Culture, Media and Sport CommitteeWritten evidence submitted by the Information Commissioner [NTC 033]

Introduction

1. The Information Commissioner (“the Commissioner”) has responsibility for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA), together with associated legislation such as the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

2. He is independent from government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals and taking appropriate action where the law is broken.

3. The Commissioner welcomes the Committee’s Inquiry into nuisance telephone calls and text messages, and the opportunity to give evidence—explaining the nature of the problem, what the Commissioner has done to tackle it, the impact of his action, where problems remain and the proposed solutions.

4. The amended PECR legislation has been in place for two years now. Although there have been successes and the Commissioner can point to progress, the issue of nuisance calls and SPAM texts continues to be a major concern for consumers. It is accepted that more needs to be done.

5. The Commissioner’s submission is focused on his role under PECR and the DPA. He is working closely with other regulators, most notably Ofcom, who are responsible for regulating abandoned and silent calls.

Summary of Main Rules and the Information Commissioner’s Powers Relevant to Nuisance Calls and Text Messages

6. PECR provide rules about sending marketing and advertising by electronic means, such as by telephone, fax, email, text and picture or video message, or by using an automated calling system. PECR also include other rules that relate to areas including cookies, telephone directories, traffic data, location data and security breaches.

7. On 26 May 2011, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR 2011) amended PECR.

8. The DPA is based around eight principles of “good information handling”. These give people specific rights in relation to their personal information and place certain obligations on those organisations that are responsible for processing it. Section 11 of the DPA also gives individuals the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give written notice to stop using their details for direct marketing.

9. The DPA and PECR both therefore restrict the way organisations can carry out unsolicited direct marketing (that is, direct marketing that has not specifically been asked for).

10. If an organisation is sending unsolicited direct marketing by electronic means, or employing a firm to do so on its behalf, it must comply with PECR. This includes telephone calls (both live and automated), faxes, emails, text messages and other forms of electronic message. PECR are broader than the DPA in the sense that they apply even if the organisation is not processing any personal data—which means they apply even if the organisation does not know the name of the person it is contacting. It also means the rules apply to business-to-business marketing, as well as marketing to consumers.

11. In very broad terms, an organisation cannot make unsolicited marketing calls to numbers which are registered on the Telephone Preference Service (TPS) without their specific consent, or make calls to anyone who has said they don’t want to receive them. And an organisation cannot generally send texts or emails to individuals without their specific consent.

12. The Commissioner’s investigations into nuisance calls and texts are normally focused on PECR, though he will also consider DPA issues, particularly if the marketing activity is of significant concern and enforcement under PECR is not possible.

13. On 26 May 2011, the Commissioner gained powers to serve third party information notices on communications providers and to impose Civil Monetary Penalties (CMPs) of up to £500,000 for the most serious breaches of PECR. Regulation 31 of PECR imports the Monetary Penalty provisions in section 55A of the DPA. The Commissioner can issue a Monetary Penalty Notice (MPN) when the PECR breach is of a kind likely to cause “substantial damage and substantial distress”.

14. The Commissioner has issued statutory guidance on CMPs, under section 55C(1) of the DPA (“the Guidance”).1 The Guidance addresses the term “substantial” in relation to damage and distress. It states that: “…if damage or distress that is less than considerable in each individual case is suffered by a large number of individuals the totality of the damage or distress can nevertheless be substantial”. The contravention must either have been deliberate or the data controller or person must have known or ought to have known that there was a risk that a contravention would occur and failed to take reasonable steps to prevent it.

15. The Commissioner also has the power to serve an enforcement notice under PECR and the DPA, containing steps which the person served with the notice must comply with. Non-compliance with an enforcement notice is a criminal offence. The Commissioner also has also the power to issue an information notice requiring a person to provide information that will enable him to ascertain whether the legislation has been breached.

16. Annex A sets out the relevant legal provisions under PECR and the DPA.

The Problem of Nuisance Calls and Texts

17. There is significant and compelling evidence of growing volumes of unsolicited live and automated telephone calls and SMS texts to UK consumers, and evidence that consumers are increasingly concerned about the problem. Complaint volumes are also increasing.

