Council should stop the practice seemed to be a sensible one.  Certainly in my view the compulsory recording of both visual images and audio in vehicles regardless of the type of journey being made is a step too far.  It is with regret that the City Council has decided to appeal the decision to the First-Tier Tribunal (Information Rights).

The Council contends that it takes steps to protect privacy by ensuring that the data is encrypted and assuring everyone that the recordings are only looked at when a complaint is made to the City Council or the police.  In support of its policy the City Council cited a number of allegations of sexual assault made against a licensed driver in a licensed vehicle where the allegations could not be taken forward due to a lack of evidence.  The City Council intends to use this evidence as well as other examples where the cameras were in use in support of its appeal.

There is no doubt that the constant video and audio recording of the inside of taxis and private hire vehicles will produce evidence that can cast light on allegations of criminality and also complaints against drivers.  That, it would appear, is not in dispute.  It seems to me that the City Council are entirely missing the point.  The processing of data (which includes the actual recording and not just the storing and/or watching) must be fair.  While the existence of the recordings could be useful in the investigation of a complaint or an alleged criminal offence, one must consider the fairness of recording even the private journeys of drivers while they are not on duty.  That at least should be considered an unfair processing of personal data, even if you accept the invasion of privacy involved in recording all journeys made while a driver is on duty.

There are some arguments in favour of requiring all journeys regardless of purpose to be recorded.  For example, it would ensure that drivers cannot “forget” to turn the equipment on when they begin driving officially and it ensures that drivers cannot switch the equipment off or delete recordings in order to evade prosecution for an offence.  However, these considerations do not appear to me to be sufficient justification for a blanket policy such as the one instigated by the Council.

The City Council is entitled to appeal the enforcement notice, but I hope that they see sense and abandon the appeal.  In the event that the City Council decide to continue with the appeal I hope that the Tribunal will reject it and uphold the Commissioner’s enforcement notice.  The City Council really has gone too far with this policy.

Links
Enforcement Notice (pdf)
Council takes ICO to Information Rights Tribunal over cameras in taxis (Local Government Lawyer)

South Lanarkshire Council v The Scottish Information Commissioner

This decision of the Court of Session (Extra Division, Inner House) delivered on 27 March 2012 by Lord Marnoch is in relation to an appeal by South Lanarkshire Council (“the Council”) against decision 056/2011 of the Scottish Information Commissioner (“the Commissioner”).  It concerns a request for information made pursuant to the Freedom of Information (Scotland) Act 2002 (“FOISA”) by Mr Mark Irvine relating to the number of individuals employed by the Council placed at specific points in the pay structure.

The full facts of the case are set out within the Commissioner’s decision.  The Council, after initially ruling Mr Irvine’s requests as vexatious, withheld the information sought by Mr Irvine on the grounds that it was personal data and to disclose the information would be a breach of the Data Protection Principles.  This exemption is provided for within Section 38 of FOISA, specifically the Council applied Section 38(1)(b) of FOISA to the information sought by Mr Irvine.  The Commissioner found that the Council had incorrectly applied Section 38(1)(b) of FOISA and he ordered the Council to disclose the information to Mr Irvine.  The Council exercised its right under Section 56 of FOISA and appealed to the Court of Session.

One of the contentions that the Council made to the Court was that the Commissioner had erred in law by failing to identify Mr Irvine’s “legitimate interest” in obtaining the information sought.  There is not normally a requirement under FOISA to consider the interests or reasons behind a request for information under FOISA.  However, Schedule 1 to the Data Protection Act 1998 (“DPA”) places an obligation upon the “data controller” (in this case the Council) to ensure that the processing of information is fair and lawful.  It goes on to provide that the data should not be processed unless certain conditions are met.  It should be noted that in this case processing the data would be its disclosure under FOISA.  Relevant in this case is paragraph 6(1) of Schedule 2 to the DPA.  It provides that the data can be processed if it is necessary for the purposes of a legitimate interest of the data controller, or any third party to whom the information would be disclosed (in this case Mr Irvine and the world at large).  There is an exception to this and that is where the processing would be “unwarranted…by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.”  The data subjects in this case would be the employees who fall within the information sought by Mr Irvine.

In essence the Council had to, on this occasion (and unusually in FOISA requests), consider what legitimate interest Mr Irvine had to the information sought.  Furthermore the disclosure of the information had to be “necessary” for the pursuance of that legitimate interest.  The Council also contended that the Commissioner had failed to separately consider the necessity of the disclosure to Mr Irvine’s pursuance of any legitimate interest identified.

The Court of Session rejected both of these arguments.  It found that when viewing the Commissioner’s decision as a whole the Commissioner had identified a legitimate interest and the Court agreed with that legitimate interest.  Furthermore the Court also held that “the Commissioner could only have concluded that necessity was made out.”  Disappointingly, the Court of Session did not say one way or the other whether the Commissioner’s approach in deciding this was correct.  They were satisfied that even had the approach, applying a stricter test, advocated by the Council been followed, necessity would have been made out.

The Court of Session refused the appeal by the Council and upheld the decision of the Information Commissioner.  It remains to be seen whether the Council will further appeal to the United Kingdom Supreme Court.  Such an appeal would need to be filed within 42 days of the Court of Session’s decision and with the leave of the Court of Session.

POSTSCRIPT: 15/04/2013 – South Lanarkshire Council has appealed to the United Kingdom Supreme Court.  The case is due to be heard by that court on 8 July 2013.