Case Reference: EA-2023-0252-FP
(Monetary Penalty Notice)
Panel deliberations: 19 April 2024
Heard by: CVP
Before
TRIBUNAL JUDGE SOPHIE BUCKLEY
TRIBUNAL MEMBER DAVE SIVERS
TRIBUNAL MEMBER PAUL TAYLOR
Between
JOIN THE TRIBOO LIMITED
Appellant
and
THE INFORMATION COMMISSIONER
Respondent
Representation:
For the Appellant: Robin Hopkins (Counsel)
For the Respondent: Eric Metcalfe (Counsel)
Decision:
1. The appeal against the Monetary Penalty Notice is dismissed.
2. The Monetary Penalty Notice is confirmed.
3. The tribunal will determine the appeal against the Enforcement Notice after it has received further submissions/evidence in accordance with the separate case management order.
REASONS
Introduction
Join the Triboo Ltd (‘JTT’) is a web services provider operating a number of job search websites and savings websites. Its principal activities are web publicity display, e-mail marketing and mobile marketing services and client recruitment campaigns through the internet and affiliate marketing. It supplies marketing data to third parties and carries out direct marketing by email on behalf of other companies (referred to as hosted electronic marketing).
In a Notice of Appeal dated 10 May 2023 JTT seeks to challenge a Monetary Penalty Notice (‘MPN’) imposing a fine of £130,000 and an Enforcement Notice (‘EN’) both issued on 12 April 2023. The MPN and EN contain findings that JTT had contravened regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR) by means of sending unsolicited emails for direct marketing purposes over the period 1 August 2019 to 19 August 2020.
At the start of the hearing, we determined that JTT was entitled to raise certain arguments included in its skeleton argument without any need to apply to amend the grounds of appeal.
The Judge apologises to the parties for the delay in promulgating the decision. This was due to the need to reconvene for panel deliberations, because there was insufficient time to deliberate on the day of the hearing. Partly as a result of panel availability over the Easter break, it was not possible to reconvene earlier than 19 April 2024.
This is a lengthy decision. Much of this decision consists of the factual background and a summary of the pleadings and submissions, with which the parties are already familiar. For the benefit of the parties the discussions and conclusions begin at paragraph 189 on page 40.
Factual background
We make these findings on the balance of probabilities.
In the course of the Commissioner’s investigation into Leads Work Limited (LWL) for sending unsolicited direct marketing messages in breach of regulation 22 PECR, LWL informed the Commissioner that it purchased data from, inter alia, JTT.
The Commissioner wrote to JTT on 24 August 2020. In its reply JTT identified 20 companies to whom it had sold its users’ data between 1 August 2019 and 24 August 2020. In the same period, JTT stated that it had made 8,717 direct marketing calls to users and sent 108,769,000 emails.
JTT sent the relevant emails to recipients who provided their email addresses via one or more of five websites operated by JTT (referred to below as “the relevant websites”). Four of those websites were concerned with job vacancies (“the jobs websites”). The fifth (“the savings website”) was concerned with money-saving offers and deals, e.g. on energy, education, finance and insurance.
The relevant websites are:
uk.job-search.online – 262,513 registered users (‘Jobsearch’)
uk.jobinaclick.net – 171,675 users (‘JobinaClick’)
findajob.website – 13,008 users (‘FindaJob’)
uk.job4you.website – 8,985 users (‘Job4you’)
savings.direct – 3,381 users (‘SavingsDirect’)
The versions of the consent statements and privacy policies in operation at the relevant time are referred to in this decision as the ‘original’ versions/consent statements/privacy policies etc. Amended versions were introduced from, at the latest, December 2021. These are referred to as the ‘new’ versions/consent statements/privacy policies etc.
In a letter to the Commissioner dated 20 September 2020, the director of JTT set out how the websites operated. He explained that it was necessary to register in order to use the services provided by the jobs website or to access exclusive content on the jobs websites, but that it was possible to opt in to or opt out of marketing communications by JTT and third parties:
“JTT operates also as a publisher, i.e. as the owner of several editorial websites (mostly focussed on job-related subjects) on which internet users can subscribe in order to access exclusive contents.
…
…When users land on the registration page, they are asked to fill out a web form in order to use the services offered by each site. The above-mentioned form, other than requiring users’ data functional to the subscription, provides for two additional checkboxes.
Via the first one, the data subjects are asked whether they are willing to receive marketing communications; via the second one, users are instead asked whether they consent that their data may be transferred to third parties (partners/clients of JTT). The list of said third parties is constantly updated and can be consulted via in the privacy policy, which link is available in the registration form and in any website’s footer.
These checkboxes are not pre-flagged, and consent can be provided through them freely and in an unambiguous way by the user. In fact, if a data subject decides not to flag either of these two check boxes, he can still resume the registration process and use the services offered by the website freely and without any implication of impairment.
If, on the other hand, the data subject flags the marketing communication checkbox, he will receive advertising communications (email or phone communication only) from JTT. Only if the second checkbox is flagged data will be transferred to third parties.”
JTT’s representatives, when responding to the Notice of Intent in a letter to the Commissioner dated 9 December 2022, stated as follows:
“…there is separation between data provided for Jobsearch purposes, which is held in one place, and data which is provided for direct marketing services, which is never in use for the job search process. Only if the user provides his or her information to our client for electronic marketing purposes does our client hold such data at all for marketing purposes.”
The original consent statement for Jobsearch contains the following wording (p 252):
I agree with Marketing Activity
Yes No
I agree with 3rd parties policy
Yes No
The consent statement appears in the middle of the registration form for Jobsearch. At the top of the page is the word ‘REGISTER’. Below that is the heading ‘REGISTER for free today!’. The registration form has boxes for email, title, name, date of birth, mobile number, address and industry. It then includes the consent statement as set out above.
There is then a section on ‘Trades Courses’ which contains a further yes/no check box in relation to contact from Trades Courses by SMS.
The registration form finishes with the following statement: ‘By Entering you agree to our privacy policy and to receive communications by email, phone and SMS from Jobsearch’. This is followed by a click box containing the word ‘Register’.
We have also been provided with a printout of a page on the website entitled ‘Welcome to JobSearch’ which includes the following statement ‘Register now with JobSearch to kickstart your search’. It then states:
“By registering with JobSearch you will not be starting the actual application process and your details will not immediately be passed to the recruiter. By registering with JobSearch you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions.”
The hyperlinks to the ‘privacy policy’ and the ‘3rd parties policy’ link to the same document. We refer to it as the ‘original privacy policy’. It is entitled ‘Privacy Policy’ and is at p 271 of the bundle.
We have read and taken account of the entire original privacy policy for Jobsearch, but we have reproduced some relevant extracts in an open annex to this decision.
The original consent statement for JobinaClick (p 256) is materially identical to the one for Jobsearch.
The original consent statement for Findajob is the same except it states ‘I agree with 3rd parties policy including Scottish Power’ (p318).
The original privacy policies for Jobinaclick and Findajob are materially identical to the original Jobsearch privacy policy.
The original consent statement for Job4you is slightly different (p335). It states:
“Agree to receive offers by email from job4you, on behalf of selected companies (https://uk.job4you.website/registration/index.php?module=site&method=privacy) that we believe will be of interest to you. These companies are within the following categories: Automotive, Retail, Finance, Insurance or General.
Yes No
Agree that job4you partners (https://uk.job4you.website/registration/index.php?module=site&method=privacy) may contact you with more interesting offers by email or telephone. You can opt-out of these communications at any time.
Yes No”
The registration page ends with a slightly different statement to the Jobsearch page:
“By clicking register you confirm that you have read and agreed to Job4you Privacy Policy.
(https://uk.job4you.website/registration/index.php?module=site&method=privacy)”
The ‘welcome page’ is similar to that for Jobsearch. It also provides that:
“By registering with Job4you you will not be starting the actual application process and your details will not immediately be passed to the recruiter. By registering with Job4you you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions.”
The original privacy policy for Job4you is in the bundle. It is too small to read. The Commissioner notes in the PECR investigation report that it is identical to the privacy policies for the other jobs websites and we proceed on that basis.
The SavingDirect website states that its purpose is to ‘help you find the best quote for your solar panel installation’. It states ‘Once you complete the form we will immediately begin to find the best quotes for you, based on your requirements, from up to four MCS certified installation companies. They will then get in touch with out directly with competitive quotes.’
The SavingDirect consent statements are embedded in a box entitled ‘Request a free quote’ with a final button reading ‘Request a callback’. The box has a number of sections for title, first name, email address and a dropdown box for ‘what work do you require’. The form then includes the following:
“ I agree I do not agree
By entering you agree to receive communications by email, phone, and sms from Saving Direct.
I agree I do not agree
By entering you agree to receive communications by email, phone, sms and post from 3rd parties.
By entering you agree to our Privacy Policy and Terms and Conditions.”
The original privacy policy for SavingDirect is similar but not identical to that used on the job websites. It contains the same categories and subcategories in which emails may be sent. The list of business partners and clients is much shorter and only includes three companies.
Over the relevant period, a total of 459,562 people registered on the relevant websites; of those, a total of 253,774 people, around 56% of those who registered, ticked the ‘yes’ box to receive marketing communications.
In the period in question JTT sent 108,769,000 emails. Of these, approximately 107 million (equating to 98.3%) were received. JTT explained that it had managed 40 email marketing campaigns in the relevant period on behalf of third-party companies, with each email having been sent to individuals on 18 occasions in each instance. The approximate percentage breakdown of the emails is: JobSearch 57%; JobinaClick 37%; FindaJob 2.8%; Jobs4U 2%; SavingDirect 0.7%.
The 107 million delivered emails were sent to 437,324 distinct individuals. This meant that each individual would have received on average 244 emails during the relevant period.
Examples of emails sent by JTT during the relevant period are at p 353 onwards. At the top of the email is the following:
“If you no longer wish to receive emails from us Click Here”
At the bottom of the email is the following:
“Unsubscribe from this list
You have received this email to [redacted] as a registered user of [Jobsearch]. If you no longer wish to receive emails from Join The Triboo Ltd VAT: GB102437752 - privacyuk@triboo.com please click the link above. Click here to see the privacy policy. This email and your data are controlled by Join The Triboo Ltd, 239 High Street Kensington, London, W8 6SN, United Kingdom.”
The Commissioner has not received any complaints in relation to JTT about any of these emails.
JTT informed the Commissioner in December 2021 that it had taken certain steps to improve its consent statements and privacy policies. In its letter of 9 December 2021 JTT stated that the changes generally included:
“a. Providing more details about how the data subject’s data will be processed, including the various means of communications;
b. Providing more details about the steps that are likely to be taken in respect of the data subject’s data where third parties are involved;
c. Incorporating the language of “data processing” and “consent” to build upon the previous affirmative and unambiguous language in obtaining consent; and
d. Including the name and the respective privacy policy (by hyperlink) of relevant third parties, if not already provided.”
The new consent statement for JobSearch is worded as follows (p 410):
“I agree to the processing of my data for marketing purposes by email, phone, and SMS from Join the Triboo: Yes/No
I consent to the communication of my data to third parties listed in the Join The Triboo's privacy policy… and their customers for their marketing purposes: Yes/No”
The other new consent statements are similarly worded. We have not been provided with copies of the new privacy policies.
On 17 October 2022 the Commissioner issued a Notice of Intent to issue a monetary penalty and a Preliminary Enforcement Notice to JTT. Representations were received on 9 December 2022.
In the representations JTT stated as follows:
There was no breach of regulation 22 PECR.
To the extent that there was a breach it was not serious.
The proposed monetary penalty was disproportionate.
The proposed enforcement terms were excessive relative to the wording of 22 PECR.
The MPN and EN were issued on 12 April 2023.
The turnover of JTT was as follows in 2019-2022:
Year ending 31 December 2022: £1,508,662
Year ending 31 December 2021: £1,130,265
Year ending 31 December 2020: £956,144
Year ending 31 December 2019: £1,715,930
JTT made the following gross profit, before administrative and other operating expenses, in those years:
Year ending 31 December 2022: £665,227
Year ending 31 December 2021: £478,561
Year ending 31 December 2020: £426,046
Year ending 31 December 2019: £547,586
JTT made the following annual operating profit or loss:
Year ending 31 December 2022: £36,014
Year ending 31 December 2021: £9,715
Year ending 31 December 2020: (£180,616) or (£141,801) before finance costs
Year ending 31 December 2019: (£219,620) or (£184,871) before finance costs
In relation to bank accounts and cash reserves the information in the bundle relates to December 2022. At that stage JTT had no cash reserves and a negative bank balance. The accounts from 2021-2022 also show no cash reserves and a negative bank balance.
