We Buy Any Car along with Saga Services Ltd, Saga Personal Finance and Sports Direct (the “Companies”) have recently been the recipients of ICO fines for sending over hundreds of million nuisance messages and, in doing so, breaching the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Regulation 22 of PECR covers the use of electronic mail for direct marketing purposes, specifically unsolicited communications to individual subscribers. It states that unsolicited communications for the purposes of direct marketing by means of electronic mail are prohibited unless the recipient of the electronic mail has previously notified the sender that they consent. Many people remain unaware – or choose to ignore – that since GDPR came into force “consent” to receive marketing must usually now be on an opt-in rather than an opt-out basis and the ICO have been keen to issue fines in this area.
Collectively the Companies sent over 354 million nuisance messages that they did not have permission to send and the ICO issued fines totalling £495,000. The ICO’s powers to enforce PECR are varied and include criminal prosecution, non-criminal enforcement and audit. The monetary penalty notice is up to £500,000 and can be issued against the organisation or its directors.
There is a stark comparison between the ICO’s powers for breach of PECR compared to GDPR; up to £500,000 and £17.5 million or 4% of turnover respectively. Significant noise is being made to increase the penalty for a breach of PECR so it is in line with GDPR and breaches like these put this debate in the spotlight. It was anticipated that the much-delayed EU ePrivacy Regulation would bring direct marketing rules in line with the GDPR regime but that has not happened to date and, in light of Brexit, the UK government will not be bound by the new rules once they take effect. Considering each marketing email or text cost less than a 13th of a penny, it is questionable whether fines like these even act as a deterrent? It would be quite remarkable if the sales received from these 354 million direct marketing communications were not considerably higher than the £495,000 fine. As such, the economic negatives of the breach could easily be outweighed by the benefits of the direct marketing.
The Department for Digital, Culture, Media and Sport (DCMS) has recently published its suggested reforms of data protection laws within the UK as part of a government consultation on the UK’s future regime for data protection, only three years after many organisations invested in wholesale changes to comply with GDPR. The report states that the government is interested in views on the effectiveness of PECR’s enforcement regime and specifically asks whether fines under PECR should be raised to be consistent with GDPR and ensure it is ‘effective, proportionate and dissuasive’. The proposals are open until 19 November 2021 and give organisations an opportunity to impact the future legal framework for data protection that is ‘ambitious, pro-growth and innovation friendly’ and that ‘underpins the trustworthy use of data’.
Our Commercial Team provides legal and practical advice on a range of commercial and data protection matters. If you have a query, please contact us.