18. Since setting up an online reporting tool2 in March 2012, over 240,000 complaints have been made to the Commissioner about unsolicited calls and texts. The data is illustrated below. The peaks coincide with enforcement action by the Commissioner, presumably due to increased media coverage and public awareness of the Commissioner’s role and reporting mechanisms.

19. Tackling the issue of unsolicited telephone calls and texts has become a priority issue for the Commissioner. The issue is a key objective in the current ICO plan for 2013–16.3

20. There is a sliding scale of harm caused by unsolicited calls and texts. Evidence from concerns reported to the Commissioner by the public show that 90% consider the calls to be inconvenient, annoying, a cause for concern, a cause of anxiety or a disruptive irritation. In some cases the calls will cause much greater distress and harm. For example, shift workers may have their sleep patterns seriously disrupted, and people with a terminal illness or a disability may have to make a considerable effort to answer the phone.

21. It is also clear to the Commissioner that the issue is reflected in a significant volume of correspondence from constituents to MPs. This has been continually emphasised by Ed Vaizey, the minister responsible for PECR, and led to Mike Crockart MP tabling a private member’s bill setting out proposals to tackle nuisance calls.4

22. The evidence is also clearly set out in a recent independent report from the media policy project at the London School of Economics (LSE). The LSE report also highlights the wider costs to business and society of the problem:

Costs to phone companies and regulators in handling complaints.

The value of the telephone directory has been eroded, as two thirds of UK residential lines are ex-directory.

Trust in and reliance on the phone is being undermined.

23. The Commissioner has also seen emerging evidence, from 7726 data,5 that the threat posed by unsolicited texts to smart phones is also growing. These texts can lead to malware being installed. It is important that the issue is robustly tackled before becoming a significant problem.

Tackling the Problem—The Commissioner’s Regulatory Activity to Date

Enforcement action and engagement

24. The Commissioner’s approach follows good regulatory principles—strong enforcement is married with effective education and engagement with those who are regulated. The approach is based on identifying the worst offenders, engaging with them, and enforcing if engagement doesn’t work.

25. The Commissioner takes an intelligence led and threat based approach. He has responded to the problem of nuisance calls and texts by establishing a new team dedicated to investigating breaches, which is supported by an Intelligence Hub.

26. The Commissioner has worked hard to improve the standard and scale of his intelligence and evidence collection processes, to help in identifying organisations who are breaching the legislation and causing the most significant problems and enable his office to conduct more efficient and effective investigations. As well as intelligence from the Commissioner’s own online reporting tool and complaints data, information is drawn from TPS, GSMA and other intelligence sources such as 7726, the mobile industry reporting system for spam texts.

27. The approach to tackling organisations where there is evidence of a problem starts with engagement, with a process of escalation depending on the response. This approach contains a balance of incentives and deterrents. The Commissioner initially contacts the organisations identified, asking them to account for the reported breaches. His enforcement team analyses the response and checks for improvements in compliance. Where there is evidence of improvement, strong engagement and willingness to improve, the organisation is invited to attend a compliance meeting. At the meeting the organisation is held to account and their remedial action plans are examined, and thereafter their performance is monitored to ensure improvement.

28. For those organisations that fail to engage, or where there is an indication that they are not making sufficient improvements toward compliance, the Commissioner will consider imposing a CMP or taking other appropriate enforcement action.

29. Details of the Commissioner’s enforcement activity are published in quarterly PECR enforcement activity reports on the ICO website6 which “name and shame” organisations where appropriate:

ASSESSMENT OF ORGANISATIONS, APRIL TO JUNE 2013 (AS PUBLISHED ONLINE)

30. The CMPs the Commissioner has imposed send out a clear message to other companies involved in cold calls or spam text messages that the rules must be followed. They also attract media headlines, and this in turn prompts more people to report their concerns to us. Since gaining the powers the Commissioner has imposed CMPs under PECR totalling £800,000.7 Recent examples include:

Two penalties totalling £440,000 to the joint owners of Tetrus Telecoms for the mass sending of unsolicited SMS text messages (November 2012).

A penalty of £90,000 on DM Design Bedroom Ltd after it continued to make unsolicited live marketing calls to individuals who had already registered with the TPS and confirmed that they did not wish to be contacted (March 2013).