JTT is wholly owned by Triboo Direct which is wholly owned by S.r.l. Triboo S.p.A which is the ultimate controlling party. Triboo S.p.A has market capitalisation in excess of €20 million.
The following statement appears in JTT’s accounts for the year ended 31 December 2022 on Companies House:
The directors have considered the use of the going concern basis for the financial statements and have confirmed this is appropriate. It is fully expected that the company will continue to trade for at least twelve months from the date of these financial statements and has guaranteed support of its parent company to do so.
The Law
The breaches relied on by the Commissioner took place between 1 August 2019 and 19 August 2020. At that date Regulation 2016/679 (‘the GDPR’) was in force in the United Kingdom. The GDPR rather than the UKGDPR is the relevant underlying legislation for this appeal.
PECR implemented the Privacy and Electronic Communications Directive 02/58/EC (the Directive) in domestic law. The Commissioner’s power to impose a monetary penalty notice, JTT’s right of appeal and the tribunal’s jurisdiction to hear the Appeal all derive from the Data Protection Act 1998 (DPA 1998). The repeal of DPA 1998 does not affect its operation insofar as it relates to PECR: paragraph 58 of Schedule 20 to the Data Protection Act 2018.
Regulation 22 of PECR provides:
“(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b) the direct marketing is in respect of that person’s similar products and services only;
and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).”
Reg 2(1) defines a ‘subscriber’ as ‘a person who is a party to a contract with a provider of public electronic communications services for the supply of such services’.
Section 11(3) DPA 1998 defines direct marketing as, ‘the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals’. This definition applies for the purposes of the PECR.
The definition of ‘consent’ under PECR is set out in article 4(11) of Regulation 2016/679 (‘the GDPR’):
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
We find that the following recitals are a helpful guide to interpretation of regulation 21(4).
Recital 32 of GDPR provides:
“When the processing has multiple purposes, consent should be given for all of them.”
Recital 42 materially provides that:
“For consent to be informed, the data subject should be aware at least of the identity of the controller”.
Recital 43 states that:
“Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case.”
The Upper Tribunal in Leave.EU Group Limited and Eldon Insurance Services Limited v IC (GIA/921/2020, GIA/922/2020 & GIA/923/2020) (Leave.EU) considered the meaning of “specific and informed” consent as follows:
“48. There are two decisions of the Court of Justice (CJEU) which are helpful in this context: Case C-673/17 Verbraucherzentrale Bundesverband eV v Planet49 GmbH (EU:C:2019:801) [2020] 1 WLR 2248 (‘Planet49’) and Case C-61/19 Orange Romania SA v ANSPDCP (EU:C:2020:901) (‘Orange Romania’)….
49. The Planet49 case concerned an online promotional lottery. The registration process involved the installation of cookies on users’ computers and pre-selected boxes agreeing to being contacted by third parties. In the first instance, users who wished to enter the lottery were presented with a generic opening statement as to their consent to receiving information from “certain sponsors and cooperation partners”. However, they then had the opportunity to specify their preferences in considerable detail (see the CJEU judgment at [26]-[30]). The Court of Justice ruled that “the indication of the data subject’s wishes referred to in Article 2(h) of Directive 95/46 must, inter alia, be ‘specific’ in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes” (at [58]). The Court also agreed with the Advocate General that clear and comprehensive information (as required by Article 5(3) of the 2002 Directive) “implies that a user must be in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed” (CJEU judgment at [74]).
50. Furthermore, the passage at paragraph [58] of the Court of Justice’s judgment was expressly adopted in Orange Romania (at [38]). Likewise, and notably, the Court reaffirmed the passage from Planet49 at [74] in Orange Romania at [40]:
[40] As regards the requirement arising from Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679 that consent must be ‘informed’, that requirement implies, in accordance with Article 10 of that directive, read in the light of recital 38 thereof, and with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed (see, by analogy, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 74).
51. We consider that Planet49 and Orange Romania are high authority as to the proper approach to the meaning of consent in this context. The decisions are especially helpful as regard the requirement that consent be both “specific” and “informed”. They set a relatively high bar to be met for a valid consent.”
A breach of the Regulations is a matter falling under s 55A of the DPA 1988 which provides (when applied to regulations 19 to 24 of PECR, see regulation 2 of PECR 2015):
(1) The Commissioner may serve a person with a monetary penalty notice if the Commissioner is satisfied that—
(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and
(b) subsection (2) or (3) applies.
(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person—
(a) knew or ought to have known that there was a risk that the contravention would occur, but
(b) failed to take reasonable steps to prevent the contravention.
The Upper Tribunal in Leave.EU at paragraph 70 explains:
MPNs represent one part of a suite of enforcement measures available to the Commissioner. In this context we note that Directive 2009/136/EC (‘the 2009 Directive’) amended the 2002 Directive, in part to strengthen enforcement of the rules governing the use of electronic mail for direct marketing. Article 15a(1) of the 2002 Directive, as amended, provides (…):
Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.
The maximum limit for a MPN under the DPA 1998 is £500,000 (s 55A(5) and reg 2 of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31; ‘the 2010 Regulations’)). The information that must be contained in the MPN includes, ‘the reasons for the amount of the monetary penalty including any aggravating or mitigating features the Commissioner has taken into account.’
S 55B sets out the procedural requirements of imposing a monetary penalty notice, including at subsection (1) that ‘the Commissioner must serve the data controller with a notice of intent’ before serving the monetary penalty notice. Article 2 of the Data Protection (Monetary Penalties) Order 2010 (the Order) requires the Commissioner to ‘consider any written representations made in relation to a notice of intent when deciding whether to serve a monetary penalty notice.’
Section 55B(5) DPA 1998 provides:
A person on whom a monetary penalty notice is served may appeal to the Tribunal against—
(a) the issue of the monetary penalty notice;
(b) the amount of the penalty specified in the notice.
The s 55B(5) right of appeal is to be determined in accordance with s 49 DPA 1998. This provides that the tribunal shall allow the appeal and (or) substitute another Notice if the Notice is ‘not in accordance with the law’ or to the extent that the Commissioner exercised her discretion, it should have been exercised differently.
S 160 DPA 2018 requires the Information Commissioner to publish a Regulatory Action Policy giving guidance about how she proposes to exercise her functions under the DPA 2018. This was published in November 2018. The Commissioner also publishes internal guidance which it uses when deciding the level of an MPN:-
“The [Case Working] Group will determine a starting figure that reflects the nature and seriousness of the contravention of the Act by the data controller or collection of breaches of PECR by a person.
This will involve looking at the nature of the contravention or collection of breaches together with the scope of the potential harm caused, and a consideration of what is reasonable and proportionate, given the circumstances of the case.
The initial view is based on the sanction available based on the statutory maximum of £500,000, which will be considered against a ‘nature and seriousness’ rating as follows:
Level A = £1 to £10,000
Level B = £10,001 to £40,000
Level C = £40,001 to £100,000
Level D = £100,001 to £250,000
Level E = £250,001 to £500,000
Once the level of nature and seriousness has been determined, the starting figure will be set by moving upwards or downwards in the band dependent on the specific circumstances of the case.
For PECR breaches, the Group will take into account the number of unlawful communications which were the subject of complaints, the types of complaints and the period over which the collection of PECR breaches extended.”
In relation to seriousness the Upper Tribunal in Leave.EU emphasised that it was a factually specific issue in each case but noted at para 81 that ‘the number of emails involved gives a sense of scale. On any reckoning, over a million emails is a serious number and the FTT was entitled to take that as a starting point’.
The European Data Protection Board (EDPB) has produced guidelines on consent (Guidelines on consent under Regulation 2016/679, Version 1.1, Adopted on 4 May 2020). In Rondon v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB) Collins Rice J stated at paragraph 87 that guidelines produced by EDPB “have weight which goes beyond expert commentary on the primary text. They do not constitute law but are an important indicator of whether or not ambiguity genuinely exists and, if it does, the best approach to understanding it. They have to be given commensurate weight.”
Section 40 DPA 1998 (as it applies to PECR) provides:
“(1) If the Commissioner is satisfied that a person has contravened or is contravening any of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (in this part referred to as the relevant requirements), the Commissioner may serve him with a notice (in this Act referred to as “an enforcement notice”) requiring him, for complying with the principle or principles in question, to do either or both of the following-
(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be specified, such steps as are so specified, or
(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.
(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage.”
Section 160(6) of the DPA 2018 provides in relation to Enforcement Notices that the Commissioner must produce and publish guidance on his regulatory action policy as follows:
“(6) In relation to enforcement notices, the guidance must include—
(a) provision specifying factors to be considered in determining whether to give an enforcement notice to a person;
(b) provision about the circumstances in which the Commissioner would consider it appropriate to give an enforcement notice to a person in reliance on section 150(8) (urgent cases);
(c) provision about how the Commissioner will determine how to proceed if a person does not comply with an enforcement notice.”
In accordance with section 160(6)(a), the Regulatory Action Policy (RAP) guidance on enforcement notices (pp.22-23) reads as follows:
“Enforcement notices will usually be appropriate where specific correcting action (or its prevention) may be required. Although this is not an exhaustive list, an enforcement notice may be required in such circumstances as:
• repeated failure to meet information rights obligations or timescales for them (e.g. repeatedly delayed subject access requests);
• where processing or transfer of information to a third country fails (or risks failing) to meet the requirements of the data protection legislation;
• where there is an ongoing NIS [Network and Information Systems] incident requiring action by a digital service provider;
• there is a need for the ICO to require communication of a data security breach to those who have been affected by it; or
• there is a need for correcting action by a certification body or monitoring body to ensure that they meet their obligations.”
This is not intended to be a comprehensive code covering every circumstance in which an enforcement notice may be appropriate (see paragraph 99 of Leave.EU).
Section 47 provides that a person who fails to comply with an enforcement notice is guilty of an offence.
In relation to proportionality the Upper Tribunal said the following at paragraph 107 of Leave.EU:
“107. … We start from the proposition that, as Lord Reed put it in Pham v Secretary of State for the Home Department [2015] UKSC 19; [2015] 1 WLR 1591 at paragraph [113]:
it is helpful to distinguish between proportionality as a general ground of review of administrative action, confining the exercise of power to means which are proportionate to the ends pursued, from proportionality as a basis for scrutinising justifications put forward for interferences with legal rights.
108. The present types of appeals plainly fall into the former rather than the latter camp. The correct proportionality test in a full merits review appeal is simply whether a fair balance has been struck between means and ends (see e.g. R v Barnsley Metropolitan Borough Council, Ex p Hook [1976] 1 WLR 1052). Structuring this approach through the prism of the three-fold EU proportionality test does not work – as Mr Knight pointed out, there will always be a less restrictive alternative to the imposition of a penalty (such as an informal warning or no regulatory action at all). Moreover, if the EU proportionality argument had any legs in this context, we would have expected it to have been run in previous case law. It is noteworthy in that regard that very experienced counsel made no such submissions in Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 551 (AAC), despite launching a head-on challenge to many other aspects of the MPN regime, and an analogous argument did not find favour with Judge Wikeley in UKIP v Information Commissioner [2019] UKUT 62 (AAC) at paragraphs 28-29.”
The jurisdiction of the First-tier Tribunal
This is a full-merits review type of appeal. We stand in the shoes of the Commissioner. If there is a mistake by the Commissioner, whatever the nature of that mistake, we make the decision that the Commissioner could have made.
The MPN
The contravention is detailed in the MPN as follows:
“44. The Commissioner finds that between 1 August 2019 to 19 August 2020, 107 million direct marketing emails were received by subscribers. The Commissioner finds that JTT transmitted those direct marketing messages, contrary to regulation 22 of PECR.
45. JTT, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been obtained.
46. In this instance JTT is required to demonstrate that the consent is freely given, specific, informed, and contains an unambiguous indication from the individual via an affirmative action.
47. Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.
48. Consent will not be “informed” if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print. Consent will not be valid if individuals are asked to agree to receive marketing from or on behalf of “similar organisations”, “partners”, “selected third parties” or other similar generic description.
