Digital Growth Experts Ltd v Information Commissioner

The Appellant (“Digital Growth Experts Limited / DGE”) appeals against the

Having applied the law to the facts of this case I have decided that the MPN was in accordance with the law. I do not consider that the Information Commissioner ought to have exercised her discretion differently.

I find that DGE contravened regulations 22 and 23 of PECR, this much was not in issue albeit the scale of the contravention was disputed, and that the Information Commissioner was correct to issue the MPN. I find that the penalty imposed was fair just and proportionate in all the circumstances.

The Appellant company requested an oral hearing. This was conducted by remote video hearing. I heard the appeal alone under the composition statement in force at the time. No communication issues were brought to my attention that adversely affected the parties’ abilities to participate in the hearing which began at 10.09 and ended at 12.26 including a short break. I apologise to the parties for the time it has taken to promulgate this decision.

I was provided with an electronic bundle of documents with 656 pages including index. Both parties made submissions which echoed and amplified those previously committed to writing. I have considered all of the material and all of the submissions even if I do not refer to each document or submission. This decision focusses on my findings on the core issues in the case as I find them to be.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 implement EU Directive 002/58/EC (known as the ePrivacy Directive) which was designed to protect the privacy of the users of electronic communications.

Regulation 22 of PECR sets out the circumstances in which it is permitted to send electronic mail for direct marketing purposes. Insofar as these are relevant to this Appeal, they are as follows

Regulation 23 of PECR states that:

Since the implementation of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419), the definition of consent has been amended in Regulation 2 PECR 2003 to refer to the General Data Protection Regulations (“GDPR”). Regulation 2 PECR reads as material:

Article 4(11) GDPR states that:

The Commissioner has published guidance on the use of direct marketing. This guidance sets out in paragraph 58 that, in order “[t]o be valid, consent must be knowingly and freely given, clear and specific. Organisations should keep clear records of what an individual has consented to, and when and how this consent was obtained, so that they can demonstrate compliance in the event of a complaint.”

Section 55A of the Data Protection Act 1998 (as amended by Reg. 31 and Para 8AA of Sch. 1 to PECR, for cases relating to a contravention of PECR) (“DPA98”), provides:

Section 55A(5) DPA98 provides that the amount of the monetary penalty notice must not exceed a prescribed amount, which was set at £500,000 by the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010.

Section 55B DPA98 requires the Commissioner to serve a Notice of Intent before issuing a monetary penalty notice and provides for procedural rights.

The provisions of the DPA98 remain in force for the purposes of PECR notwithstanding the introduction of the Data Protection Act 2018 (see paragraph 58(1) of Part 9, Schedule 20 of that Act).

The Commissioner’s power to serve monetary penalty notices was considered by a three member panel of the Upper Tribunal in Leave.EU Group and Eldon Insurance Services v Information Commissioner [2021] UKUT 26 (AAC). In that case, the Upper Tribunal noted in paragraph 70 that Article 15a(1) of the ePrivacy Directive requires penalties to be “effective, proportionate and dissuasive”. The Upper Tribunal endorsed the observations of the First-tier Tribunal that the Commissioner’s Regulatory Action Policy “sets out principles of good practice which we would expect the ICO to follow in all cases” but “is not a straight-jacket”, see paragraphs 94 and 96.

The Information Commissioner’s Regulatory Action Policy (“RAP”) was published in November 2018 and sets out the Commissioner’s objectives when taking regulatory action, including under PECR. Objective 2 of the RAP is:

The Commissioner has also issued statutory guidance about the issue of monetary penalties, as required under Section 55C of the Data Protection Act 1998. This also sets out factors to be taken into account when determining the amount of the monetary penalty (page 23). At page 25, the guidance states that the Commissioner will take into account proof of genuine financial hardship: “The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible person”.

A person served with a monetary penalty notice has a right of appeal to the First-tier Tribunal. As the Upper Tribunal noted in Leave.EU: “it is axiomatic this is a full merits review type of appeal” [paragraph 23]. The Tribunal stands in the shoes of the Commissioner and may review any determination of fact on which the notice was based.

The Upper Tribunal observed in Leave.EU paragraph 108, that:

DGE is a company which was incorporated on 20 December 2019, originally under the name of ‘Motorhome Brokers Limited’. The name of the company was changed to its present form on 12 February 2020. There were no accounts filed at Companies House at the time of the investigation.

DGE came to the attention of the Commissioner following a number of complaints being received via the 7726 reporting tool. Phone users can report the receipt of unsolicited marketing text messages to the GSMA’s (Footnote: ¹) Spam Reporting Service by forwarding the message to 7726. Those numbers spelling out “SPAM” on the telephone keypad.

The Commissioner is provided with access to the data on complaints made to the 7726 service and this data is incorporated into a Monthly Threat Assessment used to ascertain organisations that may be in breach of PECR.