A penalty of £125,000 on Nationwide Energy Services and one of £100,000 on We Claim You Gain (June 2013). These two companies are part of Save Britain Money Ltd and were fined for failing to carry out adequate checks on whether people they were calling had registered with the TPS.

A penalty of £40,000 on Tameside Energy Services for failing to carry out adequate checks on TPS registration (July 2013).

Joining up and cross-regulatory action

31. The Commissioner has recognised that joining up and taking cross regulatory action is an important part of the strategy to tackle nuisance calls and texts. On 31 July 2013 the ICO and Ofcom launched a joint initiative on tackling nuisance calls and messages, and published a joint action plan.8 The key elements of this action plan are:

Ongoing, targeted enforcement action;

Improving the tracing of nuisance calls and messages;

Effective coordinated action including a review of the impact of the Telephone Preference Service (TPS);

New ICO guidance on consent;

Updated consumer guides on nuisance calls and messages; and

New proposals for tackling nuisance calls.

32. Further details on these actions are provided below in the section on proposed solution. The ICO and Ofcom will publish a general update on progress in relation to the work set out in this joint action plan in early 2014. In addition, updates on progress in relation to specific pieces of work will also be provided on the ICO and Ofcom websites. Both organisations are committed to making full use of their existing powers to tackle the issue and reduce consumer harm.

33. The Commissioner has been playing a central role in coordinating a strategic approach involving other regulators and key stakeholders. The Commissioner has initiated and is leading the multi-agency operation LINDEN. As part of the operation a strategic threat assessment on lead generation and unwanted marketing communications has been developed, covering the whole “data cycle” in which personal data is collected, bought, sold, used and in some cases re-used by a variety of organisations for a variety of marketing purposes. This has enabled the Commissioner to identify key intervention points and enforcement opportunities for regulators and stakeholders and a joint delivery plan has been compiled to shape and complete this activity.

What effect this has had

34. The Commissioner has so far engaged with 28 organisations in relation to live calls, resulting in 14 organisations taking sufficient steps to improve their compliance or otherwise providing evidence to demonstrate that the number of recorded complaints does not reflect levels of compliance (for example, because some complaints are invalid). Ten organisations are still under a period of review pending a final decision on the most appropriate course of action, and four have been the subject of enforcement action.

35. The impact and effectiveness of fines can be seen immediately after a CMP is imposed, as there has often been an increase in complaints—presumably due to media coverage and increased public awareness of reporting mechanisms. This can be seen in the graph showing complaint data at paragraph 18 above (reproduced below with the timing of CMPs marked). In the month following the Tetrus Telecoms CMP and the month following the DM Design Bedroom Ltd CMP, there was then a marked decrease in the number of complaints. However, it is difficult to be sure whether this can be directly attributed to an actual reduction in nuisance calls and texts, or whether it is simply public awareness—and therefore the number of complaints—returning to the “normal” levels existing prior to the media coverage.

36. Nonetheless, it is clear that the number of complaints to the Commissioner about nuisance texts peaked in November 2012, when the Commissioner imposed a CMP on the joint owners of Tetrus Telecoms for the mass sending of unsolicited texts, and that, the number of complaints to the Commissioner about nuisance texts has reduced by 75% since that CMP, with no further spikes.

37. Cloudmark Inc also reported a 50% drop in unsolicited SMS communications as a result of the publication of the CMPs issued against the owners of Tetrus Telecoms Ltd. The ability to heavily and publicly fine those who contravene is a significant deterrent.

38. Cloudmark Inc also reported a 78% reduction in nuisance text messages following multi-agency work led by the Serious Organised Crime Agency (SOCA) and City of London Police, in which the Commissioner was involved.

On-going Challenges

A global problem

39. The problem is very much a global one and similar challenges are faced by regulators in other countries. The Commissioner often encounters cases where some of the senders and instigators are based outside the UK and also outside the EU. This makes effective regulation more difficult and the Commissioner is actively developing bilateral information sharing agreements and enforcement and disruption opportunities. The Commissioner is also a Competent Authority under the Consumer Protection Co-operation Regulations, which facilitates enforcement cooperation between European member states.