49. The consent statement for ‘uk.job-search.online’, ‘uk.jobinaclick.net’ and ‘findajob.website’ simply states “I agree with marketing activity”. It is not specific and does not inform an individual as to what marketing activity will take place, via what means, nor who the marketing will be by or on behalf of. Indeed, the privacy policy states that marketing may be carried out for ‘third parties’ who may operate in ‘any business sector’ and are referred to as ‘business partners’ and ‘clients’. There is then a list of broad generalised categories and subcategories of organisations on behalf of which marketing may be sent. This statement was active on three out of four job websites, which obtained 96.8% of the ‘consents’ obtained by JTT during the relevant period.
50. The ‘UK.Jobs4you.website’ consent statement is more descriptive, but is neither specific nor informed. It refers to receipt of emails on behalf of ‘selected companies’ and contains broad categories, including ‘general’. Individuals could not possibly be informed as to what a ‘general’ company might be. The privacy policy is the same as detailed above.
51. The ‘Savings.Direct’ consent statement pre-packages all the consent channels into a single statement and thus cannot be said to be specific. It also not informed as it does not describe that any marketing will occur, instead stating that ‘communications’ will be sent. Again, the privacy policy is the same as the job websites save that it includes details of three named ‘business partners’ or ‘clients’.
52. The Commissioner has considered the consents obtained by JTT and finds that in each case they do not comply with the requirements of Article 4(11) of the GDPR.
53. The Commissioner is therefore satisfied from the evidence he has seen that JTT did not have the necessary valid consent for the 107 million direct marketing messages received over the relevant period.
54. As the data was not collected during the course of a sale or negotiation between JTT and the recipients of the emails, the Commissioner is satisfied that the provisions of regulation 22(3) PECR (“the soft opt-in”) do not apply in this case.”
The Commissioner went on to consider if the conditions under s 55A were met.
The Commissioner was satisfied that the contravention was serious because over a period of approximately one year a confirmed total of 107 million direct marketing messages sent by JTT were received by 437,324 distinct individuals. This means that each individual received on average 244 emails during the relevant period. These messages contained direct marketing material for which subscribers had not provided valid consent.
The Commissioner acknowledged that no complaints have been identified in relation to the sending of these emails, but is unsurprised by this given that the email marketing was hosted, and JTT’s role would not necessarily have been apparent to recipients. This is particularly so given that the broad range and content of the marketing emails was far removed from the context of the job search websites to which recipients had registered.
The Commissioner concluded that JTT knew or ought to have known that there was a risk that this contravention would occur because:
The Commissioner has published detailed guidance, the ICO operates a telephone helpline and ICO communications about previous enforcement actions are readily available;
The issue of unsolicited marketing has also been widely publicised by the media as being a problem;
JTT is an experienced host marketer and data supplier which has been operating in excess of 10 years, and so should have had a full understanding of the obligations imposed on them;
JTT was aware of the Commissioner’s prior investigation into LWL, and his concerns about the validity of consent to send marketing messages based upon data supplied by third parties, including JTT. This should have alerted JTT to the possibility that the consent it used to send marketing emails was inadequate.
The Commissioner concluded that JTT failed to take reasonable steps to prevent the contravention because JTT should have familiarised itself with, and ensured that the consent statements in its websites complied with Article 4(11) of GDPR in order to collect compliant data. JTT could have consulted ICO guidance or obtained further advice if it was unclear. The consent statements and privacy policies should have been specific as to what and how marketing was to occur, and informed as to the identity of third parties on whose behalf JTT hosted marketing. Whilst JTT stated it has undergone a legal review of its processes and procedures, and has since updated its consent statements, the Commissioner considered that the changes made were still insufficient to equate to compliant consent statements, particularly as all marketing channels remain bundled together and do not reference any of the third parties on behalf of whom JTT host marketing.
In determining to issue a MPN the Commissioner considered that there were no aggravating features.
The Commissioner took account of the mitigating feature that JTT had taken some steps to change its consent statements, however these were insufficient to satisfy the requirements of PECR, and so the Commissioner did not view this as justification to reduce the penalty.
The Commissioner attempted to consider the likely impact of a monetary penalty on JTT and decided on the information available to him that a penalty remained the appropriate course of action.
The Commissioner stated that his underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The Commissioner stated that he had had regard to the factors set out in s108(2)(b) of the Deregulation Act 2015; including: the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business, and the likely impact of the proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses.
In relation to the amount of the penalty, the Commissioner decided that a penalty in the sum of £130,000 was reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.
The EN
The EN relies on the same breach as that set out in the MPN. In relation to the issuing of the EN the Commissioner stated:
“27. The Commissioner has considered, as he is required to do under section 40(2) of the DPA (as extended and modified by PECR) when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress. The Commissioner has decided that it is likely that JTT’s actions had the potential to, or did, cause damage or distress to the subscribers who received the unlawful marketing messages.
28. In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the DPA, he requires JTT to take the steps specified in Annex 1 of this Notice.”
The EN required JTT to take the following steps within 30 days of the date of the notice:
“Except in the circumstances referred to in paragraph (3) of regulation 22 of PECR, neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified JTT that he clearly and specifically consents for the time being to such communications being sent by, or at the instigation of, JTT.”
The Appeal
The grounds of appeal are, in summary, as follows:
Ground One
JTT did not contravene regulation 22 PECR as alleged by the Commissioner
Ground Two
Even if it did contravene regulation 22 PECR, the MPN and EN could not have been issued because other statutory preconditions were absent.
Ground Three
Even if the Commissioner had a discretionary power to issue the MPN and/or EN it exercised that discretion wrongly.
Ground 1 – there was no contravention
JTT argues that the Commissioner’s conclusion that the opt-ins were insufficiently specific and informed is wrong because:
The Commissioner ought to have asked itself whether these opt-ins were specific indications of agreement to the purpose of the intended processing, i.e. marketing communications by electronic means.
The Commissioner wrongly interpreted Article 4(11) GDPR as requiring specificity “as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it”.
In any event the opt-ins were sufficiently specific and provided on a sufficiently informed basis.
Both the specific and sufficiently informed criteria need to be assessed in context. The only realistic conclusion is that individuals knew what they were signing up for and chose to sign up. That is reinforced by the fact that the Commissioner did not receive a single complaint. JTT made clear, on each of the emails that it sent, that it was the sender, and it included a clear opt-out with which it complied promptly.
Ground 2 – the MPN and EN could not have been issued.
JTT argues that the contravention was not serious. At its highest it is a technical and marginal contravention based on differing views as to the requisite standard for specific and informed consent. There was no damage or distress nor any (or any material) impact on individuals’ privacy rights. The volume of emails does not support a conclusion of seriousness.
It is submitted that JTT did not have the requisite “guilty mind” within the meaning of s. 55A(3) DPA 1998. JTT’s interpretation of and approach to consent was (at its lowest) reasonable, and it was thus reasonable for it not to take other steps to change its approach at that time. It is insufficient to simply assert that JTT should have known what the law was.
It is submitted that there is no basis for concluding that the alleged contraventions of regulation 22(2) were likely to cause anyone damage. The Commissioner has apparently applied a standard of ‘likely to have the potential to’ which is wrong in law.
Ground 3 – wrong exercise of discretion
It is submitted that the Commissioner exercised its discretion wrongly because:
The Commissioner failed to properly apply its policies and this case was not sufficiently serious to justify enforcement action. The MPN and EN are disproportionate.
The Commissioner unfairly implied that JTT was not a legitimate company.
The alleged contravention is not serious.
Both the MPN and the EN would cause unjustifiable and enormous harm to JTT’s legitimate business. JTT provided information showing inter alia that, for the year to 31 December 2020, it had an operating loss of £141,801. A MPN of £130,000 would be terminal for JTT’s business in those circumstances. The ICO either failed to consider the detailed information JTT provided about financial impact, or it failed to appreciate the terminal impact of this MPN, or it intended the MPN to have that terminal impact. On any of those scenarios, the ICO was wrong to impose this MPN.
The ICO has treated JTT unfairly in failing to acknowledge any mitigating steps, except to note at para. 73 of the MPN that JTT “has taken some steps to change its consent statements”.
The EN contains no reasoning. There is no utility in issuing an EN that simply requires compliance with the law, and the ICO should not have done so here.
The response of the Commissioner
Ground 1 – JTT’s contravention of reg 22 PECR was plain and obvious
It is noted that JTT cites no authority for a ‘watered-down’ approach to the issue of specific consent. Read in light of the CJEU’s decisions in Verbraucherzentrale Bundesverband eV v Planet49 GmbH (EU:C:2019:801) [2020] 1 WLR 2248 (‘Planet49’) and Case C-61/19 Orange Romania SA v ANSPDCP (EU:C:2020:901) (‘Orange Romania’) it is submitted that the Commissioner’s requirement that direct marketers demonstrate each user’s consent “as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it” is hardly an exacting or an excessive standard.
The opt-ins in relation to three of JTT’s websites (uk.job-search.online, uk.jobinaclick.net and findajob.website) were no more specific than “I agree with marketing activity”.
As regards the link to the privacy policy, there was no separate “3rd party policy” referred to but only a bland reference to marketing activities for third parties, “who may operate in any business sector” and who are elsewhere referred to as JTT’s “business partners” and “clients”. Individuals are informed in the policy that they “may” be contacted by email within 11 broad categories including “financial” or “clubs, organisations and web sites/portals”. The policy also contains a very broad statement concerning the potential disclosure of data.
In relation to uk.jobs4you.website, the consent statement referred to “offers by email from job4you on behalf of selected companies that we will be of interest to you” within one of five specified categories including the catch-all “General”. In relation to savings.direct, the consent statement stated that “by entering you agree to receive information & offers by email, phone, SMS and post from 3rd Parties”, but makes no mention of any marketing, only “communications” made for purposes unspecified and unknown.
In all the circumstances, it is submitted that the Commissioner was plainly right to conclude that JTT had failed to provide users of the websites with “sufficiently detailed” information about its direct marketing to enable them to give consent that was both “specific” and “informed”.
It is submitted that the fact that half of users signed up and half did not says nothing whatsoever about whether the information provided was sufficiently detailed to enable an informed choice to be made.
The Commissioner submitted that it is unsurprising that the Commissioner received no complaints since users who received the emails would not have appreciated any link to the websites operated by JTT.
It is submitted that sending 107 million marketing emails in the space of little over 12 months was plainly an intrusion into the privacy of those recipients who had never properly consented to them in the first place.
Ground 2 – the Commissioner was entitled to issue the notices
It is submitted that sending 107 million emails in little more than a year without valid consent cannot be described as technical or marginal. JTT does not know if there was damage or distress or material impact on recipients’ privacy rights. The potential for very large numbers of infringements is a reason for greater caution.
The Commissioner submitted that JTT’s argument that it could not have known about the risk is fanciful. The PECR guidance made clear the need for specific and informed consent and JTT is an experienced operator.
The Commissioner found that there was damage as well as distress and it is submitted that the exclusion of distress only applies to the making of an EN not a MPN under section 55A.
Ground 3 – the decisions to issue the notices involved a correct exercise of discretion
It is submitted that there has been no failure by the Commissioner to follow his own Regulatory Action Policy or his Internal Procedure. JTT remains unable to point to any specific respect in which they are incompatible with his published policies.
The Commissioner submitted that the reference to ‘legitimate’ companies made in a press release following the issue of the EN has no bearing on the validity of the EN.
It is submitted that if the statutory conditions are satisfied it cannot be argued that the contravention was not serious. It is not unlawful for the Commissioner to exercise his discretion to issue notices in cases where the statutory criteria for those notices to be issued are met.
Although JTT has an operating loss of £141,801 in the year ending 31 December 2020, JTT’s annual revenues for the same year were £956,114. JTT is part of a large international group whose parent company has market capitalisation in excess of €20 million. The Commissioner submitted that it is very unlikely that the monetary penalty notice would have a “terminal impact” on JTT’s business.
The Commissioner submitted that he took into account that JTT had taken steps to change its consent statements. He disagreed that JTT’s interpretation was reasonable.
Given, however, that JTT continued its operations even after being notified of the Commissioner’s concerns, an enforcement notice, according to the Commissioner, was plainly a necessary and reasonable step to prevent further contraventions of the law.
