Ordanduu GmbH & Anor, R (On the Application Of) v Phonepayplus Ltd

The Claimants are companies registered and regulated in Germany who provide prize quiz competitions over the internet to several countries in and outside the EU. The UK is one of the Claimants’ biggest markets. They are subsidiaries of eGentic GmbH, an online marketing company.

Consumers in the UK can take part in the Claimants’ competitions by subscribing via their mobile phones using “Payforit” which is a system operated by the UK Mobile Network Operators Services. Payforit is a Controlled Premium Rate Service regulated under sections 120-124 of the Communications Act 2003 (“the 2003 Act”). Ofcom has delegated day-to-day regulation of premium rate services to the Defendant, although final responsibility rests with Ofcom.

The Defendant carries out its functions in accordance with the PhonepayPlus Code of Practice (“the Code”), a set of rules approved by Ofcom pursuant to section 121 of the 2003 Act. It applies, in particular, to “Level 2 providers”, who are the persons responsible for the operation, content and promotion of the relevant premium rate service, and to “Level 1 providers”, who provide the platform to enable premium rate services to be accessed by a consumer. The Claimants are registered with the Defendant as Level 2 providers.

This claim arises out of actions taken by the Defendant against the Claimants, which culminated in the decision notified to the Claimants on 21 August 2013, following the marketing of the Claimants’ online quiz games by an “affiliate marketer” using unlawful means. An affiliate marketer had used software called “ransomware” (which is a form of “malware”) which blocked the internet browsers of users in an attempt to force the user of the computer to subscribe to online services. The website in question invited users to pay to subscribe to the Claimants’ quiz games to unlock their browsers; even when this was done, the browser remained blocked.

The actions taken by the Defendant against the Claimants included a total suspension of the Claimants’ business in the UK from 24 June to 15 July 2013 (and a partial suspension thereafter until mid-August 2013), freezing about £350,000 of the Claimants’ revenue in the hands of third parties, and imposing penalties and administrative charges for breaches of the Code. The extent of the Claimants’ alleged losses and harm sustained are identified at paragraphs 69-79 of Ms Nicole Schmich’s witness statement dated 22 November 2013.

The Claimants contend that the Defendant’s actions were unlawful, principally for three reasons:

Article 56 TFEU provides:

“Within the framework of the provisions set out below, restrictions on freedom to provide services within the Union shall be prohibited in respect of nationals of Member States who are established in a Member State other than that of the person for whom the services are intended.”

Article 16 (Freedom to conduct a business) and Article 17 (Right to property) of the Charter of Fundamental Rights of the European Union (“the Charter”) complement Article 56 TFEU.

The Directive establishes a framework for the regulation of information society services in the EU, based on the fundamental principle that service providers should be regulated in their Member State of establishment, subject to certain derogations in the Directive.

The first two paragraphs of Article 3 of the Directive set out the general principle:

“1.

Each Member State shall ensure that the information society services provided by a service provider established on its territory comply with the national provisions applicable in the Member State in question which fall within the co-ordinated field.

2.

Member States may not, for reasons falling within the co-ordinated field, restrict the freedom to provide information society services from another Member State.”

Article 3(4) of the Directive sets out the conditions under which a Member State may derogate from the country of origin principle:

“Member States may take measures to derogate from paragraph 2 in respect of a given information society service if the following conditions are fulfilled:

(a)

the measures shall be:

(i)

necessary for one of the following reasons:

- public policy, in particular the prevention, investigation, detection and prosecution of criminal offences, including the protection of minors and the fight against any incitement to hatred on the grounds of race, sex, religion or nationality, and violations of human dignity concerning individual persons,

- the protection of public health,

- public security, including the safeguarding of national security and defence,

- the protection of consumers, including investors;

(ii)

taken against a given information society service which prejudices the objectives referred to in point (i) or which presents a serious and grave risk of prejudice to those objectives;

(iii)

proportionate to those objectives;

(b)

Before taking the measures in question and without prejudice to court proceedings, including preliminary proceedings and acts carried out in the framework of criminal investigation, the Member State has:

- asked the Member State referred to in paragraph 1 to take measures and the latter did not take such measures, or they were inadequate,

- notified the Commission and the Member State referred to in paragraph 1 of its intention to take such measures.”

Article 3(5) provides for an exception from compliance with the notification condition in Article 3(4)(b):

“Member States may, in the case of urgency, derogate from the conditions stipulated in paragraph 4(b). Where this is the case, the measures shall be notified in the shortest possible time to the Commission and to the Member State referred to in paragraph 1, indicating the reasons for which the Member State considers that there is urgency.”

Article 3(6) provides:

“Without prejudice to the Member State’s possibility of proceeding with the measures in question, the Commission shall examine the compatibility of the notified measures with Community Law in the shortest possible time; where it comes to the conclusion that the measure is incompatible with Community Law, the Commission shall ask the Member State in question to refrain from taking any proposed measures or urgently to put an end to the measures in question.”

The provisions of Article 3 of the Directive are implemented in the UK by the 2002 Regulations.

Section 121 of the 2003 Act gives the power to Ofcom to approve a code for the regulation of the provision of premium rate services which includes the arrangements made by the providers of premium rate services for promoting and marketing those services. The provisions of the Code must be, inter alia, objectively justified, non-discriminatory, transparent and proportionate to what they are intended to achieve (s.121(2)).

Ofcom has approved the Code under section 121 of the 2003 Act. The scope of the Code and the definition of providers of premium rate services are defined in paragraphs 1.2 and 1.3 (and Part Five) of the Code respectively. Paragraph 1.7 states:

“Save as is provided below, this Code applies to all premium rate services which are accessed by users in the United Kingdom or provided by a Level 1 or Level 2 provider which is situated in the United Kingdom.”

Part Two of the Code sets out required outcomes and rules relating to all premium rate services. Paragraph 2 states:

“The outcomes which premium rate services are expected to achieve are set out below. They are followed by sets of rules which have to be complied with.

References to premium rate service or services in this Code include all aspects of a service including content, promotion and marketing and any technical matters including those relating to the delivery and quality of sound or picture.

Level 2 providers have responsibility for achieving these outcomes by complying with the rules in respect of the provision of the relevant premium rate service. All Network Operators and Level 1 providers involved in providing premium rate services must take all reasonable steps in the context of their roles to ensure the rules are complied with.”

The relevant Rules in respect of which breach is alleged are: consumers of premium rate services must be treated fairly and equitably (Rule 2.3.1); Premium rate services must not mislead or be likely to mislead in any way (Rules 2.3.2); Premium rate services must not induce and must not be likely to induce an unreasonable sense of fear, anxiety, distress or offence (Rule 2.5.5); and Level 2 providers must ensure that their services are not promoted in an inappropriate way (Rule 2.5.6).

Paragraph 3.1 of the Code sets out the general responsibilities of all network operators, Level 1 and Level 2 providers. Paragraph 3.1.3 provides they must

“assess the potential risks posed by any party with which they contract in respect of, inter alia, the promotion, marketing and content of the premium rate services which they provide or facilitate and take and maintain reasonable continuing steps to control those risks.”

Part Four of the Code is concerned with investigations, procedures and sanctions. In appropriate cases where an apparent breach of the Code has caused little or no consumer harm, PhonepayPlus may use the Track 1 procedure (para 4.3). When PhonepayPlus receives or initiates a complaint, the Track 2 procedure will usually be used (para 4.4). In appropriate cases where an apparent breach of the Code has taken place which is serious and requires urgent remedy, PhonepayPlus will use the emergency procedure (para 4.5).