The complaints related to DGE were about messages received that promoted a ‘[product]’ brand hand sanitising product, which the messages specifically claimed was “effective against coronavirus”. Sold via a website which was set up by DGE to market ‘[product]’ brand products. The complaints originated from two complainants but concerned more than one instance of receiving a text message; 5 in total.

To establish the precise volumes of the messages sent by DGE, a third party information notice was sent by the Information Commissioner to the company responsible for running the platform through which DGE had sent its messages. The response stated that between 29 February 2020 and 30 April 2020 there had been 17,241 text messages sent by DGE. Of these, 16,190 text messages had been delivered to subscribers. That is a delivery rate of 93.9%.

Examples of the body of the various texts sent were as follows

This decision is not about the efficacy of the product, in relation to which I make no findings, and nothing in this decision should be taken to suggest otherwise.

DGE did not provide evidence of consent to the Information Commissioner for any of the messages delivered to subscribers over the relevant period of 29 February 2020 to 30 April 2020. Consent was not relied upon by the company during the investigation and DGE does not assert as part of this appeal that consent was given.

Any company conducting direct marketing by text message should take appropriate and necessary organisational steps to comply with PECR. Furthermore, the guidance issued by the ICO is easily accessible and clear that companies must not send or instigate the sending of unsolicited direct marketing SMS messages to any individual unless they have prior consent which must be fully informed, specific, and freely given. No such consent existed in this case.

The name of the appellant company does not feature in the text messages sent which adopt the style of the product name. This is contrary to the requirement of regulation 23 PECR.

Between 29 February 2020 and 30 April 2020 there were 16,190 direct marketing text messages received by subscribers transmitted by DGE contrary to regulation 22 of PECR. A total of 17,241 text messages being sent over that time. Those messages also contravened the requirement to name the sender and the majority did not include an address to which the recipient of the communication might send a request that such communications cease if they did not want to get such message again.

DGE accepts in its notice of appeal that it “unintentionally and negligently breached PECR”. DGE negligently believed that they could send the messages to people who had responded to a Facebook advertisement offering a voucher to use for a discount on [product] hand sanitizer. The issue of consent was not considered further by DGE.

Not only was the Facebook data subjects’ personal data used but also that of data subjects who had previously provided details to an eBay account operated by the director of DGE from which mobile phone numbers were later harvested.

The Information Commissioner had begun the investigation by writing to DGE on 16 April 2020 outlining the concerns and drawing attention to their guidance, range of powers and possible penalties for breach of PECR.

In their initial response dated 27 April 2020 DGE suggested the two complainants had either deleted or not received their initial text which had provided an option to unsubscribe. DGE said if a person unsubscribed their name would be added to a suppression list which prevented further messages being sent to them but DGE were unable to confirm whether the two complainants had exercised, or had even been offered, a chance to unsubscribe.

The body of the messages sent, as listed in the complaints and by the appellant company, demonstrate that not all messages provide the option to unsubscribe; the majority did not include that option. DGE does not dispute this. The requirement to do so was not understood by DGE at the material time, as accepted in their email of 4/5/20.

If a data subject clicked on the marketing link in the text message sent to them, DGE accepts they would receive up to nine follow up messages.

In their initial response of 27/4/20 DGE suggested that the volume of text messages sent from 12/2/20 to 16/4/20 was 1076. Later it was suggested that 2409 initial texts were sent to the numbers from the eBay list then sent a further text to 866 individuals who had clicked the link but this is not consistent with the information provided to the Information Commissioner as a result of the third party notice nor is it consistent with a pattern of people opting out. DGE was asked for clarification by the Information Commissioner but did not supply the requested information.

When the Information Commissioner asked DGE for the bodies of messages sent, on the 27 April 2020 DGE identified only 6 sorts of messages but by this stage, they had sent 18 types of different messages.

Subsequently a further two messages were identified by the company when asked by the Information Commissioner, but these responses from DGE and the estimates of numbers of texts sent that they gave fall short of the amount of actual distinct messages sent as revealed by the third party information.

DGE suggest that the company had been provided with inaccurate information about the marketing exercise by the service engaged to carry it out, hence it gave inaccurate figures to the Information Commissioner. However, it is of note that DGE produced screen shots that appear to relate to a different company, the name of which is given in figures 1, 3, 4 [pages D569 – 71] in the top right of the report screen under the director’s name. In any event, even if the screen shots relate to this company it was incumbent upon them to ensure the statutory requirements were understood and how and in what volume direct marketing was being carried out by their contractor.

I conclude that the omissions in information provided, the inconsistencies and lack of clarity in the responses from the appellant company demonstrate obfuscation by DGE in its response to the ICO investigation.

The company did cease to use direct marketing by text at the end of the material period (30 April 2020). Thus although an enforcement notice was issued, along with the MPN, it is not the subject of appeal.