Reply by JTT
To the extent that the Commissioner took information about Triboo SpA into account, he failed to include this in the Notices. Consequently, it is submitted that the Notices are defective for, and the decision to serve them is vitiated by, a failure to give adequate reasons. It is submitted that the Commissioner unlawfully and unfairly failed to give JTT an opportunity to address this issue. The market capitalisation of Triboo SpA is irrelevant.
It is submitted that the revenue of JTT is irrelevant when considering its ability to pay a penalty. JTT accordingly stands by the point that a MPN of £130,000 would be terminal for JTT’s business.
Evidence
The tribunal read and took account of a bundle of documents.
The issues
The issues for the tribunal to determine are:
Were the relevant emails sent in contravention of regulation 22(2) PECR because the ‘consent’ was insufficiently “specific and informed”?
Were the statutory conditions for issuing a MPN present:
Was the contravention serious?
Did JTT know, or ought it to have known, that there was a risk that the contravention would occur, but fail to take reasonable steps to prevent the contravention?
Were the statutory conditions for issuing an EN present?
If so, should the Commissioner have issued the MPN and/or the EN?
Skeleton arguments/oral submissions
Skeleton argument/oral submissions of JTT
Summary of key points
Mr. Hopkins submitted that it was highly relevant that some 2.5 years had elapsed between the end of the relevant period (August 2019 to August 2020) and the decision to issue the notices in April 2023. He submitted that the tribunal, standing in the shoes of the Commissioner in April 2023, should take into account the new versions of the consent statements when deciding whether to exercise discretionary enforcement functions. Mr. Hopkins submitted that the Enforcement Notice was entirely useless because things had changed by then. He said that the notices were an irrational and pointless exercise of the discretion to impose sanctions because they were directed at a target that has long since fallen away, because JTT’s practices had been changed since at least December 2021.
Mr. Hopkins submitted that any contravention cannot possibly be categorised as serious. He drew the tribunal’s attention to an important structural feature of this case which he says distinguishes it from many other PECR cases that end up before the tribunal, in that the marketing emails are triggered by a voluntary opt-in box. He submitted that users of the website were entitled to choose without any adverse consequences whether to say yes or not to third party contact. There is no pre-ticked box, there is no reliance on users having done something else such as transacted with JTT or signed up for a product or a service. In those circumstances Mr. Hopkins submitted that it makes no sense to call a contravention serious and issue draconian enforcement notices where emails have been sent specifically because individuals decided to tick the ‘yes’ box. This is bolstered by the fact that there were no complaints.
Mr. Hopkins submitted that even if the Commissioner establishes that the statutory conditions were met, he was wrong to exercise his discretion to take enforcement action, relying on the same points relied on in relation to seriousness. Further it was submitted that it is simply wrong to issue a monetary penalty notice that would be terminal for JTT’s business.
Relevant facts
Mr. Hopkins submitted that marketing emails were only sent by JTT or third parties to those who chose to register on one of these websites and filled in the registration details. However that was not sufficient. The individual also had to tick a yes or no box. Mr. Hopkins stated that it was important to note that this was not a regime where, if you did not tick yes, you could not proceed. Mr. Hopkins submitted that you could register and receive updates about job vacancies even if you chose to say no to the marketing communications.
In support of this Mr. Hopkins relied on the letter from JTT to the Commissioner dated 21 September 2020 which states at p 294 of the bundle:
“These checkboxes are not pre-flagged, and consent can be provided through them freely and in an unambiguous way by the user. In fact, if a data subject decides not to flag either of these two checkboxes, he can still resume the registration process and use the services offered by the website freely and without any implication or impairment.”
Mr. Hopkins took the tribunal to examples of the consent statements and privacy policies in the bundle.
Mr. Hopkins submitted that even if the tribunal took the view that the wording was ambiguous in relation to whether or not consent was given merely by entering the website or registering, in fact emails were not sent unless the consent box was ticked. He submitted that these enforcement notices relate to the sending of the emails, they are not a penalty for having materials that are not clear or transparent.
Mr. Hopkins submitted that the consent statement had to be read as a package with the privacy policy. He submitted that the privacy policy gives a comprehensive and detailed list of the third parties who might contact the individual and gives links to their privacy policies. It provides specific details of the different types of marketing activities and the different sectors. The individual will understand what they will be getting: they are going to be sent offers for products and services within the categories in the list by the companies in the list.
On the basis of the privacy policy, Mr. Hopkins submitted that there is amply sufficient information to enable the people using the website and contemplating whether to click no or yes to understand exactly what they were signing up for if they clicked yes.
Mr. Hopkins argued that the fact that over the relevant period around 56% ticked the boxes saying yes, suggests that people could and did exercise a genuine choice and understood what they would receive. The fact that around half said yes and half said no does not support the impression that this was skewed so as by default to trick people into signing up for things they didn’t understand.
Mr. Hopkins took the tribunal to an example of one of the marketing emails from during or shortly after the relevant period (p353). Mr. Hopkins drew the tribunal’s attention to the unsubscribe links and the fact that the email states how the individual came to receive such emails (‘You have received this email to [redacted] as a registered user of Jobsearch’). If the Commissioner is right that insufficiently specific information is provided on the basis of the consent boxes, Mr. Hopkins argued that any information gap is quickly remedied in the first email which specifies which website they signed up on and gives an option to unsubscribe.
Mr. Hopkins submitted that this is a vital part of the analysis in relation to seriousness and in exercising the discretion to take enforcement action bearing in mind the guiding principles of purposiveness and proportionality.
Mr. Hopkins took the tribunal to the new versions of the consent statements introduced in 2021 (see p 410). Mr. Hopkins submitted that this was not a concession that the earlier versions were inadequate but JTT trying to improve, taking advice and making improvements to enhance the information provided.
Mr Hopkins submitted that the financial position of JTT does not enable them to pay a fine of £130,000. He relies on the email to the Commissioner at p 127 of the bundle and the profit and loss accounts at p 189 which show an operating loss of £180,616 for the financial year up to December 2020, and an operating loss excluding finance costs of £141,801.
Mr. Hopkins submitted that the Commissioner is wrong to rely on JTT’s revenue. Further, he argued that it is fundamentally misconceived to take into account speculation that JTT’s parent company might ‘bail them out’.
Ground 1 – no contravention of PECR
Mr. Hopkins submitted that there was no alleged contravention in relation to whether consent was freely given or unambiguous. He submitted that the issue was whether the consents were sufficiently ‘specific’ or ‘informed’ to meet the standards in Article 4(11) GDPR. Mr. Hopkins drew the tribunal’s attention to what he termed a specific acceptance at p 219 by the Commissioner in the enforcement decision record to the effect that consent was freely given.
In relation to the meaning of ‘specific and informed’ Mr. Hopkins submitted that this is not defined in the legislation. The meaning is context dependent.
Mr. Hopkins submitted that ‘specific’ means that the tribunal has to ask if the opt-ins were specific indications of agreement to the purpose for which data will be processed. Specific does not mean that there needs to be specificity as to the particular party or sector. Mr. Hopkins relied on the European Data Protection Board (EDPB) Guidelines 05/2020 on consent under Regulation 2016/679 to support his submission.
Mr Hopkins argued that individuals were asked to give consent to the specific purpose of marketing, which was hived off from registration to the website.
In relation to ‘informed’ consent, Mr. Hopkins noted that the EDPB is of the opinion that at least the following information is required for obtaining valid consent:
the controller’s identity,
the purpose of each of the processing operations for which consent is sought,
what (type of) data will be collected and used,
the existence of the right to withdraw consent,
information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.
Mr. Hopkins submitted that the express descriptions of emails, marketing activity, sectors and the third parties, taken together, comfortably fall within the EDPB guidance on what informed consent looks like.
Mr. Hopkins noted that the Commissioner at para 47 of the MPN states that:
“Consent is required to be “specific” as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.”
Mr. Hopkins argued that that is not what the EDPB guidance says, which is that it has to be specific as to purpose not as to the granular detail.
Mr. Hopkins submitted that, even applying the Commissioner’s ‘gloss’ on the standard, JTT met that threshold. He argued that the consent statements and the privacy policy provided sufficiently clear specific granular information about what the email address would be used for, and who would be sending the communications.
Mr. Hopkins submitted that, for the same reasons, the opt-ins were provided on a sufficiently informed basis. “Marketing” is a very common and well-understood aspect of 21st century life, in particular in the context of registrations on websites. Those who were interested in more information about the kinds of organisation who might send them marketing communications could click the hyperlink to the privacy policy. Within that privacy policy, JTT described the types of third parties who may send marketing communications (e.g. by sector or type of offer). For the jobs websites, the privacy policy also provided a lengthy illustrative list specifying companies who may send marketing communications (e.g. Scottish Power, O2, Sky UK), together with links to the privacy policies of those companies.
Mr. Hopkins argued that it is not open to the Commissioner or the tribunal to ‘micro-manage’ the exact way in which the information was presented, if that information complies with the minimum standard imposed by law.
Mr. Hopkins submitted that it is important to take a step back and take a purposive and proportionate approach. The Commissioner’s approach, he submitted, is divorced from reality in a case where half the individuals opted in and half did not, and where there have been no complaints. Mr. Hopkins submitted that there was a strong resonance between this case and Xerpla Limited v ICO (EA/2017/0262), where the tribunal overturned a MPN issued for alleged contraventions of regulation 22(2) PECR.
Mr. Hopkins submitted that data protection legislation, including PECR, must be read purposively not mechanically: Dixon v North Bristol NHS Trust [2022] EWHC 3127 (KB); 191 BMLR 148 at para. 104.
The purpose of PECR, as set out in recital 40 to Directive 2002/58/EC, is the protection of privacy. Mr. Hopkins submitted that the emails sent by JTT and third parties in this case did not intrude or cause any meaningful interference in an individual’s privacy given the voluntary sign-up.
Further, it is submitted that the Commissioner lost sight of the proportionality principle when it applied a ‘gold-standard’ gloss to the terms “specific” and “informed” in ways that overlook:
the context in which recipients voluntarily signed up for such emails, and
the fact that any lack of understanding a recipient may have had about the marketing they might be consenting to was swiftly alleviated once they received the emails themselves.
It is submitted that the EN is fatally undermined by the fact that it is a forward-looking document issued in April 2023, yet it fails to say anything about the new versions of JTT’s consent statements and privacy policy.
Ground 2 – the statutory criteria are not present
Mr. Hopkins submitted that whatever breaches the tribunal might find, they would constitute marginal and technical, rather than serious contraventions, based on differing views as to the required standards for ‘specific’ and ‘informed’. It is not an egregious case where accessing some kind of service is conditional on consent, or where repeated emails are sent after opting out.
There is no damage or distress. JTT does not understand how it is said that damage or distress would be likely where there is an opt in consent model accompanied by opt-outs in the emails.
It is submitted that the volume of emails is unsurprising given the kind of business that JTT operates, and the large number of customers who ticked a box to agree to receive such emails.
Mr. Hopkins submitted that it is accepted that the contravention was not deliberate, and it cannot be said that it knew or ought to have known about the risk because the law is not clear. JTT’s interpretation of/approach to consent was (at its lowest) reasonable, and it was thus reasonable for it not to take other steps to change its approach at that time.
In relation to the EN Mr. Hopkins submits that the ‘has contravened’ limb in section 40(1) DPA 1998 must be subject to a qualifier that the alleged contravention is (i) sufficiently recent, and (ii) risks being repeated.
It is submitted that the EN refers to distress when that is omitted from section 40(2) DPA 1998 as it applies to PECR.
Ground 3: The MPN and EN should not have been issued
Mr. Hopkins relied on the points made under ground 2 and emphasised the following:
A MPN of £130,000 would be terminal for JTT’s business.
The ICO failed properly to apply its own guidance.
Mr. Hopkins submitted that the tribunal should ask itself, in the light of the changes made to the policies, if something less draconian would do.
Skeleton argument/oral submissions of the Commissioner
Ground 1 – the contravention of PECR was plain and obvious
The Commissioner accepted that there is no suggestion that anyone was compelled to give consent but the concepts of freely given consent and informed consent very much go together, because, as is clear from the case law, you cannot freely give consent if you do not properly understand what you are being asked to consent to.
The Commissioner submitted that consent has to be judged in context and the factual matrix in Xerpla is very different: the Upper Tribunal noted in paragraph 64 of Leave EU the specific factual matrix described by the First-tier tribunal in Xerpla, “it was obvious what its subscribers were consenting to. It was obvious because of the service Xerpla was offering. Whether consent is informed has to be judged in context. The nature of Xerpla’s discounts/deals website was that subscribers could be sent third party offers about any products and services. That is why they subscribed to it. Had they wished to subscribe to a service offering only certain types of products and services, this was not the website for them.”