The emergency procedure is set out in paragraph 4.5 of the Code which, in so far as is material, states:

“4.5.1

In appropriate cases where an apparent breach of the Code has taken place which is serious and requires urgent remedy, PhonepayPlus will use the Emergency procedure:

(a)

PhonepayPlus will conduct an immediate preliminary investigation;

(b)

On completion of its preliminary investigation, PhonepayPlus will notify its findings to three members of the CCP [the Code Compliance Panel]. The three people notified will decide whether the situation is sufficiently serious and urgent to warrant the use of the Emergency procedure;

(c)

If all three people agree on the use of the Emergency procedure, PhonepayPlus will:

(i)

Use its best endeavours to inform the relevant party that its service appears to be in breach of the Code, that the Emergency procedure is being used and direct it to suspend the service immediately,

(ii)

Direct any relevant Network operator or Level 1 provider to retain any payments outstanding in respect of the service under investigation,

(iii)

Direct any relevant Network operator or Level 1 provider to bar access to the relevant service or numbers immediately if the party under investigation cannot be contacted or does not immediately suspend the service,

(iv)

Publish its use of the Emergency procedure in such manner as it sees fit;

(d)

Once the service has been suspended, PhonepayPlus will provide the relevant party with all necessary information about the alleged breaches of the Code. This will include details of the service and/or promotional material and will refer to the relevant sections of the Code;

(e)

The relevant party will then have five working days in which to respond and provide any information requested. In exceptional circumstances, PhonepayPlus may set a shorter time limit;

(f)

All relevant information, including any response from the party under investigation, will be placed before a Tribunal as soon as is reasonably practicable after the relevant party has responded, or the deadline for response has passed;

(g)

The relevant party will be informed by PhonepayPlus of the date of the Tribunal consideration and entitled to make informal representations to it on that date in person in order to clarify any matter.”

Paragraph 4.5.3 of the Code provides for review of the Emergency procedure:

“Review of Emergency procedure

(a)

Within two working days following the making of a direction under paragraph 4.5.1(c), or at any time prior to adjudication in the event that new information comes to light suggesting that the use of the Emergency procedure is not appropriate, the relevant party may apply to PhonepayPlus for an urgent review of the use of the Emergency procedure in the particular case.

(b)

The application for review must be made in writing, must include any supporting evidence and must set out:

(i)

the grounds on which the relevant party considers that the Emergency procedure should not have been used; and/or

(ii)

the grounds on which the relevant party considers that access to the service or numbers should no longer be prevented.

(c)

Subject to any requirement for further information, a Tribunal will consider the matter within two working days of receipt of an application for review and will decide, through whatever process it decides, whether the prevention of access to the services or numbers should continue pending completion of the normal Emergency procedure process, or whether access should be permitted to some or all of the services or numbers concerned, and if so upon what, if any, conditions. The Tribunal may also decide whether the Emergency procedure should be changed to a Track 2 procedure and/or whether PhonepayPlus should direct any relevant Network operator, Level 1 provider or Level 2 provider to cease retaining any payments outstanding in respect of the service under investigation.”

Paragraph 4.6 of the Code headed “Adjudication” provides that the Tribunal will make a decision as to whether the Code has been breached on the basis of the evidence presented to it. The power of Tribunals to review determinations made in respect of applications for prior permission, adjudications, sanctions and/or administrative charges is contained in paragraph 4.7 of the Code. The Tribunal can apply a range of sanctions depending on the seriousness with which it regards the breach(es) upheld (see para 4.8 of the Code).

The reach of the Code is defined in paragraph 5.2:

“5.2.1

Some premium rate services may also be ‘information society services’ … Information society services are required to be regulated in accordance with Directive 2000/31/EC on Electronic Commerce (‘the E-Commerce Directive’). The Code will apply to such services when the Level 1 or Level 2 provider responsible for the provision of those services under the Code is:

(a)

established in the United Kingdom; or

(b)

established in another EEA member state, but only where:

(i)

the services are being accessed or may be accessed from within the United Kingdom, and

(ii)

the conditions set out in Article 3.4 (read, as appropriate, in accordance with Article 3.5) of the E-Commerce Directive are satisfied.”

Ms Joanne Prowse, the Defendant’s Acting Chief Executive Officer, explains in her witness statement how the Defendant’s Research and Market Intelligence Team (“RMIT”) came on 12 June 2013 to monitor a number of sites that employ ransomware, having been directed to such sites by messages referring to them on online forums. Ransomware is, she says, a particularly (perhaps the most) aggressive and damaging form of promotion which has been used by a small minority of unscrupulous affiliate marketers to promote Premium Rate Services (“PRS”). RMIT identified that the ransomware site “wifihackpassword.com” was being used to block consumers’ internet browsers and to try to force them to subscribe to PRS of ten different providers, including the Claimants.

Between 12 and 19 June 2013 RMIT carried out further work to assess the scale of the potential consumer harm that existed from the use of ransomware in the PRS market as a whole. Ms Prowse describes much of this work as being “technically complex and time consuming”.

On 19 June RMIT considered the findings of their work with colleagues, including the Defendant’s internal legal team at a meeting at which it was agreed that the use of the ransomware to promote the Claimants’ services should be the subject of a request that the Emergency procedure of the Code (“EP”) (see para 21 above) be invoked.

At 15.40 on 21 June 2013 Mr Chris Bennett of the Defendant’s Investigations Executive wrote to Ms Lee, a legally qualified Chairman of the Code Compliance Panel (“the Panel”), notifying her of the Defendant’s concerns regarding the Claimants’ services and enquiring as to whether she was available to consider authorising use of the Emergency procedure. It appears that she was available, and at 16.14 on the same day, Mr Bennett sent to her and Mr Jessel and Ms Ribbans, two lay members of the Panel, a memorandum headed “Request for the use of the Emergency procedure in relation to two services”, outlining the reasons why the Executive considered the Claimants’ services should merit the use of the Emergency procedure. The “Ransomware monitoring report”, compiled by RMIT (“the Monitoring Report”), was sent to them separately.

The memorandum summarised the in-house monitoring (as recorded in the Monitoring Report) and under the heading “Complainant details” stated:

“In relation to the Level 2 provider called Ordanduu GmbH, PhonepayPlus has received 164 complaints in relation to the above, and other quiz competition services, between June 2012 and June 2013. The complainants have reported the following:

•

Messages received were unsolicited;

•

They were misled into entering the service and

•

They were unaware of any costs.

These complaints had formed a preliminary investigation that was referred to DCMS [Department for Culture, Media and Sport] to gain authorisation from the EU member state (Germany) so that PhonepayPlus could proceed with a regular Track 2 investigation. This was sent to them in October 2012 and PhonepayPlus has yet to receive confirmation we can proceed with the investigation. The service described above in this memorandum was discovered and monitored on 12 June 2013, and now prompts the Executive to seek authorisation to adjudicate against Ordanduu GmbH using the Emergency procedure. The subject of the Emergency procedure case against Ordanduu GmbH would therefore encompass both the earlier service that was referred initially to the DCMS in October 2012 (and has to date generated 164 complaints), and the more recent service that has been discovered by internal monitoring by the RMIE [emphasis added]. For the avoidance of doubt, this more recent second service has not generated complaints, but this is likely to [be] due to its use of Payforit as a payment platform. Payforit codes differ significantly from PRS landlines and shortcodes, as they currently cannot be searched using our number checker function.

In relation to the Optimus service, PhonepayPlus has no complaints logged; however as with the more recent service operated by Ordanduu (above) we believe this may be due to the service being Payforit and not utilising a shortcode which the earlier Ordanduu service did. Due to the misleading nature of entering the service, the Executive considers the service to be serious enough to merit an EP.”

The memorandum continues under the heading “Preliminary investigation – Findings”:

“The Executive concerns are:

2.3.2

(Misleading)

The Executive asserts that users are misled into entering into a premium rate service because affiliate marketers introduce malware to the consumer’s computer device which blocks their internet browser, and falsely informs them that the block is as a result of their attempt to download illegal material. Consumers are then falsely informed that in order to unblock their browser, they have to complete a survey which then enters them into a subscription service. After completing the survey, the browser remains blocked and the only option for consumers to regain full use of their computer is to visit a pc technician.

