Tag: First-Tier Tribunal

Appropriate steps and section 166

Last month I highlighted an interesting decision from the First-Tier Tribunal on the much-litigated section 166 of the Data Protection Act 2018 (a section which often results in data subjects being disappointed as to its scope). Yesterday, the Tribunal gave another interesting decision in relation to section 166.

In August 2021, the applicant made a subject access request to a company called Contactout Limited. In November 2021, the applicant complained to the Information Commissioner as the company had not responded to their subject access request. In February 2022, the Commissioner responded to the applicant essentially telling the applicant that there was nothing that the Commissioner could do as the controller was based in the USA. Another fact of key importance is that the applicant was based in the Netherlands and that nothing had been put forward to connect either the applicant or the controller to the UK.

As the Commissioner had provided a response to the applicant, he asked the tribunal to strike out the application as having no reasonable prospect of success. The Tribunal declined to do this (but ultimately dismissed the application). The applicant argued that no adequate explanation had been provided as to why the Commissioner was not the relevant supervisory authority. The Tribunal considered that such an argument had, at least, the potential to fall within the scope of a section 166 application [para 14]. The Tribunal was somewhat critical of the Commissioner’s submission which “failed to engage with the applicant’s actual pleaded case.” [para 14] The Tribunal went on to state that it was not going “so far as holding that a sufficiency of reasoning is required in a public law sense, but the applicant must at least know what the outcome is.” [para 14]

The Tribunal found that the wording of the Commissioner’s response letter to the applicant (quoted in its decision), when taken in isolation, risked misleading the reader of the letter into thinking that the Commissioner was unable to take regulatory action against a controller based in a third country; Article 3 of the UK GDPR and section 207 of the Data Protection Act 2018 create, at least, some scope for such regulatory action. However, the Tribunal decided that the phrase “In relation to your case” within the decision letter from the Commissioner was sufficient to clear up any misunderstanding. The complaint disclosed that there was nothing linking the applicant, their personal data or the controller to the United Kingdom and it was for that reason that the Commissioner had no jurisdiction. So, with that misunderstanding cleared up there was nothing left that the Commissioner could do that could form the basis for the Tribunal issuing an order under section 166.

The application was dismissed.

Section 166 continues to be a disappointment to data subjects; the limited scope of its terms has been affirmed repeatedly by both the FtT and Upper Tribunal. It does not afford a mechanism for appeal for a data subject who is unhappy with the outcome of their complaint to the Commissioner. It is clear, however, that where there remains scope for the Commissioner to take reasonable steps to address the complaint, then there may be some scope for orders under section 166. There is a fine line between considering whether appropriate steps have been taken to respond and whether the response itself was appropriate. The Tribunal is tasked with casting “a critical eye to assure itself that the complainant is not using the s.166 process to achieve a different complaint outcome.” (Killock and ors v Information Commissioner [2021] UKUT 229 at [87]).

ColourCoat Ltd v Information Commissioner

Last week, the First-Tier Tribunal issued its decision in an appeal by ColourCoat Limited (“CCL”) against a Monetary Penalty Notice (“MPN”) issued by the Information Commissioner in respect of contraventions of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

Since 2016, CCL has been installing, as a subcontractor, hydrophobic thermal coatings to combat damp and heat loss in residential properties. In 2019, CCL decided that it would start marketing directly to potential customers and bought lists of names and phone numbers for this purpose.

When calls from CCL were answered, the call operator introduced themselves as being from “Homes Advice Bureau”; the script that they followed had the call operators inform the recipient that they were following up on a Government initiative about loft or cavity wall insulation. The call recipient was informed that they qualified for a free “heat loss and moisture check” which would be carried out by “EcoSolve UK”. If the recipient expressed interest, CCL would thereafter inspect the property and attempt to sell installation services. By the end of October 2019, CCL’s turnover had increased seven-fold.

In February 2020, the Information Commissioner noted that their office had received a number of complaints about unsolicited direct marketing calls from a company calling themselves “Homes Advice Bureau”. CCL was identified by the Commissioner, using statutory powers, as the source of these calls. The Commissioner discovered that CCL had made almost 970,000 calls for the purpose of direct marketing between August 2019 and March 2020. Of these calls over 450,000 were made to numbers registered with either the Telephone Preference Service (TPS) or Corporate Telephone Preference Service (CTPS) and had been so registered for more than 28 days.

The Commissioner issued a Notice of Intent and a Preliminary Enforcement Notice in February 2021. After CCL had made representations through its solicitors, the Commissioner served an MPN (in the sum of £130,000) and Enforcement Notice on CCL on 16 June 2021. The Commissioner had found CCL in breach of Regulations 21(1)(a), 21(1)(b), 21(A1) and 24(1)(b) of PECR.

CCL did not dispute that it had breached Regs 21(1)(a) and (b); however, it did dispute the breaches of Regs 21(A1) and 24(1)(b) of PECR; it also appealed the amount of the MPN. However, the FTT held that CCL was in contravention of Regs 21(A1) and 24(1)(b).