There is no meaningful comparison to this appeal, Mr. Metcalfe submitted, where individuals were using the primary websites to look for jobs.
The Commissioner submitted that, in light of the CJEU’s decisions in Planet49 and Orange Romania, the Commissioner’s requirement that direct marketers demonstrate each user’s consent “as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it” is hardly an exacting or an excessive standard.
The Commissioner relied in particular on the statement by the CJEU in Orange Romania that the data controller was required to:
“provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.”
It is submitted that the Commissioner’s guidance is entirely consistent with the requirement to provide users with “sufficiently detailed” information to understand the consequences of any consent they may give.
Mr. Metcalfe submitted that the EDPB guidance does not support JTT’s case.
Mr. Metcalfe highlighted paragraph 71 of the Commissioner’s guidance on direct marketing:
“The crucial consideration is that the individual must fully understand that their action will be taken as consent, and must fully understand exactly what they are consenting to. There must be a clear and prominent statement explaining that the action indicates consent to receive marketing messages from that organisation (including what method of communication it will use). Text hidden in a dense privacy policy or in ‘small print’ which is easy to miss would not be enough…”
Mr. Metcalfe also referred to p 30 of the Commissioner’s detailed guidance on direct marketing:
“specific and informed: Your request for consent must be prominent, in plain language and separate from your privacy information. It must clearly explain what the consent is for (e.g. to send direct marketing emails), who wants to rely on the consent (e.g. you or another organisation) and how people can withdraw consent;”
Mr Metcalfe submitted that any third party controllers who are going to rely on the direct marketing consent have to be identified at the point at which consent is given and it is not enough to rely on a list of sectors or a list of particular companies buried at the end of the privacy policy.
Mr. Metcalfe took us to the consent statement of Jobinaclick and submitted that there is no specificity, the third party controller is not identified and there is no detail of the purpose beyond ‘marketing activity’, no description of the type of processing and no indication as to how to withdraw consent.
Mr. Metcalfe submits that the consent statement is not saved by the reference to the privacy policy. The specific sectors are only identified at page 7 out of 12 and the list of business partners at page 9.
Mr Metcalfe submitted that the fact that there have been no complaints does not assist. He submitted that realistically anyone aggrieved will turn on the spam filter and click unsubscribe rather than complain to the Commissioner.
Mr Hopkins relied on the fact that half the individuals clicked the ‘opt in’ box. Mr. Metcalfe submitted that if consent is not properly informed it is not consent and it follows that every email then received is an invasion of privacy because it is unsolicited. It still causes distress even if it is not as serious as a more substantial breach of privacy.
Ground 2 – the Commissioner was entitled to issue the notices
JTT’s contravention involved sending out 107 million emails to 437,324 individuals in the space of little more than a year, in circumstances where it had failed to obtain their valid consent. It is submitted that a breach of such magnitude can hardly be described as “technical” or “marginal”.
Mr. Metcalfe submitted that the fact that JTT is dealing in such very large numbers is all the more reason why they need to take very particular care in making sure that the consent form conforms with the requirements.
It is submitted that JTT’s argument that it could not have known about the risk is simply fanciful: JTT has been active in direct marketing for over 10 years and must be taken to be aware not only of the law relating to the GDPR and PECR but also all applicable guidance (including the EDPB guidance it cites repeatedly without appearing to have read its contents). In this case, both the EDPB guidance and the Commissioner’s own PECR guidance made clear the need for specific and informed consent and, in failing to follow that guidance, JTT – an experienced operator in this field - evidently ran the risk of a breach occurring.
Mr. Metcalfe submitted that the new consent forms were not in place until 16 months after the events under consideration.
Ground 3 – the Commissioner’s decision to issue the notices involved a correct exercise of his discretion in each case
It is submitted that there has been no failure to follow the Commissioner’s own policies.
Mr. Metcalfe submits that it is unusual to suggest that the operating loss for a single year should somehow be determinative. There is no obvious reason why a penalty which falls to be paid in accordance with the regulations should be given less weight than the other costs of JTT’s business.
Mr. Metcalfe submits that it is for JTT to give evidence as to the broader financial picture. JTT made a profit the following year and in the year ending 2022. The penalty would be paid now, not in 2020.
The Commissioner took into account the fact that JTT had put in place new consents in December 2021, but was not satisfied that they were necessarily compliant. It was clear to the Commissioner that JTT’s conduct in the relevant period was in breach and that is what is material to the lawfulness and the exercise of the Commissioner’s discretion.
In relation to the parent company, Mr. Metcalfe submits that there is nothing to say why a parent company’s resources cannot be taken into account where JTT submits that a penalty would be terminal.
In relation to the assessment of the amount of the penalty Mr. Metcalfe submitted that the tribunal was entitled to take account of the financial position as it stands in April 2024.
In relation to the enforcement notice, Mr. Metcalfe submitted that JTT continued its operations under the original consent forms for a period of 16 months after it was first notified of the Commissioner’s investigation. Mr. Metcalfe submitted that it was entirely lawful for the Commissioner to issue an enforcement notice to spell out exactly what JTT has to do in order to meet the requirement. The Commissioner's view was that the additional consents and privacy policies were not necessarily compatible, and the enforcement notice can be a mechanism whereby the Commissioner can more swiftly take steps if there are any continuing breaches in the future.
Mr. Hopkins’ reply
When questioned by the Judge on the clarity of some of the wording in the consent statements and the privacy policies Mr. Hopkins accepted that it could be worded better but did not accept this was anywhere near a substantive problem of people not knowing what they were getting into.
Mr. Hopkins submitted that, factually, this appeal was much closer to Xerpla than Leave EU and Planet 49. He stated that the highest these cases go in terms of principles is that there is a relatively high bar for valid consent. They do not provide that there must, for example, be a list of opt in boxes listing every single person who might send you marketing communications.
Mr. Hopkins submitted that Leave EU does not say anything about the relevance of the number of complaints to seriousness or the exercise of discretion and therefore this can still be taken into account under grounds 2 and 3.
Mr. Hopkins noted that the detailed guidance referred to by the Commissioner dates from December 2022 so cannot be used as a pointer to what JTT ought to have known. In any event the general principles in that guidance are unproblematic. JTT were specific in the privacy policy that this was email marketing and listed every company that was going to send emails. The option to unsubscribe is contained in the emails. The Commissioner complains that the information appears in the ‘small print’. Mr Hopkins submits firstly that the online journey would look slightly different to the print out and in any event that the Commissioner is micromanaging exactly how he wants the notices to be laid out which is not permissible.
Mr. Hopkins submitted that the bottom line appeared to be that the Commissioner says that in order to be valid there has to be a list of every intended sender with a tick box next to each one. He submitted that is not what JTT does, nor what anyone does, nor what the law requires.
Mr. Hopkins drew the tribunal’s attention to the other financial information in the bundle. The yearly profit for the year ending 2022 was just less than £40,000. The accounts for 2020 include the figure for 2019. The details provided in the letter at p 127 show that the company did not have the cash reserves to pay the penalty.
Mr. Hopkins noted that Mr. Metcalfe had stated that the new versions of the consent statements were ‘not necessarily compliant’. Mr. Hopkins stated that JTT had never been told what was wrong with the new versions.
It is submitted that the idea of the enforcement notice being used expressly to enable the Commissioner to punish JTT for future infractions illustrates why it should not be in force. An enforcement notice cannot simply say that JTT should comply with the law, they are obliged to do that in any event. The enforcement notice has to specify what practice needs to change and what JTT must do to avoid potential future sanctions.
Discussion and conclusions
We undertake a full merits review, although we accord due respect to the Commissioner as regulator.
GROUND 1: JTT did not contravene regulation 22 PECR as alleged by the Commissioner
Overarching issues in relation to breach
Whilst we have needed to examine the wording of the consent statements and privacy policies in detail, we do not accept that this is ‘micro-managing’ the exact way in which the information is presented.
Information does not need to be presented in a particular way, but the Controller must ‘provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed.’ (para 40 Orange Romania)
We accept that data protection legislation must be construed purposively and not mechanically. Mr. Hopkins referred us to recital 40 to Directive 2002/58/EC which reads:
“(40) Safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages. These forms of unsolicited commercial communications may on the one hand be relatively easy and cheap to send and on the other may impose a burden and/or cost on the recipient. Moreover, in some cases their volume may also cause difficulties for electronic communications networks and terminal equipment. For such forms of unsolicited communications for direct marketing, it is justified to require that prior explicit consent of the recipients is obtained before such communications are addressed to them. The single market requires a harmonised approach to ensure simple, Community-wide rules for businesses and users.”
Mr. Hopkins submitted that the notion that unsolicited emails might impose a burden and/or cost on the recipient was somewhat out of date. We note that the ECJ in Pegnitz (Case C-102/20 StWL Städtische Werke Lauf a.d Pegnitz Gmbh v Eprimo Gmbh [2022] 2 C.M.L.R. 21), which was decided in 2021, proceeded on the basis that unsolicited emails (spam) did impose a burden. An individual is only able to free the space to see all their exclusively private emails after they have checked the content of the unsolicited email and actively deleted it (paragraph 41 Pegnitz).
We agree with the Advocate General’s opinion in Pegnitz at paragraph 57 that unsolicited emails do amount to an invasion of privacy because users regard their private email inbox as coming within their private sphere. Thus we do not accept that there is no meaningful invasion of privacy where those emails are unsolicited and prior consent, as defined, has not been obtained.
We accept that whether consent is informed has to be construed in context. Mr. Hopkins submitted that there was a strong resonance between this case and Xerpla. That case concerned consent given on a discounts/deals website where subscribers could be sent third party offers about any products and services.
That is very different to the websites in this appeal which are either (a) a website that provides assistance with searching for jobs or (b) in the case of Savingdirect a website for finding the best quote for solar panel installation. Unlike subscribers in Xerpla those who register on a jobs website or a solar panel installation quote website are not registering in order to be sent third party offers about any products and services. They are registering specifically for assistance with job searches or for getting the best quote for solar panel installation. That is the context in which we must construe whether or not the consent was informed.
We have taken care not to apply any gloss, and certainly no ‘gold-standard’ gloss to the terms “specific” and “informed”. We have interpreted them in the light of the statute, the case law and, where appropriate, the EDPB guidance.
We do not accept that any information contained in the emails themselves is relevant to the question of whether the prior consent was informed or specific.
The changes made after the relevant period are not relevant to the question of whether or not there was a contravention of PECR in the relevant period.
The fact that no complaints were made is not, we find, relevant to the question of whether or not there has been a breach of PECR. As the Upper Tribunal stated at paragraph 54 of Leave.EU, ‘the volume of complaints cannot be a reliable let alone determinative metric for deciding whether there has been a PECR breach, given that subscribers have easier default options than lodging a formal complaint with the Commissioner’.
Did JTT contravene regulation 22 of PECR between 1 August 2019 and 19 August 2020?
Between 1 August 2019 and 19 August 2020 JTT sent approximately 107 marketing communications by email, either on its own behalf or on behalf of other organisations, to 437,324 recipients who had provided JTT with their email addresses via one of five websites.
These were unsolicited communications. Under regulation 22 PECR such emails can only be sent if the recipient of the electronic mail has previously notified JTT that ‘he consents for the time being to such communications being sent’ by JTT.
For the purposes of regulation 22, consent is defined in article 4(11) GDPR as follows:
“’consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”
We accept that the Commissioner did not base the MPN or the EN on the grounds that the consent was not ‘freely given’ or ‘unambiguous’, and the parties’ focus, and thus ours, is primarily on whether the consent was specific and informed. However, there is significant overlap between the different elements, and a number of factors that would be relevant to whether consent was freely given and unambiguous will also be relevant to whether consent was, in particular, informed. The fact that recipients of emails ‘voluntarily signed up’ for such emails does not carry weight if they did not sign up on an informed basis.
We accept Mr. Hopkins’ submission, which he based to a large extent on the EDPB guidelines, that consent has to be specific as to purpose. At paragraph 58 of Planet 49 the Court of Justice ruled that “the indication of the data subject’s wishes referred to in Article 2(h) of Directive 95/46 must, inter alia, be ‘specific’ in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject’s wishes for other purposes”.