2.5.5

The Executive asserts that (i) the above ‘scareware’ tactic, whereby consumers are informed that their browser has been locked as a result of attempts to download pirated material, and (ii) the actual blocking of pc internet browsers, are likely to induce an unreasonable sense of ‘fear’, anxiety, distress, or offence. [Emphasis added by the Executive to highlight the Executive’s view that the service is most likely to induce an unreasonable sense of anxiety or distress]

Recommendation

The Executive recommends that, as a result of the above concerns, that these investigations continue under the Emergency procedure and seeks your authorisation to do so.”

The next day, Saturday 22 June, the Panel approved the use of the EP against the Claimants. The Claimants were informed of that decision on Monday 24 June 2013: (i) the letter to Ordanduu is headed “Re: Emergency Procedure for the subscription competition quiz service(s) ‘www.quiznow.co.uk’, ‘www.quizfever.co.uk’ and all other brand names of this service type that are operating on shortcodes 60700, 64546 and the PayForit platform and ALL other numbers on which these types of services operate”; (ii) the letter to Optimus is headed “Re: Emergency Procedure for the competition quiz service(s) ‘www.vid2win.co.uk’ and ‘www.quiz2win.co.uk’ operating on a PayForit platform and ALL other platforms on which these types of services operate”. In accordance with the Code the Defendant also directed the Claimants to suspend access to their subscription competition quiz services immediately. The accompanying letter referred to the Executive’s concerns in respect of Rules 2.3.2 and 2.5.5, and also 2.5.6 of the Code. In relation to Rule 2.5.6 the letter stated:

“The Executive notes that the service was promoted by the affiliate marketer through a malware device which informed consumers that their browser had been blocked as a result of attempts to download pirated material and therefore asserts that the service was promoted in an inappropriate way.”

On 25 June the Claimants gave notice that they wished to appeal the EP decision, enclosing “timelines for the whole period of interest, this includes actions to be taken for a limited service restart where all customers’ subscriptions affected by the rogue affiliates are deleted, as our client has sufficient data to break out those users that entered the service from affected channels/suspect affiliates”.

On 27 June 2013 there was the hearing of the review application before the Tribunal. Following the hearing later that day Ms Nicole Schmich, Managing Director of the Claimants, wrote to the Defendant: “Concerning the request made by the Panel to investigate further down the sub-partner chain and name the responsible partners, there needs to be more time for investigation”. On 28 June at 12.15, the Claimants informed the Defendant that eGENTIC:

“could finally manage to track down and receive approval to name the person who’s receiving the payments for traffic coming from the sub-publisher http://www.wifihackpassword.com/. Please find eGENTIC’s email attached. Please note, that the partners did only name him as the responsible person for the page and former domain holder – there’s of course no proof he implemented or programmed the malware Trojan himself.

To prevent any further harm, the publisher will be banned from all future collaborations with eGENTIC or any of their contracted partners in writing. Although eGENTIC has no contractual relationship to him in person, they will make their legal department contact him proactively. The affected partners or their sub-partners, in case having a contractual relationship to this person, have been called upon taking legal actions against him.

In the meantime, we managed to delete all affected users from our services…”

At 16.48 on 28 June the Claimants were informed that the Tribunal had determined that the EP was appropriate. The decision of the Tribunal is in the following terms:

“Following the instigation of the Emergency procedure [Ordanduu GmbH/Optimus GmbH] requested a review of the use of the procedure in accordance with paragraph 4.5.3(b)(ii) of the Code. The Tribunal considered [Ordanduu GmbH’s/Optimus GmbH’s] written and oral submissions in relation to the grounds on which it asserted that access to the service or numbers should no longer be prevented. The Tribunal was not satisfied that there was sufficient evidence to conclude there was no potential for future (or on-going) consumer harm and decided that the prevention of access to the service and numbers should continue pending completion of the normal Emergency procedure process.”

On 2 July the Defendant sent the Claimants letters setting out the allegations of breach of the Code.

On the same day M Law, on behalf of the Claimants, wrote to the Tribunal asking for a second time that the EP decision be lifted. The grounds upon which the Claimants relied were stated as follows:

“1.

The three potential breaches of the Code highlighted in the Preliminary Investigation were each a product of the unauthorised and possibly fraudulent activities of an Affiliate marketer.

2.

In response our client has agreed to suspend all Affiliate marketing (please see the precise detail of the steps our client has taken below).

3.

Therefore, with links to the Affiliates severed, there is plainly no possibility for ‘future (or ongoing) consumer harm’.”

On 5 July the Claimants were notified that the Tribunal had refused a further review because there was no automatic right to a second review under paragraph 4.5.3(a) of the Code and the letter in support of the application had contained “mere assertions without adequate supporting documentation” and could not be “considered as evidence”. On 9 July the Defendant informed the Claimants that “if your client is able to present the required evidence the Tribunal may consider exercising its discretion to allow a further review of the EP, and as part of that process consider whether or not it would be appropriate to grant limited or full reinstatement of access to [the Claimants’] service shortcodes”.

On 10 July the Claimants made a further application for review to the Tribunal. The letter from the Claimants’ legal advisers stated:

“Our client has informed the Tribunal that all such Affiliate activity has ceased… However, to date we understand that our client has not provided actual evidence of the cessation of such affiliate activity. We now provide this, in two forms:

1.

The Letter to eGentic, our client’s exclusive marketing partner, responsible for engaging the Affiliates. The letter clearly confirms that all Affiliate activity has ceased, and further is countersigned by eGentic.

2.

Extracts from our client’s database which clearly demonstrates that the Affiliate activity has ceased not only in theory (as evidenced by the above letter in point 1 above) but also in practice.”

Following consideration of this documentation by the Tribunal the Defendant on 12 July 2013 directed the relevant platform operators for the Claimants’ services, that is the Level 1 providers, to cease the suspension of the Claimants’ services, subject to certain conditions which the Claimants were able to satisfy by 15 July 2013.

On 25 July the substantive hearing took place before the Tribunal. The Claimants had provided additional written submissions in a document dated 23 July, and they attended the hearing and made informal representations.

On 5 August 2013 the decision of the Tribunal, in summary, was notified to the Claimants. It was published, with reasons, on 22 August 2013. The Tribunal found the Claimants to be in breach of Rules 2.3.1, 2.3.2 and 2.5.5. In summary the reasons given by the Tribunal for their findings were as follows:

Turning to sanctions, the Tribunal stated under the heading “Final Overall Assessment”:

“In determining the final overall assessment for the case, the Tribunal took into account the following aggravating factors:

•

The Level 2 provider failed to follow Guidance on Promotions and promotional material and Competitions and other games with prizes.

•

There have been a significant number (approximately 11) of prior adjudications concerning affiliate marketing.

•

The Level 2 provider benefited and/or would have potentially benefited from fraudulent marketing.

The Level 2 provider had no relevant breach history.

In determining the final overall assessment for the case, the Tribunal took into account the following mitigating factors:

•

The Level 2 provider stated that it had the following measures in place to identify and mitigate against the risks associated with affiliate marketing:

-

Contracts with the marketing partner with which it has a direct relationship. The contract contains a number of restrictions including penalty clauses for non-compliant behaviour.

-

Addendums to the contract with its marketing partner on an ongoing basis in light of Tribunal decisions.

-

Pre-approval of all marketing flows.

-

Some proactive monitoring conducted by eGentic employees… Monitoring was conducted on an ongoing basis …

-

24hr fraud detection alert system.

-

The Level 2 provider engaged with PhonepayPlus by proactively arranging meetings with PhonepayPlus and attending events.

-

Blocking and blacklisting of affiliates marketers and/or publishers who engaged in non-compliant behaviour.

The Tribunal noted the measures taken by the Level 2 provider to control and monitor the risks posed by the use of affiliate marketing but commented that more could still be done to seek out rogue sites in a pro-active manner…

…

… Having taken into account the aggravating and mitigating factors, the Tribunal concluded that the seriousness of the case should be regarded overall as very serious.”