40. The Federal Trade Commission in the US has recently agreed to obtain and share information with the Commissioner in relation to organisations in the US using lines to send messages into the UK or allowing lines to be used for that purpose. This sharing of information is permitted under the US Safe Web Act which allows disclosure in order to facilitate overseas co-operation in order to combat unsolicited marketing and fraudulent communications.

41. The Commissioner is also actively engaged with the London Action Plan, which is an international multi-agency approach to tackling problems associated with unsolicited calls and texts. The next meeting is scheduled for October 2013 in Canada.

42. The ICO are also leading on a multi-agency initiative to address concerns within the list broking and lead generation industry, which requires further regulation, and many of the organisations involved are often based outside the UK.

43. Ten referrals have recently been made to our international and European counterparts responsible for tackling nuisance calls. The Commissioner made those referrals after using existing powers to serve 59 information notices on telecommunications providers, in order to identify the owners of 8,000 different telephone numbers. Those numbers identified as operating abroad have been passed on to regulators in the United States, Ireland, Belgium and Spain to take action.

Limitation of the current threshold for MPNs under PECR

44. The Commissioner now has a team in his Enforcement Department dedicated to investigating breaches of PECR, and they have become very effective in collecting and analysing intelligence from a range of sources and converting this into evidence to enable us to take enforcement action. However, the enforcement opportunities only cover a small percentage of cases investigated, as the extent of the detriment complained of by consumers in many cases amounts to nuisance, annoyance, inconvenience or anxiety, but does not cross the legal threshold of “substantial damage” or “substantial distress” for MPNs, because the number of complaints isn’t high enough and/or there is an absence of evidence of actual damage or distress. When the Commissioner has imposed penalties he has placed considerable reliance on the reference in the MPN guidance to the cumulative effect of distress that is less than considerable for any one individual amounting to substantial distress when suffered by many individuals.

45. The Commissioner has significant evidence of annoyance or nuisance caused to individuals from calls and texts which may not amount to “distress” and may be less than substantial. It is also harder to argue substantial damage and substantial distress when volumes of complaints are not at a high level.

46. It would not be viable for the Commissioner to seek to stretch the legal definitions currently in PECR to cover the lower volumes, and certainty in the legal regime is an important factor in creating deterrence. The Commissioner is concerned that ultimately the courts may not support the approach he is already taking, which relies on the cumulative effect of nuisance, annoyance, inconvenience or anxiety caused to a large number of people amounting to substantial distress.

47. Regulatory efforts are targeted on those organisations where there is evidence of very high numbers of potential PECR breaches. These are the organisations where the level of distress likely to have been caused might be sufficient to meet the criteria for a CMP. However, there are a significant number of organisations that fall below this threshold and that the Commissioner does not therefore pursue. If the legal threshold were lowered, it would then allow the Commissioner to take more action.

Challenge of consent

48. Consent is a key component of direct marketing. The problem has many different aspects. Organisations will generally need an individual’s consent before they can send marketing texts, emails or faxes, make live marketing calls to numbers listed on the TPS, or make any automated marketing calls under PECR. They will also usually need consent to pass customer details on to another organisation under the first data protection principle. To be valid, consent must be knowingly given, clear and specific. Some organisations will seek to rely on implicit consent, and some may seek to use opt-out rather than opt-in mechanisms. The ICO discourages the use of both practices for marketing using calls, texts and emails.

49. The key aspects of the problem are:

Organisations are presenting unfair or unclear information to consumers, who may not realise the implications of consenting.

Consent provided in one specific context is taken as “unlimited” consent for any communications with an individual.

Organisations will pass on, sell or buy in data on a vague understanding that individuals have consented for the data to be shared and consent is valid for any communications. Organisations often have poor or non-existent records to demonstrate whether “bought in” data has valid evidence of consent.

Many organisations will seek to rely on outdated information related to consent.

Communications from individuals indicating that they clearly do not consent are ignored.

50. Examples of common poor or unlawful practices are as follows:

Individuals are required to submit their contact details when it is not actually required for the purpose for which they are interacting with the organisation. For example, some organisations require a contact telephone number before they will provide a simple online quote.

A clause “consenting” to the use or resale of a person’s data for marketing purposes is buried within terms and conditions which are located away from the page on which the individual is invited to submit his details. These terms and conditions are often unread as they tend to be long and legalistic.