The purpose for which personal data is collected must, under article 5(1)(b) GDPR, be ‘specified, explicit and legitimate’. ‘Specified’ implies that the purpose of the collection must be clearly and specifically identified. The purpose has to be defined sufficiently precisely and specifically, because it enables the assessment of, for example, whether further processing is for compatible purposes, and in order to apply other GDPR requirements including, for example, the adequacy, relevance and proportionality of the data collected. (Footnote: 1)
Thus, the purpose has to be sufficiently defined to delimit the scope of the processing operation. The EDPB quotes p 17 of the Article 29 Working Party Opinion 3/2013 on purpose limitation of 2 April 2013 (WP29 Opinion 3/2013) at FN30 of its guidance on consent: “For these reasons, a purpose that is vague or general, such as for instance ‘improving users’ experience’, ‘marketing purposes’, ‘IT-security purposes’ or ‘future research’ will - without more detail – usually not meet the criteria of being ‘specific’”.
Consent also has to be informed. In Planet49 the Court agreed with the Advocate General that clear and comprehensive information (as required by Article 5(3) of the 2002 Directive) “implies that a user must be in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed” (CJEU judgment at paragraph 74).
The Court reaffirmed the passage from Planet49 at paragraph 74 in Orange Romania at paragraph 40:
“As regards the requirement arising from Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679 that consent must be ‘informed’, that requirement implies, in accordance with Article 10 of that directive, read in the light of recital 38 thereof, and with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed (see, by analogy, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 74).”
Jobsearch
Turning to the question of whether or not JTT had obtained consent under regulation 22, we look first at the two Jobsearch consent statements:
I agree with Marketing Activity
Yes No
I agree with 3rd parties policy
Yes No
We refer to the marketing activity consent statement as ‘the first consent statement’ and the 3rd parties policy consent statement as ‘the second consent statement’.
The first consent statement – marketing activity
The first consent statement does not contain any indication of what marketing activity might be carried out. The stated purpose of ‘Marketing Activity’ is too vague to be a specified purpose within the GDPR and accordingly the consent is not specific. There is no indication of who will be carrying out the marketing activity or whether the controller is JTT or third parties or both. There is no indication that the marketing activity will include communication by email. The consent statement does not show that the data subject had consented to ‘such communications’ as required by regulation 22 of PECR.
Mr. Hopkins asks us to consider the consent statement in conjunction with the privacy policy. The privacy policy is not hyperlinked from the first consent statement, but is hyperlinked from a number of other places.
There is a third consent statement on the page, which was not referred to in this appeal, which allows the data subject to tick a yes or no box in relation to receiving marketing from Trades Courses. That consent statement contains a hyperlink to the privacy policy as follows: ‘By selecting yes, you consent to Trades Courses sending you marketing about their products/services that are relevant to you. You can unsubscribe at any time. Read the Privacy Policy to find out more. Thank you! Read.’
The hyperlink to the privacy policy is also at the bottom of the page, above a button labelled ‘Register’ in the following statement: ‘By entering you agree to our privacy policy, and to receive communications by email, phone & sms from Jobsearch’. The ordinary meaning of ‘entering’ would be entering a website. In this context it might also be construed to mean ‘clicking the register button’. What it cannot sensibly mean is ‘By clicking yes to the first of three different consent statements above’.
It would have been apparent to anyone considering selecting ‘yes’ in relation to marketing from Trades Courses and to anyone wondering what the consequences of registration were that more information could be found in the privacy policy.
In contrast it is not made clear to the data subject wondering whether or not to click ‘yes’ or ‘no’ to ‘marketing activity’ that there is another information layer applicable to that particular consent statement.
In any event, whilst a layered way of presenting information can be appropriate, the first layer in JTT’s first consent statement does not even specify the purpose of the processing or the identity of the controller. Particularly in the light of the lack of clarity as to where further information in relation to this particular consent statement could be found, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give.
We note the following passage from FN42 to the EDPB guidance:
“Note that when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent, unless the data controller can show that the data subject in question accessed that information prior to giving consent.”
In addition, although we accept JTT’s evidence that it was not necessary to tick ‘yes’ to the first consent statement to register, and that registration alone provided access to job bulletin emails, this is not clear from the registration and welcome pages.
At no point was the data subject informed that receiving job related emails was not conditional upon giving consent to marketing activity.
We agree with the Advocate General in Planet49 when he gave his opinion at paragraph 67 that, in relation to the obligation to inform, “it must be made crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent. A user must be in a position to assess to what extent he is prepared to give his data in order to pursue his activity on the internet. There must be no room for any ambiguity whatsoever. A user must know whether and, if so, to what extent his giving of consent has a bearing on the pursuit of his activity on the internet.”
JTT’s welcome page and registration page are, at best, ambiguous as to whether it is possible to register without consenting to marketing activity. The bottom of the registration form states clearly that ‘by entering’ you agree to our privacy policy and to receive communications by email, phone and sms from Jobsearch. Further information is provided in a ‘notice’ on a page headed ‘Welcome to Jobsearch’. This page states ‘By registering with JobSearch you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means.’ It is not at all clear that registering to receive job related emails is separate to agreeing to marketing activity.
Read as a whole, particularly given the use of the broad phrase ‘marketing activity’ we find that data subjects might well form the view from the first information layer that receiving job emails or registering to receive such emails was conditional on ticking ‘yes’ to marketing activity. It is not clear that separate consent can be given to those separate purposes.
Even if a data subject understands that further information is available in the privacy policy, we are not satisfied for the following reasons that the consent statement, considered in conjunction with the privacy policy, meets the requirements of regulation 22.
First, it is not clear from the policy what a data subject is separately consenting to by clicking the ‘yes’ box to marketing activity. As set out above, data subjects are informed that by ‘entering’ (presumably registering or using the website) they have agreed to the privacy policy, and to receive communications by email, phone & sms from Jobsearch. They are also informed that by registering with Jobsearch they have permitted Jobsearch the right to pass some or all of their information to third parties who may send them marketing material via email, SMS or other means.
The nature of the communications that are sent to those who simply ‘register’ without opting in to marketing (whether job alerts or otherwise) is not made clear in the privacy policy, and therefore the additional communications that are covered by the separate consent tick box are unclear.
For example, the privacy policy sets out on the first page that it ‘describes how Join The Triboo Ltd, will use the information that you provide to it (whether by completing the registration form or using its website job-search.online’). It does not identify which purposes are related to which consent statement and which arise purely from filling in the registration form or using the website.
The privacy policy creates further confusion as to whether it is possible to register without agreeing to marketing activity.
For example, under ‘your personal information’ the policy states that personal information is collected ‘when you register with us’ and that ‘We use this information for directing advertising campaigns’ and that ‘Once you register with us and agree to the terms and conditions of this Privacy Policy that govern how your information will be processed, you will not be anonymous to us and our partners and clients and will become of our users’.
Under ‘disclosure of personal information’ the policy states ‘By registering with us you permit us or our partners or clients to use such information that you provide to alert you to a range of promotions etc..’ and ‘When you register with us you consent to us sending personally identifiable information about you to our partners or our clients and in particular we may” share, rent or sell such information for marketing purposes… send the information to our partners or clients who work with us for marketing purposes’.
It also states, under ‘Your acceptance of these terms’, ‘By using this site you consent to the collection and use of this information by use and to our privacy policy’.
Under the heading ‘Data Sharing’ the privacy policy states ‘Following explicit consent in the registration form Triboo may share you email address and job-related preferences with vendors that they use to send them email job alerts’. It is unclear which consent statement in the registration form is intended to apply to the sending of job alerts.
Finally, the heading ‘Opting-out (Deregistration)’ follows a table setting out the list of Commercial Purposes, referred to above, which includes technical administration of the web site, research and development, customer administration, marketing and trading in personal data. Under the ‘Opting out (Deregistration)’ heading the privacy policy states:
“Should you wish to opt out of your data being used for these purposes, please unsubscribe.
The consequences of deregistration are that your account details will be placed in a suppression file and you will not receive any further communications from job-search online. Every email that job-search.online sends contains a link to unsubscribe.”
This opt-out paragraph creates the clear impression that registration and consent to marketing and trading in personal data are intrinsically linked. By opting out from marketing, data subjects are told that they will not receive any further communications from Jobsearch.
Even having read the privacy policy we find that data subjects might well form the view that receiving job emails or registering to receive such emails was conditional on ticking ‘yes’ to marketing activity. It is not clear that separate consent can be given to those separate purposes.
Mr. Hopkins argued that the fact that over the relevant period around 56% of those registering ticked the boxes saying yes, suggests that people could and did exercise a genuine choice and understood what they would receive. He said that the fact that around half said yes and half said no does not support the impression that this was skewed to trick people into signing up for things they didn’t understand by default.
We accept that those that said ‘no’ (around 44%) presumably did not form the view that receiving job emails or registering to receive such job emails was conditional on ticking ‘yes’. However, in relation to those that said ‘yes’, we do not know what their understanding was. For the reasons set out above, we find that the information provided to them was not clear enough on this issue to make such consent informed consent.
Further, it is not clear from the privacy policy which parts apply to the first consent statement (as opposed to those parts that are consented to by ‘registering’ or ‘using the site’ or ticking the ‘3rd parties policy’ box or agreeing to the privacy policy by ‘entering’ or by ticking the Trades Courses box). Accordingly, it is not clear which purposes set out in the policy have been consented to by agreeing to the first consent statement. As a result, it is not clear who will be carrying out marketing activity that has been consented to and it is not clear what type of marketing activity is covered. On that basis we are not satisfied that the consent is informed or specific.
If we are wrong about this, and in the alternative, if it is adequately clear that references to ‘marketing activities’ included all marketing activity in the privacy policy, we find that the bundle of purposes included in the policy is too broad and too vague to be a specified purpose within the GDPR and accordingly the consent is not specific.
The start of the policy states that JTT carry out ‘marketing activities’ for ‘third parties (who may operate in any business sector) and are referred to in this Privacy Policy as Our Business Partners and Clients’. Those ‘marketing activities’ are said to be ‘web publicity display, e-mail marketing and mobile marketing services to promote a wide range of products and services and client recruitment campaigns through the internet and affiliate marketing’.
‘Marketing Activities’ is defined differently later in the policy in the context of third parties as ‘the communication directly to particular individuals by e-mail, post, telephone or sms of any advertising or marketing material in response of any product or service from us, our partners or clients’. The purpose of ‘Marketing activities’ is thus extremely broad and non-specific, including direct marketing by JTT and others, by a variety of means and also the undefined purpose of ‘client recruitment campaigns’.
We find for all the reasons set out above that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.
We conclude that the consent given by agreeing to the first consent statement was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.
The second consent statement – 3rd parties policy
The second consent statement states ‘I agree with 3rd parties policy’. The wording ‘3rd parties policy’ is hyperlinked to the privacy policy.
We do not accept that ticking this box amounts to ‘informed consent’. First, whilst a layered way of presenting information can be appropriate, the first layer in JTT’s second consent statement does not even specify the purpose of the processing or the identity of the controller. Particularly in the light of the confusing nature of the information that is provided in the second information layer, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give. We have already set out the relevant passage from FN42 to the EDPB guidance.
Further, and in any event, clicking on the link does not lead to a ‘3rd parties policy’. It leads to the privacy policy. This is confusing and may well lead data subjects to assume that the link is not working.
Even if a data subject scrolled down to attempt to find the ‘3rd parties policy’ there is no section headed ‘3rd parties policy’. The first substantive reference to third parties is a reference to the placing of cookies by LiveRamp and its group companies. A reader might assume that this is the ‘3rd parties policy’ to which they are agreeing.
As the 3rd parties policy tick box is separate to the ‘marketing activity’, a data subject might assume that the second consent statement is not a consent to marketing activity. They might assume that it is, for example, consent to emails from third parties containing job opportunities. Because there is no separate ‘3rd parties policy’ or explanation of what this separate consent means, even if the data subject clicks on the hyperlink it is not possible for the data subject to identify easily the consequences of any consent he or she might give. On this basis we find that the consent is not informed.
Further, the purpose for which consent is given via this tick box is not specified and therefore the consent is not specific. First, as set out above, the ‘3rd parties policy’ does not exist, either as a separate document or as a separate section within the privacy policy. It is accordingly not possible to identify the purpose for which consent is given.