The Tribunal

“noted that the circumstances of the case were unusual as it was the first time that ransomware had been detected to have been used in the promotion of premium rate services. It also noted that there were no complaints from consumers. Having regard to all the circumstances of the case, the Tribunal decided to impose the following sanctions:

•

a formal reprimand;

•

a warning that if the Level 2 provider fails to ensure that it has sufficient measures in place to prevent actual or potential consumer harm being caused by affiliate marketing in future it should expect to receive a significant penalty for any similar breach;

•

a fine of £25,000; and

•

a requirement that the Level 2 provider must refund all consumers who claim a refund, for the full amount spent by them on the Service, within 28 days of their claim, save where there is good cause to believe that such claims are not valid, and provide evidence to PhonepayPlus that such refunds have been made.”

On 20 September 2013 the Claimants’ request for a review of the Tribunal’s decisions was refused. On the issue of liability the Chairman stated: “A review is not a forum to enable unsuccessful arguments to be re-litigated before a different Tribunal”. On sanctions, he stated: “The applicant has not raised a sufficient case to establish that the decision of the Adjudication Tribunal on sanctions was not within its discretion or was sufficiently flawed or perverse to merit a review”.

On 4 October 2013 the Claimants applied for an oral hearing of the application for a review of the Tribunal’s decisions, but the Claimants have not pursued that application.

On 20 November 2013 the Claimants filed their claim for judicial review.

On 3 April 2014 Charles J granted permission to apply for judicial review observing that an oral hearing before the Tribunal is not an appropriate alternative remedy for providing ultimately what the Claimants are seeking in these proceedings.

The Defendant accepts that as the Claimants are established in Germany the Directive applies. Indeed, Mr Tim Ward QC, for the Defendant, asserts that the Defendant acted under the derogation in Article 3(5). However Mr Ward acknowledges that there is no evidence that the Panel or the Tribunal at any time had regard to the terms of the Directive. He contends that makes no difference and moreover the Commission was well aware of the approach taken by the Defendant. It appears that the Executive of the Defendant appreciated that the Directive applied and considered it at their internal meeting on 21 June 2013, but they made no reference to it or the terms of Article 3 in their communications with the Panel requesting authorisation to use the EP.

Ms Dinah Rose QC, for the Claimants, submits that the attention of the decision makers at no stage was drawn to the existence of the Directive or to the legal tests applying under it. The derogations from the country of origin principle are to be strictly construed and as exceptions to the general rule under the Directive they are exhaustive (see eDate Advertising GmbH v X [2012] 3 WLR 227, judgment of the Court at para 59; and Commission v Ireland [2011]ECR 1-140 at para 44). Further, Ms Rose submits that the burden of proving that a restriction serves one of the objectives laid down in Article 3(4) lies on the Defendant (see Article 3(4)(a)(ii)), and that “precise evidence” capable of establishing the potential infringement alleged is required (see Commission v Austria [2009] 2 CMLR 16 at para 36).

In circumstances where the Panel and the Tribunal took their decisions without having regard to the Directive, in particular to Article 3(4), Ms Rose submits that the decisions that were taken were unlawful unless the Defendant can satisfy the court that it is inevitable that the same decisions would have been taken if they had appreciated the legal framework in which they operated (see Jafri v Lincoln College, [2014] 3 WLR 933, per Laws LJ at para 21, and Underhill LJ at para 45). Ms Rose submits that even if the Panel had directed themselves correctly the conditions laid down in Article 3(4) were not satisfied.

There is no evidence from the decision makers in this case. In her witness statement Ms Prowse, as Acting Chief Executive Officer of the Defendant, expresses her own opinion as to why the conditions in Article 3(4) have been satisfied. Her evidence sheds no light on what the decision makers would have done if they had been properly informed of the limitations on their powers. Ms Rose submits that if the decision makers had directed their mind to the threshold tests they would have appreciated they were not satisfied and that the measures proposed and taken were not proportionate.

Ms Rose submits that none of the measures that the Defendant took against the Claimants between 24 June and mid-August 2013 can properly be said to have been necessary on the basis of “urgency”, particularly after the Claimants had taken action on 21 June 2013 to block the offending website.

Ms Rose criticises the written application that was made to the three members of the Panel for authorisation to use the EP in a number of respects. First, no reference should have been made to the previous 164 complaints. There was no basis for including them as part of the EP process for the reasons that the Commission observed (see para 98 below). I consider their inclusion was potentially misleading because it may have given the impression that in some way they were connected with the affiliate issue. I reject Mr Ward’s submission that the focus of the complaints was the ransomware promotion, and that was the only concern of the panel members. Ultimately in any event the Defendant accepted that those complaints could be satisfactorily addressed along the Track 1 procedure (see letter dated 9 September 2013 from Defendant to Claimants’ solicitors).

Second, when seeking authorisation the Defendant did not inform the Panel members that after nine days’ investigation there was only evidence of one rogue affiliate, Blue TrackMedia carrying the wifihack website, and no evidence that any customer of the Claimants had suffered harm or complained. The RMIT had been attempting to ascertain whether or not the ransomware promotion was an isolated occurrence, or whether ransomware was being used more widely to promote other PRS. Ms Prowse said that they were “trying to assess the scale of the potential consumer harm that existed from the use of ransomware”. However RMIT did not locate any other examples of ransomware between 12 and 21 June 2013. The decision of the Tribunal on sanctions confirms this; it refers to the unusual circumstances of the case, being one isolated incident.

Third, the memorandum omits to mention that on becoming aware, through their Level 1 providers, of the Defendant’s concerns the Claimants immediately arranged for the rogue website to be disconnected and the Defendant was informed by Ordanduu’s Level 1 provider that the site had been blocked within one hour of being told of the problem. On 16 December 2014 during the course of the hearing Mr Ward stated that he was instructed that Mr Bennett does not recall receiving the e-mail that the site had been blocked before Monday 24 June. Ms Rose observed that there was no evidence before the court to this effect, despite the fact that she had made the point during the course of the November hearings that the Defendant had been informed that the site had been blocked within one hour of being told of the problem.

Fourth, the Panel was not informed that no customers made any complaint. The Executive suggested this was likely to be due to the use of Payforit (see para 29 above). However the Defendant now accepts that is not correct.

Fifth, Mr Bennett in his e-mail to Ms Lee on 21 June 2013 enquiring as to her availability to authorise the EP described the procedure as giving the Executive “powers” to direct Level 1 providers to immediately suspend the service, withhold outstanding payments owed to the Level 2 provider, and halt consumer harm at the outset of an investigation. This statement incorrectly describes the procedure mechanism. In fact, the EP authorisation resulted automatically in the suspension of the whole of the Claimants’ business in the UK including the freezing of funds in relation to existing customers. The EP envisages, as Ms Rose contends, automatic suspension and automatic freezing of all revenues.

Shortly before 5pm on Friday, 21 June 2013 the Defendant sent an e-mail to the Claimants’ two Level 1 providers informing them of the proposed use of the EP and the fact that the Claimants were likely to be directed to suspend the service and the Level 1 providers directed to withhold revenue and ensure that the service is suspended. The Defendant did not contact the Claimants direct. The first indication the Claimants had of any problems was when the Level 1 providers forwarded to them the Defendant’s e-mail, by which time it was after 6pm in Germany. The Claimants nevertheless took immediate steps to block any traffic from the rogue website, the link was blocked within one hour (see para 55 above) and the Claimants commenced an investigation to ascertain whether any of their subscribers had been affected.