The company has one director and one employee, Mr Hughes. He is occasionally helped by his wife. As part of the investigation the Information Commissioner conducted a detailed review of the company’s financial position which must be distinguished from that of the its director/employee as they are different legal personalities. Thus the issue of his personal financial position or liabilities to other companies is not relevant in an assessment of the means of the company. I note from the P60 provided that Mr Hughes was also employed by another company in the tax year ending 5/4/2020

Draft unaudited accounts were provided by DGE for the six month period to end June 2020. This shows a gross profit for that period of £12,849 and an operating profit of £309. It is stated that the company owes £11,406 to its director.

DGE had entered into an agency agreement with the products’ manufacturer and had bought in stock to sell to consumers in the sum of £10,000 at set up. Net Profit was said to be £1.21 per unit on a sales price of £14.99; by my calculation that is a profit of 8%.

Bank statements were produced by DGE for two bank accounts in the company name showing cash balances of £2,204.21, on 9/7/20 in account ending 030 and £5.96 on 23/7/20 account ending 946. These statements, for the second account (946) covering the period from December 2019 to end July 2020, also reveal payments to the director, repayment of loans to the director and intercompany loans made in the period after the service of the MPN.

The grounds of appeal dated 19 October 2020 sought a “dismissal or significant reduction” of the monetary penalty. The grounds of appeal were helpfully summarised by the respondent as follows

The Information Commissioner resists the appeal for the reasons set out in the response which maintains the reasoning set out in the MPN.

This appeal is by way of full merits review. That means that defects in the process undertaken by the Information Commissioner are superseded by this decision. Furthermore, the appellant’s primary complaint about the process has been that little if any weight was placed on the representations made by the company and particularly those made in response to the notice of intention however, it is clear to me that the Information Commissioner took account of the representations made and placed significant weight upon them, reducing the penalty to £60,000 from the intended penalty of £120,000 as a result.

Having applied the law to the facts as I have found them to be I conclude as follows.

Ground 1: DGE’s methods, of sending unlawful direct marketing texts to individuals for whom it could not evidence consent, at a time of a public health emergency, was an attempt to make a profit however minimal that profit might be. In describing this as profiteering this is a description of the company taking an opportunity to sell their product. That is what companies do and that is not criticised of itself. The company’s decision to pursue the business idea by way of direct marketing messages in breach of PECR is the subject of the MPN.

DGE did not take reasonable measures to prevent the contraventions and did not take steps to properly acquaint itself with the requirements of the regulations. The company did not obtain advice on direct marketing and characterises the contraventions as a result of what is described as “naïve enthusiasm” by the director to share “news” of the product or to educate and inform the public about it. I do not accept that characterisation; this was a business set up to sell sanitizing products at the time of the covid-19 pandemic. The company was entitled to do so and it is not suggested that the marketing in issue in this case targeted at particularly vulnerable or at risk persons. However, the messages were sent in the context of a health crisis where the whole nation was concerned about the spread of a virus. The purpose of the messages was to market a product and the company intended to make a profit from those sales. Thus their actions are correctly to be described as “profiteering” and neither the decision to issue the MPN nor the amount of the penalty is vitiated by the use of that word which should be given its ordinary and natural meaning.

Ground 2: the Information Commissioner was justified in classifying the five complaints made to the 7726 reporting tool as such, and that DGE’s submission that there were just two complainants, whilst true for the period in question, is irrelevant. The 2 complaints via the reporting tool were the mechanism by which these matters came to the attention of the Information Commissioner.

Furthermore, whilst the reporting of complaints may have led to the initial investigation, the basis of the contravention is 16,190 direct marketing text messages that were sent without valid consent, which DGE does not deny sending.

The volume of complaints is not the sole marker of gravity of a contravention which must be seen in all the circumstances.

Ground 3: As I have set out above, I have concluded that the Information Commissioner took account of DGE’s representations, both financial and otherwise, made in response to the notice of intent as demonstrated, inter alia by the reduction in the potential penalty.

Ground 4: There is no requirement when considering the imposition of a Monetary Penalty Notice, that the breach be a repeat breach, or ‘second offence’. The scale of the breach cannot be classified as ‘de minimis’ as described by the appellant. DGE admits to sending in excess of 16,000 unsolicited text messages over a two month period. The Information Commissioner was entitled to exercise her discretion in the circumstances of this case to impose a monetary penalty.

One of the purposes of a MPN is its deterrent effect. The Information Commissioner is the regulator and has a duty to consider the appropriate action to take in response to all breaches, this tribunal now stands in her shoes. There can be no blanket rule that “first” breaches should not be marked by regulatory action as to do so would amount to a charter to contravene the regulations and would encourage “phoenix” companies to be set up by those who would know that there will be no sanction for “first breaches” by a legal entity.