Second, the sections which refer to the use of data by third parties in the privacy policy include purposes as wide as ‘any Commercial Purpose including marketing activities’ (p 324). There is a table within the privacy policy that lists purposes that are referred to in the policy as ‘Commercial Purposes’, this includes research and development, marketing and trading in personal data. This bundle of purposes is too broad and too vague to be a specified purpose within the GDPR and accordingly the consent is not specific.
Finally there is confusion in relation to whether it is possible to register without agreeing to the ‘3rd parties policy’ in the way that is set out in detail above in relation to the first consent statement.
We find for the reasons set out above that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.
We conclude that the consent given by agreeing to the second consent statement was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.
Jobinaclick and Findajob
The above reasoning deals with the Jobsearch consent statement and privacy policy. The reasoning and conclusions apply equally to Jobinaclick. The minor difference in the wording of the consent statement on the Findajob website does not affect our conclusions and thus the reasoning and conclusions also apply to Findajob.
Job4you
The original consent statement for Job4you states:
Agree to receive offers by email from job4you, on behalf of selected companies (https://uk.job4you.website/registration/index.php?module=site&method=privacy) that we believe will be of interest to you. These companies are within the following categories: Automotive, Retail, Finance, Insurance or General.
Yes No
Agree that job4you partners (https://uk.job4you.website/registration/index.php?module=site&method=privacy) may contact you with more interesting offers by email or telephone. You can opt-out of these communications at any time.
Yes No
The registration page ends with a slightly different statement to the Jobsearch page:
By clicking register you confirm that you have read and agreed to Job4you Privacy Policy.
(https://uk.job4you.website/registration/index.php?module=site&method=privacy)
The ‘welcome page’ is similar to that for Jobsearch. It also provides that:
“By registering with Job4you you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions.”
The original privacy policy for Job4you is in the bundle, but it is too small to read. We assume that it is materially identical to the privacy policies for the other jobs websites.
Much of our reasoning set out above applies equally to the Job4you statement, particularly because the privacy policy is the same.
Certain elements of our reasoning do not apply in the case of the Job4you consent statements because the wording of the consent statements is different. The consent statements attempt to set out the purposes with more specificity. They contain specific reference to emails. Both contain a link to the privacy policy.
The first consent statement specifies that the agreement is to receive offers by email from job4you on behalf of selected companies that job4you believes will be of interest to the data subject within the following categories: automotive, retail, finance, insurance or general. The statement contains a link to the privacy policy after the words ‘selected companies’.
The second consent statement specifies that the agreement is that job4you partners ‘may contact you with more interesting offers’ by email or telephone. The statement also includes a link to the privacy policy after the words ‘partners’.
Whilst ‘offers’ could be read as referring to marketing activity, in the context of registering for a jobs website, we do not accept that the data subject can identify easily the consequences of any consent he or she might give from this statement. Neither statement mentions advertising or marketing. It is not clear from the consent statement that the consent extends beyond ‘offers’ relevant to the data subject’s job search.
Further, even if it is understood to refer to marketing offers, there is insufficient information to allow the data subject to identify easily the consequences of any consent he or she might give. The categories of companies are meaningless because they include the catch all category ‘general’. JTT, the controller of the data, is not identified. The privacy policy, for all the reasons set out above, is confusing.
The confusion as to what consent is given by registering/entering the website remains, because of the wording of the registration form, on the welcome page and in the privacy policy. It remains unclear which parts of the privacy policy apply separately to the first consent statement (as opposed to those parts that are consented to by ‘registering’ or ‘using the site’ or agreeing to the privacy policy or by ‘entering’ or by ticking the Trades Courses box). The bundle of purposes set out in the privacy policy is, for the reasons set out above, too vague and broad to be a specified purpose. There is confusion in relation to whether it is possible to register without giving consent for the reasons set out above.
We find for those reasons, along with those set out in relation to Jobsearch where relevant, that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.
We conclude that the consent given by agreeing to the consent statements on the Job4you website was not informed or specific and accordingly that the recipients of the marketing emails sent by JTT on behalf of third parties had not previously notified JTT that they consented for the time being to such communications being sent by JTT.
SavingDirect
In relation to SavingDirect the consent statements are embedded in a box entitled ‘Request a free quote’ and the final button reads ‘Request a callback’. There is no reference to marketing in the first consent statement which merely states ‘I agree to receive communications by email, phone and sms from Saving Direct’. The second consent statement refers to ‘information & offers by email, phone, sms & post from 3rd parties’.
Looked at in the context of the webpage, it is not clear that the consents are to anything other than receiving the requested ‘no obligation quotes’. There is no reference to JTT and no reference to the purpose of direct marketing. On that basis, particularly in the light of the confusing nature of the information that is provided in the privacy policy, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give.
Although both consent statements include an ‘I agree’ and ‘I do not agree’ box, they both begin with the wording ‘By entering you agree to…’. The statement at the end of the ‘request a free quote’ box reads ‘By entering you agree to our to Privacy Policy and Terms and Conditions’. As with the jobs websites it is not clear that it is possible to consent separately to being contacted about the ‘no obligation quote’ as opposed to the broad range of marketing communications referred to in the privacy policy, many of which bear no relation to solar panel installations. The privacy policy contains much of the same wording in this regard set out above in relation to Jobsearch.
It remains unclear which parts of the privacy policy apply separately to the first consent statement (as opposed to those parts that are consented to by ‘entering’ or by agreeing to the second consent statement). The bundle of purposes set out in the privacy policy is, for the reasons set out above, too vague and broad to be a specified purpose.
We find for those reasons, along with those set out in relation to Jobsearch where relevant, that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.
We conclude that the consent given by agreeing to the consent statements on the SavingDirect website was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.
Conclusions on ground 1
For all of those reasons, we are not satisfied that the recipients of the emails sent by JTT had previously notified JTT that they consented to such communications being sent by JTT. On that basis, we find that JTT was in breach of regulation 22 of PECR in that it sent approximately 107 million marketing communications by email, either on its own behalf or on behalf of other organisations, to 437,324 recipients between 1 August 2019 and 19 August 2020.
Although our reasons differ in some aspects to the Commissioner’s, we agree that the consent was not specific or informed and therefore this ground of appeal does not succeed.
GROUND TWO: Even if it did contravene regulation 22 PECR, the MPN and EN could not have been issued because other statutory preconditions were absent.
The statutory preconditions for issuing a MPN are that the breach is serious and that the controller knew or ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention.
Was the breach serious?
Mr. Hopkins argued that any breaches that we find can be categorised as ‘marginal and technical’ and are based on differing views as to the required standards for ‘specific’ and ‘informed’.
The case law gives clear guidance on the standards required and we have applied that, assisted by the EDPB guidance, to the facts.
On the Jobsearch website, the controller and the specific purpose are not provided in the first layer of information. The EDPB guidance was relied on by JTT. That guidance expressly states that ‘marketing purposes’ will - without more detail – usually not meet the criteria of being ‘specific’ and that when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent.
The EDPB guidance is not law, but it is a good indication of how the Commissioner or the tribunal is likely to interpret the GDPR and PECR.
JTT’s privacy policy is poorly signposted. It is confusing. Statements on the website and in the privacy policy contradict JTT’s position that registration alone is not treated as consent to direct marketing. It is impossible to identify which purposes relate to which specific consents.
In those circumstances the breaches cannot be categorised as ‘marginal and technical’. We do not accept that there is any genuine doubt or uncertainty as to whether there was a contravention of PECR. We do not accept that the breaches are based on differing views as to the required standards for ‘specific’ and ‘informed’.
We understand that the nature of JTT’s business is the sending of large numbers of direct marketing emails. Therefore, if it does not obtain consent, the number of emails in breach of PECR sent will necessarily be large. The fact that the number of emails sent is not surprising, does not, in our view, affect the impact of that number on the seriousness of the breach. 107 million marketing communications to 437,324 recipients in one year is a serious number, and we take that as a starting point.
In terms of the impact on individuals, we do not need to find damage or distress. We do take account of the fact that unsolicited direct marketing by email is a burden and an invasion of privacy. It intrudes into the private sphere of an individual’s inbox which is for private correspondence. ‘Spam’ filters are not always effective. Marketing emails take up storage space. They take up physical space on the display and have to be checked and deleted to make way for private correspondence.
The fact that any individual who received an email had clicked a ‘yes’ box, does not reduce the burden or invasion of privacy in circumstances where we have found that they were not properly informed about what they were agreeing to receive.
We accept that this is not a case where the controller has sent repeated emails after an opt out. We accept that the emails, when they are sent, identify JTT and give a number of opt-out options. Further, we accept that in fact registering is not conditional on signing up to marketing activity, albeit that this is not made clear to the data subject. These are factors that are relevant to the level of seriousness, but in our view taken along with the other matters dealt with in this section do not mean that the breach is not serious.
The fact that there have been no complaints is of limited assistance in assessing the seriousness of the breach. As the Upper Tribunal noted at paragraph 54 of Leave.EU, recipients of unwanted emails have easier default options than lodging a formal complaint with the Commissioner. For example, JTT provided an opt-out button in the emails, some email providers have a ‘report as spam’ button or recipients can simply delete the email. Nonetheless we accept that this does have some relevance to our assessment of seriousness. People do make complaints to the Commissioner, and if there had been a large number of complaints we would have taken that into account as an indication of an even more serious problem. The lack of complaints is therefore a small but significant factor when assessing seriousness.
Taking account of all the matters set out above, we find that sending approximately 107 million marketing communications to 437,324 recipients in one year without having obtained prior consent is a serious breach of PECR.
Did JTT know or ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention?
It is accepted that the contravention was not deliberate.
We do not accept that the law is unclear, as set out above. The relevant parts of the EDPB guidance are set out above. The judgment in Planet49 is dated 1 October 2019. The Commissioner has produced a number of guidance documents which are relevant to consent.
JTT’s business was the sending of large numbers of direct marketing emails either on its own behalf or others, via personal data obtained through websites offering unrelated services helping people find jobs or obtain solar panel quotes.
In those circumstances such a business should have been fully aware of the risk that consent statements and privacy policies of the type used on these five websites presented at least a risk of a contravention of PECR.
We do not accept that the approach to consent taken by JTT was reasonable. This is clear from our reasoning on why the consent was neither specific nor informed.
For those reasons we find that JTT ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention.
Conclusions on ground 2
We find that the statutory preconditions for issuing a monetary penalty notice were present in that the breach was serious and JTT ought to have known that there was a risk that the contravention would occur but failed to take reasonable steps to prevent the contravention.
There are no statutory preconditions for issuing an EN other than that the Commissioner must be satisfied that a person has contravened or is contravening any of the requirements of PECR. There is no basis upon which we could, as argued by Mr. Hopkins, read into section 40(1) DPA 1998 additional requirements that the alleged contravention is (i) sufficiently recent, and (ii) risks being repeated.
For the reasons set out above we have concluded that JTT has contravened regulation 22 of PECR. The statutory precondition for issuing the Enforcement Notice is accordingly present.
In summary, whilst our reasoning differs to some extent from the Commissioner’s, we agree that the statutory preconditions were met and therefore this ground of appeal does not succeed.
GROUND 3: Was it appropriate to issue a MPN and/or an EN and, in the case of the MPN, in what amount?
The MPN
Once the statutory preconditions are met, the Commissioner must determine (a) whether it is appropriate to issue a MPN and (b) if so, the amount of the MPN.
Article 15a(1) of the 2002 Directive, as amended provides:
“Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.”
We note that article 15a(1) explicitly recognises that penalties may be applied to cover the period of any breach, even where the breach has subsequently been rectified.
The RAP at pages 23-24 sets out the factors that the Commissioner will consider when deciding whether to impose a penalty and the amount of the penalty. These include:
the nature, gravity and duration of the failure
the intentional character of the failure or the extent of negligence involved
any action taken to mitigate damage or distress
the degree of responsibility of the controller
any relevant previous failures
the degree of cooperation with the Commissioner, in order to remedy the failure and mitigate the possible adverse risks of the failure
the categories of personal data affected
how the Commissioner became aware of the infringement including whether, and if so to what extent, the controller notified the Commissioner of the failure
other aggravating or mitigating factors, including financial benefits gained as a result of the failure
whether the penalty would be effective, proportionate and dissuasive.