Ms Rose submits that fairness required that the Claimants should have been given advance notice and have had an opportunity to make representations before the EP was invoked. In support of this submission she relies on the speech of Lord Sumption in Bank Mellat v HM Treasury (No.2) [2014] AC 700 at 776. Ms Rose submits that the four reasons given by Lord Sumption (at para 32) for concluding that fairness in that case required that the bank should have had an opportunity to make representations before the direction was made are similarly fulfilled in the present case. First, the measures taken against the Claimants were targeted measures directed at two specific companies, which had, and which were intended to have, a serious effect on their business. Second, the directions took effect immediately. Third, there were no practical difficulties in the way of an effective consultation exercise. The Claimants, as the Defendant knew, were under the same ownership and management, and there were only two persons to be consulted. There was ample time to do that between 12 and 24 June 2013. The Defendant had every reason from the Claimants’ past behaviour to think that they would respond. Ms Rose asks why the Level 1 providers were told about the complaints and not the Claimants directly. Indeed, when they were informed of the Defendant’s actions indirectly on 21 June 2013 they acted immediately. Fourth, the formal directions given to the Claimants were based on specific factual allegations of a kind capable of being refuted, in particular as to the question of consumer harm, the safeguards and measures the Claimants had in place, and the necessity and appropriateness of the proposed suspension of the services.

A further point emphasised by Ms Rose in her oral submissions is the prejudice caused to the Claimants. The Defendant contends that there was no prejudice because the Claimants were able to apply promptly for a review. That, she submits, is no answer. On 25 June the decision to suspend was published. Reference to the 164 complaints was linked to the EP investigation into the malware allegations. The Claimants’ entire business in the UK was suspended. That led, they contend, to clear and irreparable financial damage and reputational harm. Plainly at its lowest the use of the EP was prejudicial to the Claimants.

Ms Prowse puts forward, Ms Rose submits, no good reason for not notifying the Claimants before suspending their business. Ms Rose submits that it was assumed that the Code applied in its entirety to non-UK companies whereas the Defendant was obliged to consider, by reference to Article 3(4) and (5) whether all aspects of the EP should apply in this case. Mr Ward contends that the suspension was required by the Code and it is important for it to be applied with consistency. That may be so in cases involving UK operators, but it is not a good reason to apply it in this way to non-UK operatives unless the conditions of Article 3(4) are satisfied.

Ms Rose submits the picture given to the Panel was incomplete and misleading (see paras 53-57 above). That is relevant, she submits, when considering Lord Sumption’s “good administration” observation at paragraph 32 in Mellat. The Executive failed to put the case to the Panel fairly when seeking authorisation for the EP. In response Mr Ward refers first to the status and terms of the Code. Section 121 of the 2003 Act provides that Ofcom are not to approve a code for the purposes of regulating PRS unless they are satisfied, inter alia, that the provisions are objectively justifiable, proportionate to what they are intended to achieve, and transparent. He makes the point that the Code is not challenged in these proceedings.

Further Mr Ward refers to Part 4 of the Code which contains procedural safeguards that protect the rights of the Claimants and others during the course of investigations and which includes an immediate right of review when the EP is used. Paragraph 4.5.3(b) requires an application for a review to be made in writing and to include any supporting evidence. Ms Rose criticises the right to a hearing after the event, especially when the burden of proof has shifted. Mr Ward does not accept that there was any reverse burden of proof. He submits it was perfectly proper for the Claimants in making an application to lift the interim order to have to establish their case. However the standard of proof required by the Tribunal was one of certainty, that “there was no potential for future (or on going) consumer harm” (see para 34 above). That was not, in my view, permitted by the Directive (see Article 3(4)).

Second, Mr Ward submits that Mellat was a very different case. He contends that the essential difference between the present case and Mellat is that here an interim measure was imposed with an immediate right of challenge, unlike in Mellat where there was a one-year freezing order only subject to judicial review. In those circumstances the Claimants had no entitlement to make representations before action was taken against them under the EP.

Mellat concerned a statutory instrument which prohibited all persons operating in the UK financial sector from continuing past business or entering into new business with Bank Mellat for a period of one year. HM Treasury had not consulted Bank Mellat before making the order at issue and laying it before Parliament. Lord Sumption noted that this measure “had and was intended to have, a serious effect on [the target’s] business, which might well be irreversible, at any rate for a considerable period of time” (at para 32). Such a measure would remain in effect “unless and until it is set aside by the Court” and such an application “was unlikely to be determined in less than three months and may take considerably longer even without allowing for appeals” (at para 37). By contrast, in the present case when initiating the EP, the Defendant took an interim measure to suspend the Claimants’ relevant services given the risk of consumer harm; rather than being a final decision, this was a temporary suspension. The initiation of the EP triggered a process whereby the Claimants were immediately entitled to request a review, and to have its application determined within two working days. The Claimants exercised those rights and in the end, the suspension lasted three weeks. Mr Ward submits that if the Claimants had been able to provide sufficient reassurance to the Defendant, then the suspension could have been lifted almost immediately.

Further, the Defendant relies upon the evidence of Ms Prowse that there are good reasons why the Code does not provide for any form of earlier “tipping off” of a provider in the course of an investigation (see para 146 of her witness statement). The Defendant needed to carry out its preliminary investigation to understand the scale of the problem and which players were involved, without prejudicing the effectiveness of its investigation.

I reject these submissions. The Defendant conducted an investigation over a nine day period, and on completion of the investigation produced a report which it sent to the Claimants’ Level 1 providers. No good reason has, in my view, been advanced by the Defendant as to why in those circumstances the report could not equally have been provided to the Claimants for their response, or at the very least the essence of the allegations put to them to give them an opportunity to make representations, before the Executive sought authorisation from the Panel to use the EP.

It is in my view no answer to say that the Claimants had opportunities to make representations once the EP had been invoked. By that time their business had been suspended and all their revenues withheld. Further, it is clear that thereafter the Panel proceeded on the basis that it was for the Claimants to satisfy them that no consumer harm had been caused or was likely to be caused. The fact that the Code does not provide for prior notification is also no answer if fairness required it.

I accept Ms Rose’s submission that seeking authorisation from the Panel is analogous to an ex parte application without notice which required candour in its presentation. There was an obligation on the Defendant to give full and frank disclosure, in particular where the interim measure was likely to have a serious effect on the Claimants’ business. In my view when seeking authorisation to use the EP fairness required that the Executive disclosed to the Panel all material facts, which it did not do (see paras 53-57 above).

Proportionality arises as a consideration under the Directive and also as a matter of domestic law (see ss.3 and 121 of the 2003 Act). The measures taken in the present case involved an interference with the Claimants’ EU law rights (free movement of services) and ECHR rights (Article 1, protocol 1). Accordingly, Ms Rose submits that a strict and structured test for proportionality applies. The relevant principles are set out in De Smith’s Judicial Review (7^th Ed., 2013 at paras 11-078—11-079). Where EU law is engaged domestic courts

“ask first whether the measure which is being challenged is suitable to attaining the identified ends (the test of suitability). Suitability here includes the notion of ‘rational connection’ between the means and ends. The next step asks whether the measure is necessary and whether a less restrictive or onerous method could have been adopted (the test of necessity, requiring minimum impairment of the right or interest in question). If the measure passes both tests the court may then go on to ask whether it attains a fair balance of means and ends. It is important to note here that the burden of justification in such cases falls on the public authority which has apparently infringed the rights of the claimant or offended a norm of European Union law.” (Para 11-078).

Ms Rose submits that the measures imposed on the Claimants were disproportionate for a number of reasons. First, they were not suitable for, or rationally connected to, securing the protection of consumers. The website in question did not pose a risk to any legitimate consumer, but only to those taking active steps to engage in the criminal offence of hacking into wifi networks; the Defendant has produced no evidence that consumers were harmed, or were at serious risk of harm, from the illegal website, let alone from the Claimants’ services; and by 24 June 2013 the Claimants had removed any link to their services from the offending website, and the Defendant had been informed that that was the case.

Second, the problem was not specific to the Claimants. Therefore no measures imposed on the Claimants could prevent internet users from accessing the wifihackpassword.com website and falling victim to the ransomware if they downloaded the hacking software (cf. Bank Mellat at para 27).