In relation to Reg 21(A1), the FTT held that CCL had used mobile numbers from which it could not be identified and that at least one of the numbers used was registered to a pseudonym (“John Smith”).

In relation to Reg 24(1)(b), the FTT found that CCL had failed to provide call recipients with its name. The FTT said, at para 36, that “[w]hile a company can trade under a trading name, PECR requires anyone making unsolicited direct marketing calls to provide their name – in this case, the registered company name.” The FTT noted that the Commissioner had experienced difficulty in identifying CCL as the source of the call and had only been able to do so by making use of their statutory powers; something that would have been “impossible for the call recipients” [para 36].

CCL had sought to argue that its contravention of Reg 21(1)(a) had been negligent; however, the FTT held that it was deliberate. Names would only go on CCL’s “Do Not Call” list if an individual was particularly forceful or insistent. CCL’s sole director confirmed in oral evidence to the FTT that a call recipient who had told CCL to “go away” would be called again in case they were just in a bad mood or in a rush. [para 39]

In relation to the contravention of Reg 21(1)(b), the FTT held that that was negligent. At paragraph 41 of its decision it states that CCL “knew or ought to have known that there was a risk that calls would be made to” TPS and CTPS registered numbers. The data list invoices received by CCL contained references to TPS and GDPR so although the company lacked actual knowledge of these matters, CCL “could have easily researched the relevant rules and put screening software in place.” [para 41].

In relation to the amount of the MPN, the FTT held, at para 44, “that the Commissioner had taken a careful, detailed and reasonable approach to determining the amount of the penalty” and that it had done so in line with the principles that penalties should be effective, proportionate and dissuasive and whether a fair balance has been struck between means and ends. Furthermore, the decision was in line with the Commissioner’s Regulatory Action Policy and published guidance.

The FTT noted that CCL “had targeted older, and potentially more vulnerable, people and by using a “neutral” trading name and referring to a Government initiative, created the false impression that [CCL] was providing an official or Government authorised service.” [para 48] The FTT also held that, during the period of the contraventions, CCL’s turnover had been high and that a “substantial proportion” was likely to have been derived from the marketing campaign. [para 50]

The appeal was dismissed.

The FTT makes some interesting comments in its decision in this appeal that ought to be kept in mind by people undertaking direct marketing and those advising them on the lawfulness and/or privacy aspects of direct marketing. If you’re using a trading name and it is not immediately obvious from that trading name who the actual caller (or instigator, if different) is then that is information that requires to be provided as part of the call.

The FTT also noted what was said by the Upper Tribunal in the Leave.EU appeals that comparisons with other penalties issued by the Commissioner are not helpful in assessing whether another penalty is appropriate. While there are principles that underpin how the Commissioner (and FTT) will assess what is an appropriate level of penalty, what that is will vary depending on the facts of each case (although being wildly out of step from other penalties may be an indication that something has gone wrong, but consideration would also need to be given to what material differences exist between each case).

When no complaint is found

Section 166 of the Data Protection Act 2018 has produced a reasonable amount of litigation arising out of what appear to be repeated fundamental misunderstandings by data subjects as to what section 166 provides them with. The Upper Tribunal has authoritatively, on more than one occasion, stated that the right afforded by section 166 of the 2018 Act is limited and does not provide a route for an unhappy data subject to appeal the outcome of their complaint to the Information Commissioner.

A recent FTT decision on section 166 took a slightly different approach, striking out the appeal on the grounds that the applicant had not even made a complaint to the Commissioner and so the Commissioner’s obligation to provide information as to the progress of the complaint was not even engaged.

On 25 May 2021, the applicant copied the Information Commissioner’s Office into an E-mail that had been sent to various other organisations. In that E-mail, the applicant raised a number of issues, none of which seem to have engaged the data protection legislation. There was, attached to the E-mail, an annotated copy of an E-mail that she had received days earlier from the Home Office.

On 8 June 2021, a case officer at the ICO wrote to the applicant to inform her that none of the issues she had raised fell within the jurisdiction of the Commissioner and advised her to complete one of the ICO’s complaint forms if she wished to raise a complaint under the data protection legislation.

The Commissioner argued that as no valid complaint had been made to his office there was no complaint to progress and therefore the application under section 166 of the Data Protection Act 2018 had no reasonable prospect of success.

Judge O’Connor agreed with the Commissioner and concluded that there was no reasonable prospect that the applicant could establish the contrary. Therefore, the application was dismissed. Judge O’Connor did go on to state that even if he was wrong on this, the Commissioner’s letter dated 8 June 2021 was a response and so the Tribunal would have had no jurisdiction under section 166 of the Act in any event.

This case is rather different to the usual section 166 cases that have been seen until now. It suggests that the Information Commissioner is taking a robust approach to what is and what is not a complaint. It has been the case for many years that the ICO would not typically respond to E-mails where they have simply been copied in. The Tribunal appears to be willing, at least in this case, to conclude that no complaint in terms of Article 77 of the UK GDPR or section 165 of the Data Protection Act 2018 has been made to the Commissioner where that is appropriate, and strike out section 166 applications which follow on the back of correspondence not amounting to a proper complaint.