Although these factors are a useful indicator of the relevant factors, the requirement is that the Commissioner exercise his powers in accordance with the statutory framework and there is nothing in the RAP that precludes him from so acting. As the Upper Tribunal said in Leave.EU at paragraph 104, ‘Guidance cannot fetter discretion, so expecting it to be too prescriptive or interpreting it as if it were is not permissible’.
The factors set out in section 108(2)(b) of the Deregulation Act 2015 are also relevant, including the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business, and the likely impact of the proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses.
We have had regard to all the above factors, where relevant.
In particular, we note that JTT have maintained throughout the Commissioner’s investigation and throughout the tribunal process that the original consent statements were not in breach of PECR. Although JTT amended their consent statements and privacy policies from, at the latest, December 2021, this was after a significant period of time had passed and they did so explicitly on the basis that they maintained that the original consent statements were compliant. This is not a case where the organisation acknowledges the breach at an early stage and takes steps to remedy the failure.
In any event, although some improvements have been made, we are not satisfied that the new consent statements (i.e. those introduced at the latest in December 2021) were compliant with regulation 22 PECR.
We note that the first information layer does now name the controller (Join the Triboo) and includes reference to emails, but it still only includes the non-specific broad ‘marketing purposes’. The welcome page is the same, so is the statement at the bottom of the registration page that ‘by entering’ you agree to our privacy policy. Although the privacy policy is hyperlinked from the bundle, we have not been provided with copies in the bundle and therefore we do not know how the content of the privacy policies differed in December 2021. For those reasons we are not satisfied, on the evidence before us, that JTT had remedied the issues in relation to specificity and information that we have identified in our section on breaches above.
We take account of the fact that awarding a penalty would have deterrent effect in relation to businesses engaging in similar practices, and would reinforce the need to ensure that consent is specific and informed.
The fact that there are no complaints, is of some relevance. If there had been a large number of complaints we would have seen this as evidence of a very significant level of intrusion into people’s privacy, which would have been an aggravating factor. That is not present in this case. However, as was made clear in Leave.EU, there are easier options than complaining to the Commissioner, and therefore an absence of complaints does not lead us to conclude that there was no burden or invasion of privacy for the individuals receiving unsolicited marketing emails.
We have taken account of the nature and gravity of the failure. The nature of the failings in the consent statements and privacy policies is clear from our detailed consideration of the consent statements and privacy policies above. A serious and significant number of emails were sent without proper consent over a year, each of which carries with them a small but significant intrusion into the private sphere of each individual, and a small but significant burden as a result of having to take action in relation to each of those emails.
We have also taken account of the matters considered under seriousness above.
In our view, taking all those factors into account, it is proportionate to issue a monetary penalty, applying proportionality in the sense that a fair balance has been struck between means and ends.
Looked at in the round, we agree with the Commissioner that it was appropriate to issue a monetary penalty notice in this case.
In terms of the amount of penalty, many of the considerations considered above in relation to (a) the statutory criteria and (b) whether the MPN should be issued are relevant to the amount of penalty. We have taken all the factors set out above into account.
We have also taken particular account of the financial impact on JTT.
When considering the financial impact on JTT it is appropriate to take into account the current financial position of JTT, given that the penalty will have to be paid now.
We take account of the fact that with a revenue of around £1-1.5 million this is a comparatively small enterprise and that it has no cash reserves and a negative bank balance. Further we note that the company made significant operating losses in 2019 and 2020. Since 2020 the amount of profit made by the business has increased every year. In 2021 the company made a small profit of £9,715. In 2022 the company made a profit of £36,014.
In relation to Mr. Hopkins’ submission that a fine of £130,000 would be terminal to JTT, we note that even if JTT’s profits do not continue their upward trajectory, and even if expenditure remains the same, after paying the fine JTT would make an operating loss of about £93,000. This is much lower than the operating losses made in 2019 and 2020 which were not terminal for the business.
Further, we find that the resources of JTT’s parent company can properly be taken into account in the light of the following statement that appears in JTT’s accounts for the year ended 31 December 2022 on Companies House:
The directors have considered the use of the going concern basis for the financial statements and have confirmed this is appropriate. It is fully expected that the company will continue to trade for at least twelve months from the date of these financial statements and has guaranteed support of its parent company to do so.
By analogy with R v NPS London [2019] EWCA Crim 228, in our view it is proper to have regard to the likely provision of funds by the parent company of the group, Triboo SpA, given the guaranteed support set out in JTT’s most recent published accounts and the fact that the parent company has market capitalisation in excess of €20 million.
For all those reasons, we are not persuaded that the fine would be terminal to JTT.
Looked at as a whole, taking into account the circumstances and seriousness of the contravention, and all the other factors set out above, we consider that the fine of £130,000 was proportionate in the sense that a fair balance has been struck between means and ends.
For the reasons set out above, ground 3 of the appeal fails in relation to the MPN.
Was it appropriate to issue an enforcement notice?
As any enforcement notice will be forward looking, we have concluded that it is appropriate to consider the current consent statements and privacy policies operated by JTT, before determining this issue. The Judge has issued a separate case management order requiring JTT to provide the current consent statements and privacy policies and allowing the parties to provide written submissions on this issue. The parties have also been asked to indicate if they consent to the remaining issue being dealt with on the papers.
Signed SOPHIE BUCKLEY Date: 2 May 2024
Judge of the First-tier Tribunal
OPEN ANNEX
Relevant extracts from the Jobsearch privacy policy
“Modern information and communication technologies play a fundamental role in the activities of an organization like Join The Triboo Ltd. We are a web services provider based in the United Kingdom.
Our principal activities are:
• web publicity display, e-mail marketing and mobile marketing services to promote a wide range of products and services.
• client recruitment campaigns through the internet and affiliate marketing.
We carry out such marketing activities for third parties (who may operate in any business sector) and are referred to in this Privacy Policy as Our Business Partners and Clients.
This privacy policy describes how Join The Triboo Ltd. will use the information that you provide to it (whether by completing the registration form or using its website, jobsearch.online
…
Providing Visitors with Anonymous Access
You can access our Web site home page and browse our site without disclosing any personal data.
…
Data Collection and Purpose Specification
We collect the personal data that you may volunteer while using our services.
…
To access the table of personal data types collected and purposes for which they are used, go to the end of the page. Please note that any purposes listed in the table below are referred to in this Privacy Policy as Commercial Purposes.
We do not collect or use personal data for any purpose other than those referred to in the table below. If we wish to use your personal data for a new purpose, we will give you the opportunity to consent to this new purpose: by indicating in a box at the point on the site where personal data is collected.
…
Your personal information
When you register with us we ask for personal information such as your name, date of birth, contact details, and other details listed in the table below. We use this information for directing advertising campaigns, but never to process, or aid the process of, job applications. Your gender and date of birth information will always remain confidential to any recruiters or employment companies that we work with.
When you are registering with us it is not until you click the Sign Up or "Register" button that your information is transferred.
Once you register with us and agree to the terms and conditions of this Privacy Policy that govern how your information will be processed, you will not be anonymous to us and our partners and clients and will become one of our users.
…
Disclosure of personal information
With your consent, we may share, rent and sell your personal data or sell or rent our entire database to our partners and clients in any sector for any Commercial Purpose including marketing activities. By marketing activities, we mean the communication directly to particular individuals by e-mail, post, telephone or sms of any advertising or marketing material in respect of any product or service from us, our partners or clients.
By registering with us, you acknowledge that we will not process any job application or submit any information on your behalf to any recruiter in respect of any job. You will have sole responsibility for your application in respect of any job vacancy.
If you subsequently decide you no longer wish to receive direct marketing/information from us, or no longer wish us to pass your information to third parties you should notify us accordingly by e-mail to: privacyuk@triboo.com
By registering with us you permit us or our partners or clients to use such information that you provide to alert you to a range of promotions and competitions in respect of any products or services. We may contact you regarding site changes or changes to such products or services that you use.
When you register with us you consent to us sending personally identifiable information about you to our partners or our clients and in particular we may:
• share, rent or sell such information for marketing purposes;
• share your information with third parties as required to provide the service or the product you have requested;
• send the information to our partners or clients who work with us for marketing purposes;
• respond to subpoenas, court orders or legal process;
…
Your acceptance of these terms
By using this site, you consent to the collection and use of this information by us and to our privacy policy. If we change our privacy policy in any way, we will post these changes on this page.
…
TABLE of personal data collected and purposes for which they are used
Primary personal data/Business information
x volunteered by each visitor
Primary personal data | Technical administration of the Web site | Research & Development | Customer Administration | Marketing | Trading in personal data
Name | X | X | X | X | X
Gender | X | X | X | X | X
Address | X | X | X | X | X
E-mail address | X | X | X | X | X
Phone/Fax number | X | X | X | X | X
CV | X | X | X | X | X
…
Data Sharing
Following explicit consent in the registration form Triboo may share your email address and job-related preferences with vendors that they use to send them email job alerts.
Furthermore, a user can easily unsubscribe from them.
…
You may be contacted by e-mail within the following categories
Various contests:
Offers for surveys, sweepstakes, prize draws and free giveaways
Financial:
Offers for professional associations; consumer, automobile and housing loans; household, automobile, travel and accident insurance; Claims (PPI/PBA). Our preferred partners in the claims sector are HQ Consultancy Ltd, Ascend Finance and Neilson Financial (Smart Insurance & British Seniors Insurance)
Credit Report
Pharmaceutical
Magazines and newspapers:
Offers for newspapers and magazines on fashion, nature, photography, interior decorating, science, economics, fitness and lifestyle
Beauty and health tips:
Offers for weight-loss products, dietary supplements, vitamins, creams and dental hygiene products
Clubs, organisations and web sites/portals:
Charitable organisations, film clubs, dating sites and fitness centres
Electronics:
Offers for TV providers, internet, mobile telephone service and web pages
Clothing, fashion and lifestyle:
Offers for underwear, designer clothing, jewellery and makeup
Games and gambling:
Offers to register on web sites featuring bingo, gambling and scratch games, for example
Transport, autos, travel and holidays:
Offers for petrol, roadside assistance, airline tickets, motoring holidays, skiing holidays, charter trips and summer house rentals.
…
Opting Out (Deregistration):
Should you wish to opt out of your data being used for these purposes, please unsubscribe.
The consequences of deregistration are that your account details will be placed in a suppression file and you will not receive any further communications from job-search.online Every email that jobsearch.online sends contains a link to unsubscribe.
Opting out at a later date
Once you have given your consent, you can however still control whether or not you continue to receive communications or see such advertisements from such third parties. The method of control depends on the channel of communication or advertising
Use of your personal information
We use your personal information collected via the Jobianclick website to:
Provide you with information about the products and services we offer
Provide you with a more personalised service
Conduct market research
Pass on to selected companies to provide you with other offers and promotions
Help other companies profile and extend their databases
Facilitate communication between yourself and others
…
Our Business Partners & Clients:
Brand processed by Lead 365, 6th Floor, Alexandra Warehouse, West Quay, Gloucester Docks, Gloucester, Gloucestershire, GL1 2LG, Companies House – 09973434
Utilita Energy Limited
Secure House, Moorside Road, Winchester, Hampshire, SO23 7RX
Privacy Policy = https://utilita.co.uk/terms
Telephone channel
Utility sector
Company number – 04849181
[Privacy Policy lists 12 other companies with similar details]
…
Our Business Partners & Clients:
• RS DATA TECH, LTD t/as ukcreditratings.com - Privacy Policy
• Results Generation - Austinshire Partners, LLC
• Marketing Punch
• Click Labs Group and their Client Portfolio
• We Breathe Media and their Client Portfolio
• British Seniors Insurance Agency (Neilson Financial Services Ltd)
• Smart Insurance (Neilson Financial Services Ltd
• Property Rescue
• Save Today
• SJB66
• DMLS site & Client Portfolio
• Dr Money Saver
• Pharmacy2U
• ZIp Recruiter
• UK - Trades Courses
• UK - O2 Free Sim
• UK - Adzuna
• UK - GoGroopie Company Number - 07363687 Company Address - Alpha House, 100 Borough High Street, London SE1 1LB
• UK - Price Reactor.
• UK - Adzuna
• .UK - Saving.Direct Life Insurance
• .UK - The Casino
• UK - Restoration Media
• UK - Scottish Power - 320 St. Vincent Street, Glasgow, Scotland, G2 5AD
• UK - Avon
• UK - Choose Leads Limited
…”