Third, at no stage of the process did the Defendant identify or consider any less restrictive measure that might attain the stated consumer protection objective being pursued. The Claimants contend there were a number of less restrictive approaches that the Defendant could have taken, including informing the Claimants, asking them to remove any link to their services, and investigating whether any consumers had in fact been affected, and reimbursing them. Further, to the extent that any suspension was necessary, the Defendant could have adopted a more targeted and time-limited suspension of activity, such as restricting particular affiliate advertising activity, restricting only the services that were affected, and/or capping the revenue withheld at a more reasonable level.

Fourth, the Defendant’s directions were not limited, as the Defendant appears to contend, to the services affected by the wifihackpassword.com site. The Claimants complain that the scope of the measures taken was not limited to the services affected by the wifihackpassword.com site, but included the suspension of a number of distinct services that were unaffected. Ordanduu has seven services in the UK, however only two services of the Claimants were linked to this rogue site. Ms Rose accepts that this point was not taken by the Claimants or their legal advisers at the time. Nevertheless there was, she submits, no justification for suspending services that were unaffected by the malware. There was no evidence that the other five services were affected by malware.

Mr Ward submits that at the time of the impugned decisions, neither the Defendant nor the Claimants knew how extensive the problems were in the Claimants’ affiliate network used to market their services. The Claimants made no submission to the Defendant at the time that there were material differences as to the nature of each of the services, or the way in which they were marketed. Further, during the procedure before the Tribunal the Claimants accepted that their affiliate marketer had breached the Code and acted illegally. The Claimants also accepted their responsibility for this. Indeed, Mr Ward observes that the Claimants do not seek to argue that any of the three findings of breach of the Code made by the Tribunal were wrong. In the circumstances the Defendant was entitled, Mr Ward submits, to treat the Claimants’ quiz services in a composite way.

However the Defendant only sought authorisation from the Panel to use the EP in respect of two services identified as www.vid2win.co.uk and www.quiz2win.co.uk in the case of Optimus, and www.quiznow.co.uk and www.quizfever.co.uk in the case of Ordanduu (see e-mail from Mr Bennett to Ms Lee dated 21 June 2013, and the memorandum sent to the Panel headed “Request for the use of the Emergency Procedure in relation to two services”). Accordingly the authorisation that was given by the Panel related only to those two services. Nevertheless the Defendant used the EP not only in respect of the two quiz services www.quiznow.co.uk and www.quizfever.co.uk, but also for “all other brands of this service type that are operating on shortcodes 60700, 64546 and the Payforit platform and ALL other numbers on which these type of services operate”. Article 3(4) of the Directive permits derogation “in respect of a given information society service” if certain conditions are fulfilled. The Claimants’ business in relation to current customers had no connection with unlawful affiliate marketing. That being so, in my view, it was a breach of the Directive to use the EP (which had not in any event been authorised by the Panel) in relation to that part of the Claimants’ UK business unaffected by the malware. The consequences of using the EP, resulting in the automatic suspension of the whole of the Claimants’ business in the UK made it particularly important that the terms of Article 3(4) be strictly observed.

Fifth, the Claimants had no prior history of regulatory failings; they were given to understand that the 164 complaints had been dropped; and they had safeguards in place which reflected guidance in a Compliance Update on Misleading Digital Marketing of Premium Rate Services which was issued by the Defendant on 16 February 2012.

Sixth, the measures did not strike a “fair balance” between the interests of the Claimants and the objectives sought to be achieved. It was inappropriate to close down two legitimate businesses and freeze all of their revenues in order to protect the interests of a group of persons seeking to engage in criminal activity, in particular in circumstances where there was no evidence that a legitimate consumer had been affected.

Mr Ward responds to the Claimants’ contention that the measures taken by the Defendant went beyond the least restrictive measures necessary to achieve the objective of protecting consumers by emphasising the objective nature of the proportionality test (see R (Sinclair Collis) v Secretary of State for Health [2012] QB 394 per Arden LJ at paras 164 and 167; and Mr Ward referred to a very similar approach adopted in R (SB) v Governors of Denbigh High School [2007] 1 AC 100, per Lord Bingham at paras 29-31). Mr Ward submits that as in Sinclair Collis, which concerned public health, so in the present case concerned with protection from consumer harm, the subject matter of the decision requires a broad margin of appreciation (see Sinclair Collis, per Laws LJ at para 23, and Lord Neuberger MR at paras 199-204).

Mr Ward submits that applying the proportionality test the Defendant should be awarded a substantial margin of discretion because of the subject matter of the decision. What is involved here, he submits, is an evaluation of what is required in the interests of the consumer. In essence, he contends, the present case concerns a difference of opinion as to the least restrictive alternatives to be adopted. A risk averse approach was adopted by the Defendant. Less intrusive alternatives would, the Defendant suggests, have led to a greater risk. Which approach is preferable is, Mr Ward submits, a matter for the regulator.

I accept Ms Rose’s submission that a wide margin of discretion is not appropriate in the present case for three reasons: (1) derogation from the Directive requires strict construction (see para 49 above); (2) the decision makers did not direct their mind to the correct legal test or proper basis on which their judgment should be exercised and in those circumstances the decision makers are not entitled to a broad deference to their judgment (see R (on the application of Lunt) v Liverpool City Council [2010] 1 CMLR 14, per Blake J at para 44 where observations were made in the context of a Wednesbury challenge but the underlying thrust of what was said has force in the present context); and (3) the decision makers, certainly the Panel, were not experts with expertise in relation to PRS or affiliate marketing and its perils (see Sinclair Collis, per Lord Neuberger at para 200 and Gibraltar Betting and Gaming Association Ltd v Secretary of State for Culture, Media and Sport [2014] EWHC 3236 (Admin), per Green J in particular at paras 106-109).

On the facts Mr Ward responds to the Claimants’ contention that the measures taken were disproportionate as follows: first, the Defendant does not accept that none of the measures taken after 21 June 2013 were necessary because the Claimants had blocked their affiliate marketer’s website on that date. Until 10 July 2013 the Claimants failed to provide evidence that their affiliate marketing had ceased. On 28 June 2013 the Claimants informed the Defendant that they had also identified problems with two other marketing partners in eGENTIC’s advertising network, leading to the deletion of affected customers from the Claimant’s database. Mr Ward submits that neither the Defendant nor the Claimants knew if the problem identified was the only problem in the network. The RMIT can only track a minute part of the traffic. What happened was clearly unauthorised by the Claimants, but Mr Ward suggests that the Claimants had lost control of the use of affiliate marketing on their behalf. The measures taken by the Defendant were, he submits, proportionate because the steps taken eliminated consumer harm where there was great uncertainty.

Second, the less restrictive steps which the Claimants now advocate, Mr Ward submits, would not have ensured that consumers would be fully protected immediately. The EP provided for a fair process under which the Claimants could address the risk of consumer harm and then resume both the quizzes and their affiliate marketing. The Defendant considered a series of review applications and lifted the suspension as soon as it had sufficient evidence that the Claimants could operate their quiz services without risk to consumers. The suspension was time limited, in that it lasted on an interim basis just three weeks until the Claimants satisfied the Defendant that they had addressed the risk of harm to consumers. Affiliate marketing is an inherent risk in the system, as in Mellat, but Mr Ward contends that the Claimants were singled out because their system had thrown up in this case actually what went wrong.

Third, in response to the Claimants’ contention that the measures failed to strike a fair balance Mr Ward makes three points: (i) the Defendant was not obliged to disregard the risk of consumer harm purely because the hacking of a wifi network may itself give rise to criminal offence; (ii) it is not accepted there was no evidence of consumer harm. There was in any event a risk of serious and grave consumer harm, as a result of the ransomware promotion; and (iii) having chosen to use affiliate marketing, they were responsible for the consequences.

Mr Ward submits that the measures were taken because the manner in which the Claimants’ services were marketed gave rise to harm to consumers, or at least the risk of such harm. As a result, the Claimants’ services “prejudiced” the objective of consumer protection, or at the least presented a “serious and grave risk of prejudice to those objectives”.