Ground 5: There is no requirement for deliberate acts to be shown. For the purposes of section 55A DPA98, it is sufficient that DGE knew or ought reasonably to have known that there was a risk that a contravention would occur, and that it failed to take reasonable steps to prevent the contravention.

The Commissioner is not required to evidence any requirement for ‘damage and/or distress’, because the requirement has been specifically removed by the Privacy and Electronic (EC Directive)(Amendment) Regulations 2015. Albeit section 40(2) DPA98 (as modified) requires only that any damage caused or likely to be caused when deciding whether to issue an Enforcement Notice, but that is not the subject of this appeal.

Ground 6: The guidelines from the Information Commissioner distinguish between contraventions under PECR and those arising under the DPA and should be read subject to changes in the law, for example, the removal of the requirement to show distress or damage under PECR. The guidelines do not fetter the discretion to be exercised by this tribunal, nor of the Information Commissioner. Each case must be considered on its own facts.

Ground 7: The Commissioner considered comparable cases as a benchmark but a simple comparison of only the number of breaches/call/messages involved in comparator cases will not properly represent the entirety of the relevant facts and considerations in those cases. The Information Commissioner increased the amount of the penalty from the benchmark in the light of significant aggravating factors. Previous cases only act as guidance and each case must be determined on its own facts.

I have concluded, on the basis of the fact I have found proved, that DGE has contravened both regulation 22 and 23 of PECR. Between 29 February 2020 and 30 April 2020 there were 16,190 direct marketing text messages received by subscribers a total of 17,241 text messages being sent over that period. I agree with the observation of the Information Commissioner that DGE have been unable to evidence any consent as required by the regulations, instead providing unclear and inconsistent explanations for its practices and the means by which it obtained the data used for its direct marketing from an online account operated by a director or from social media advertisements.

Regulation 22(3) cannot apply in the circumstances of this case to provide any “soft opt in” . DGE has provided no evidence to support a reliance on Regulation 22(3) PECR for any of the data used from various origins, or any evidence to demonstrate valid consent whatsoever. DGE did not rely on this issue during the appeal.

The majority of the messages do not make clear that they are being sent by and on behalf of DGE, rather they either do not reference a sender at all or alternatively refer to a product name which is not a registered trading name of DGE. DGE obtained permission to market the products from a separate and distinct entity. I am satisfied that the actions of DGE have contravened regulation 23 PECR.

I have decided that it was appropriate to impose a monetary penalty, on DGE because

Seriousness: I am satisfied that condition (a) from section 55A (1) DPA is met. I have concluded that the contravention was serious in the light of the following

Deliberate or negligent contravention: There is no suggestion that the contravention was deliberate. In considering whether DGE acted negligently as opposed to deliberately the requirements of section 55A(3) DPA 1998 apply. I have concluded that DGE knew or ought to have known that there was a risk that the contravention would occur: the appellant accepts that it carried out direct selling by electronic mail and did so negligently. I have concluded that DGE knew or ought to have known that there was a risk that the contravention would occur and failed to take reasonable steps to prevent the contravention. The requirements of the regulations for direct marketing are widely publicised and guidance is readily available from the Information Commissioner’s website. No systems were in place to ensure consent had been obtained nor to adequately source and record the source of the date used, still less that consent had been obtained. I am satisfied that conditions (a) & (b) from section 55A (1) DPA are met.

I am also satisfied that the procedural rights under section 55B have been complied with.

I note that the penalty set out in the notice of intent was in the sum of £120,000. The reduction by 50% indicates that significant weight was placed on the company’s representations in response to that notice.

The original starting point for the penalty was identified by the Information Commissioner as £20,000. This was proportionate given the scale of the breach.

I have concluded that it is right that the penalty should be increased to reflect the fact that although not aggressive this was an exercise designed to make money in the context of a pandemic that had increased demand for the product being marketed. Furthermore, the company did not take advantage of advice and guidance that was readily and freely available to it. I also take into account the failure of the company to co-operate with the investigation.

In considering the amount of the penalty I acknowledge the potential impact on DGE of the imposition of a financial penalty but having considered the financial information available to me I do not consider that the imposition of the penalty will result in undue financial hardship to the company. The amount of the MPN was appropriate to dissuade and deter others from using similar direct marketing campaigns without familiarising themselves with the regulations that apply. The imposition of the penalty will reinforce the need for every business to ensure they are only messaging people who have given consent to receive marketing messages and comply with the requirement to properly identify themselves as the sender.

Taking all this into account, I am satisfied that a penalty of £60,000 is reasonable, proportionate and dissuasive in all the circumstances of this case and in my judgement struck a fair balance between means and ends.

I conclude that the MPN was in accordance with the law and I do not consider that the Commissioner ought to have exercised her discretion differently. The appeal is dismissed.