Mr Ward emphasises that the legality of the Defendant’s actions must be assessed on the basis of the facts before the Defendant at the time. In the course of the procedure challenged, the Claimants admitted that the operator of the website “signed up as an affiliate publisher with an affiliate network someway down the chain from eGENTIC” (Ms Schmich’s witness statement at para 25). Before the Tribunal the Claimants accepted that the website was operated by a sub-affiliate. Further, whilst the Claimants now contend that the ransomware promotion did not cause consumer harm, the Claimants informed the Defendant by e-mail dated 28 June 2013 that “we managed to delete all affected users from our services”.

The Defendant does not accept the Claimants’ argument that the wifihackpassword website did not pose a risk to any “legitimate consumer”. The possible motivation of visitors to wifi networks is speculative and irrelevant. The Defendant’s function is to enable consumers to use premium rate services with confidence. What happened in this case raises concerns as to the Claimants’ degree of control over their affiliate networks more generally. In this regard Mr Ward relies upon the evidence of Ms Schmich who noted that the Claimants deleted subscribers from their database on a “precautionary basis” because of the ransomware problem (see para 46 of her witness statement) which, he suggests, clearly reflects recognition of the risks to consumers.

Ms Rose submits that despite nine days of investigation the Defendant’s monitoring unit produced no evidence of actual harm to consumers (see Claimants’ response to the Defendant’s “Note on Consumer Harm”). Further the Defendant has not put forward sufficient evidence to demonstrate the existence of a “serious and grave” risk to the average, reasonably well-informed and circumspect consumer (Mars [1995] ECR 1-1923) from the illegal software download on wifihackpassword.com. Within one hour of the Defendant giving notice to the Level 1 provider of the concern, the offending website was blocked, and thereafter consumers were not at serious risk of harm from the illegal website or from the Claimants’ services. Certainly there is no evidence of the contrary. Ms Rose submits that in reality the only persons at risk of harm from that website were those taking active steps to engage in the criminal offence of hacking into wifi networks. In order to reach the unauthorised link to the Claimants’ services a person had to go through a number of steps which involve undertaking a risk that the average, reasonably well-informed consumer who falls to be protected under EU law is unlikely to undertake. It is, Ms Rose suggests, unsurprising that the Defendant received no complaints from any consumer in relation to this issue. Ms Rose submits that the burden of proof was on the Defendant and that at no stage did the Defendant properly analyse or consider the extent of any risk to consumers.

As Ms Rose observes there is no finding by the Tribunal to the effect that at any stage the Claimants had lost control of their affiliate network. She further makes the point that there was no finding by the Tribunal as to whether or not there was actual harm and there was no evaluation by the Tribunal as to whether there was any serious risk of harm (see paras 41 and 42 above). The Tribunal noted that there were no complaints from consumers (see para 43 above).

Having considered all the evidence and the written and oral submissions of the parties, I am not satisfied that there is “precise evidence” of actual harm to any consumer. I accept that the Tribunal implicitly found that there was potential consumer harm. However there was no risk of potential harm from the services unaffected by the malware affiliate, and in relation to the two services affected the burden was on the Defendant to analyse and show that there was a risk of potential harm, which in my view they did not do.

The fourth point made by Mr Ward on the facts is that the Claimants requested and were ultimately granted a further review of the interim measures which led to the third decision on 12 July 2013. By that decision the Tribunal allowed the Claimants, subject to certain conditions, to re-start services without the use of affiliate marketing. The Claimants complain that this was a decision that the Defendant could have made on 27 June as at that time they made clear that they were only seeking to use services without affiliate marketing. Moreover there was no justification for continuing the freeze on the Claimants’ revenues.

In my view the measures taken by the Defendant were disproportionate. I do not accept that they were necessary; in particular I consider that a less restrictive method could have been adopted (see para 73 above). Further I am not satisfied that the Defendant has discharged the burden of establishing that the measures attained a fair balance of means and ends. In circumstances where a nine day investigation had shown that there was an isolated rogue affiliate and having regard to the Claimants’ previous conduct, there was in my view no necessity to adopt the EP without first having given the Claimants an opportunity to make representations. The fact is the Claimants immediately arranged for the rogue website to be disconnected within one hour of their being informed of the problem. A fair balance between the interests of the Claimants and the protection of consumers was not struck in this case. In my view it was not appropriate to suspend the whole of the Claimants’ business in the UK and freeze their revenues in circumstances where there was no evidence of actual harm to any consumer, the malware did not affect the Claimants’ existing customers, and the services affected by the malware were suspended (and the Defendant had been informed of this by Ordanduu before the Panel authorised the use of the EP). Thereafter the Tribunal in reviewing the decisions taken wrongly placed the burden of proof on the Claimants to establish that there was no risk of harm to consumers.

Mr Ward submits that this court should have regard to the fact that the Commission has confirmed that the conditions for invoking Article 3(5) have been fulfilled. On 3 July 2013 the Defendant informed DCMS, the competent UK authority, of the measures taken against the Claimants, and on 4 July Mr Alford of DCMS notified the measures as required by the Directive to both the European Commission and the German authorities. No response has been received from the German authorities, but, after several reminders, Mr Wein of the Commission responded on 6 May 2014 as follows:

“Based on Sophie’s input we can confirm that the conditions for invoking Article 3(5) ECD have been fulfilled and that the described measures taken (suspension concerning only services connected to the potential threat without restricting the operation of other services until sufficient evidence has been provided that the potential threat has been removed) appear to fulfil the requirements of Article 3(4)(a) ECD.”

Mr Ward suggests an additional reason why the Commission’s confirmation that the conditions for invoking Article 3(5) were fulfilled should be accepted is because by the time that confirmation was given, the Commission had received a letter from Hamlins, the Claimants’ solicitors, dated 13 March 2014, setting out the Claimants’ case in full (see in particular paras 12, 13, 15, 16-19), and had had an opportunity to consider the core arguments advanced by the Claimants. Although the letter was addressed to Mr Sparas, Mr Ward invites me to infer that it was seen by Mr Wein before he gave his confirmation (which was copied to Mr Sparas). Mr Ward contends by reference to the Monitoring Report, a copy of which was sent to the Commission, that the Commission was aware that the 164 complaints related to non-malware, and that the Commission knew at the critical date that only two of the Claimants’ services were involved although the action taken was broader. In addition having read Hamlin’s letter the Commission knew, inter alia, that the Defendant had applied the Code, that nine days had passed before the EP was invoked, the legal test applied by the Defendant in refusing the Claimants’ first application for a review, and that the Defendant placed the burden on the Claimants to vary the interim measures.

In support of his submission that this court should adopt the views of the Commission Mr Ward relies on the decision in R (on the application of Bancoult) v Secretary of State for Foreign and Commonwealth Affairs [2014] EWCA Civ 708 at paras 155-157, per Lord Dyson MR.

Ms Rose submits that the response from the Commission of 6 May 2014 does not assist the Defendant’s case. As it makes clear, the Commission’s view is based on what it was told by the Defendant. Mr Alford had forwarded to the Commission the Defendant’s Notices of Derogation dated 3 July 2013 (which in respect of each Claimant was in identical terms). The Notices stated:

“PhonepayPlus concluded that pursuant to Article 3(4) of the E-Commerce Directive urgent action had to be taken against the provider to stop serious consumer harm occurring as identified below:

(1)

Monitoring conducted by PhonepayPlus showed that the Provider’s service was promoted by an affiliate marketer (‘affiliate’) who appeared to use a form of malware to lock consumers’ internet browsers and, under the pretext of unlocking their browsers, force them to interact with online offers which took them to the landing pages of the provider’s ‘quiz competition’ subscription services.

(2)

PhonepayPlus has received 164 complaints from members of the public who reported that they (i) had been misled into entering into the service(s), (ii) were confused as to why the premium rate charges appeared on their mobile phone bill, and (iii) had not seen any pricing information.”

On 7 April 2014 Mr Wein wrote to Mr Alford:

“The conditions for invoking Article 3(5) could have been fulfilled in view of the perceived risk for consumers particularly regarding the used malware identified via monitoring on 12 June 2013. However, it appears that the 164 complaints received from members of the public over a longer duration (since June 2012) refer at least partially also to non-malware related affiliate marketing promotions already partially covered by an investigation carried out in 2012. For these complaints the urgency procedure does not seem to be justified.

The sanctions imposed by a PhonepayPlus Tribunal on 25 July 2013 appear to have been proportionate. However the concerned companies have been prevented from providing any services from 24 June to 15 July 2013 and service restrictions remained in place until mid-August 2013 despite the fact that the used malware threat allegedly had already been removed by 21 June 2013. It is unclear whether these measures under the given circumstances have been proportionate.

In order to finalise the assessment it would be useful to obtain the report from the investigation carried out in 2012 and some additional information on when the 164 complaints have been received and whether they concerned malware related and/or non-malware related affiliate marketing.”

On 8 April 2014 Ms Sophie Dyer, the Defendant’s in-house counsel, gave her response. She stated:

“The complaints

PhonepayPlus fully accepts that the complaints were a subsidiary matter and did not require urgent action. The Emergency procedure (EP) was used only in relation to our concerns regarding the discovery of the use of content locking malware (the malware). The complaints were only added in order to provide the full background to the investigation as they concerned the same service.

…

We note the Commission’s request for further information relating to the complaints. As it appears to us that the complaints are not relevant to the urgent action that was taken, we have not provided the complaint data with this e-mail. However, if the Commission requires the complaint data after consideration of this e-mail we are happy to provide it.

Restrictions on the service

…

1.

Restrictions between 24 June and 15 July

As you are aware, three members of the Code Compliance Panel independently agreed that the use of the EP was appropriate on Saturday 22 June. This was communicated to Ordanduu and Opitmus on Monday 24 June and the respective services were suspended on this date. The suspension only applied to the services connected to the malware and there were no restrictions on Ordanduu’s and Optimus’ ability to operate other services.

…

2.

Restrictions between 15 July and publication of the decisions

The only restrictions in place between 15 July and publication of the Tribunal’s decisions on 22 August related to the use of affiliate marketing to promote the specific services subject to the EP. For clarity, there were no restrictions on the operation of any of Ordanduu and/or Optimus’ services or their use of non-affiliate marketing promotions.”

Ms Rose submits that this e-mail of 8 April which Ms Dyer describes as a “clarification” contains a number of misrepresentations. First, the statement that “The Emergency Procedure (EP) was used only in relation to [the Defendant’s] concerns regarding the discovery of the use of content locking malware (the malware). The complaints were only added in order to provide the full background to the investigation as they concerned the same service” is not true. There is no doubt that the EP was being used to investigate the 164 complaints (see para 29 above). The Defendant did not tell the Commission they had nothing to do with malware. Second, the Defendant did not inform the Commission that they had already been told that the link to the rogue website had been blocked before the EP was used. Third, the statement that “The suspension only applied to the services connected to the malware and there was no restrictions on Ordanduu and Optimus’ ability to operate other services” was false. It is undisputed that only two of the services were connected to the malware. Fourth, the statement that “The only restrictions in place between 15 July and publication of the Tribunal’s decisions on 22 August related to the use of affiliate marketing to promote the specific services subject to the EP. For clarity, there were no restrictions on the operation of any of Ordanduu and/or Optimus’ services or their use of non-affiliate marketing promotions” was untrue. Not only were specific services blocked, but there was a very significant restriction on the Claimants’ services generally, which remained frozen so they could not recover any revenues from their UK operations.

Further Ms Rose submits whether Mr Wein had read Hamlin’s letter of 13 March 2014 or not, he made it clear that the confirmation the Commission was giving was “Based on Sophie’s input”.

I accept Ms Rose’s submission that in the circumstances no reliance can be placed by the Defendant on the approval of their actions by the Commission.

In my judgment, for the reasons I have given, the actions of the Defendant were unlawful. They did not comply with Article 3 of the Directive, in particular because the measures were disproportionate in that they went beyond the least restrictive means necessary to achieve the objective of protecting customers. In addition the process was unfair in the respects identified in this judgment.

The only issue in respect of relief on which I heard oral submissions from the parties related to the Claimants’ claim for damages in EU law.

In support of her submissions that the Claimants are entitled to damages in EU law Ms Rose referred me to the legal principles set out in Byrne v Motor Insurers [2008] 3 WLR 1421 and the recent authority of Recall Support Services Ltd v Secretary of State for Culture, Media and Sport [2014] EWCA Civ 1370. In Byrne at para 32 Carnwath LJ stated:

“It is clear from the case law of the court … that three conditions must be satisfied for a member state to be required to make reparation for loss and damage caused to individuals as a result of breaches of Community law for which the State can be held responsible. (i) The rule of law infringed must have been intended to confer rights on individuals; (ii) the breach must be sufficiently serious; and (iii) there must be a direct causal link between the breach of the obligation resting on the state and the loss or damage sustained by the injured parties.”

Ms Rose submits that condition (i) is clearly met in the present case as Article 56 TFEU is directly effective and confers on individuals rights which are enforceable and which the national courts must protect (Laval v Byggnads [2008] 2 CMLR 9). As for condition (iii), Mr Rose submits that there is a clear causal link between the Defendant’s actions and the losses the Claimants have suffered. However she accepts that this is an issue which is best remitted to the Queen’s Bench Division for determination. At the very least it is plain from the evidence of Ms Schmich that the Claimants have suffered some loss. Mr Ward indicated that the Defendant is prepared to proceed for present purposes on the basis that breach of Article 3 of the Directive may confer rights on individuals. He reserved the Defendant’s position as to whether any breach of the Directive as the court may find has a direct causal link to any alleged damage suffered by the Claimants.

The real issue before me related to condition (ii). In Recall at paragraph 78 Richards LJ addressed the question of sufficiently serious breach. The “multi-factorial” test was summarised by Maurice Kay LJ in R (Negassi) v Secretary of State for the Home Department [2013] EWCA Civ 151 in the following terms:

“14.

… potential factors [are]: (1) the importance of the principle which has been breached; (2) the clarity and precision of the rule breached; (3) the degree of excusability of an error of law; (4) the existence of any relevant judgment on the point; (5) whether the infringer was acting intentionally or involuntarily or whether there was a deliberate intention to infringe as opposed to an inadvertent breach; (6) the behaviour of the infringer after it has become evident that an infringement has occurred; (7) the persons affected by the breach or whether there has been a complete failure to take account of the specific situation of a defined economic group; (8) the position taken by one of the Community institutions in the matter.”

Ms Rose submits that by applying the Code to two German companies as if they were UK businesses, and by imposing disproportionate restrictions the Defendant’s conduct involved a manifest and grave disregard of the Directive with serious financial consequences for the Claimants. Further, the Defendant misled the Commission on matters of concern to it.

Mr Ward did not accept that even if the Claimants succeeded with their claim the Defendant’s actions would amount to a manifest and grave disregard of the Directive. The first six factors listed in Recall pointed, he submitted, in the Defendant’s favour; the seventh had no application; and as for the eighth, the Commission had approved the Defendant’s actions. Mr Ward did not accept that the Defendant had misled the Commission.

In my judgment the Claimants have satisfied condition (ii): the breach in the present case is, in my view, sufficiently serious. The Defendant’s Executive were aware of the Directive but did not inform the Panel or the Tribunal of its existence and relevance, as a result of which the Claimants were treated as if they were UK businesses subject to the Code alone; disproportionate restrictions were imposed, and the views expressed by the Commission do not assist the Defendant as they were based on what they were told by the Defendant which contained material inaccuracies and omissions.

Accordingly I direct that this claim be transferred to the Queen’s Bench Division for issues of causation and quantification of damages to be determined. The parties should endeavour to agree an order. I will give further directions in relation to relief and ancillary matters, if requested to do so.