A consent statement indicates that the data may be passed to “selected third parties”, but in practice it is passed to anybody willing to buy the data.

Information is sold on a long time after it was collected, and is used to promote products or services which were not available nor in the contemplation of the individual at the time that the information was collected.

A consent statement indicates that details will be passed to third parties for marketing purposes, but does not give any indication of the identity of those third parties or the channel of communication. This is then sold on as valid consent for any type of marketing—even though PECR require an individual specifically consents to the particular type of communication (eg automated call or text) from the particular sender.

The list brokerage industry operates on a contact and warranty basis where data is traded on the assurance that it has been obtained in compliance with DPA and PECR. The purchaser of a marketing list will not have seen actual evidence of consent or know when and where the data was collected, and simply relies on assurances that consent has been validly obtained. However, the consent may not have been specific enough to actually cover the intended marketing, and on occasions the consent would appear to have been fabricated.

Proposed Solutions for those Problems

Joint working

51. Joint working remains an important part of the solution and the Commissioner will continue work closely with Ofcom and other partners as part of operation LINDEN.

52. The Commissioner will also continue to work closely with other regulators on an international basis. This will include close working with European Data Protection Authorities as part of the Article 29 working party, and via the Consumer Protection Cooperation mechanism (referenced at paragraph 39 above). The Commissioner is also a leading member of GPEN—the Global Privacy Enforcement Network,9 and a member of the London Action Plan.10 Both networks include the US Federal Trade Commission.

Lowering the MPN threshold under PECR

53. At the end of July the Commissioner submitted a detailed business case for amending PECR to the Department for Culture, Media and Sport. This met a commitment that the Commissioner’s Director of Operations made at a roundtable chaired by Ed Vaizey, earlier in July.

54. The focus of the business case is on amending PECR to enable the Commissioner to impose a CMP of up to £500,000 upon companies or persons who contravene Regulations 19, 20, 21, 22, 23 or 24 of PECR—if the Commissioner is satisfied that those texts or contraventions are likely to cause “nuisance, annoyance, inconvenience or anxiety”. This change would ensure that the penalties available meet the criteria of “effective, proportionate and dissuasive” as required by the E-Privacy Directive,11 from which PECR are derived.

55. The Commissioner has also made the case that he should be able to deduct of the costs he incurs in imposing and collecting the monetary penalty. He considers that this is a reasonable proposal to ensure that some additional revenue is available to fund the enforcement activity. The Commissioner receives no specific funding for PECR work as it is funded from the data protection notification fee.

56. Lowering the threshold is supported by Which? and other groups who represent consumer interests. It is also featured in Mike Crockart’s Private Members Bill, mentioned above.

57. The primary case of the Commissioner is that the penalty regime under PECR must be broadened to create a stronger deterrent effect across a wider range of organisations that are regularly breaching the provisions of PECR related to unsolicited calls and texts. If a wider range of organisations feel the likelihood of a significant penalty is stronger, this will drive up the standard of compliance and reduce of the level of nuisance to the wider public. Our secondary case is that changes are desirable if the Commissioner’s ability to impose penalties in the types of cases where we are already doing so is to be safeguarded.

58. The Commissioner’s online reporting tool, which has a section enabling the contributor to explain how the unwanted calls or texts affected them, currently provides information that could be used as evidence the new threshold being met. Examples include:

the subscriber receives calls from the same organisation on a number of occasions despite telling them on each occasion that she is registered with the TPS, that she does not wish to be called and that the organisation should put her on their do not call list;

the organisation uses a generic term to name itself and, as a result, the subscriber is not in a position to fully identify who is calling her. The calls tend to be mid to late evening and disrupt childcare routines; and

the subscriber is a sole trader who runs a small business. The volume of unsolicited calls in relation to the business and also her personal life interferes with her ability to trade and disturbs her home life. She feels that he has no break from the calls.

59. It is vital that those companies or persons who seek to derive significant commercial benefit from unsolicited calls and texts in breach of PECR, and who gain an unfair commercial advantage over more responsible organisations who do subscribe to the Telephone Preference Service and make other proper checks, see a strong commercial risk, in the form of a fine, from the activity.

60. The business case submitted has argued that there should be a greater breadth of penalties issued, not just focused on cases that could be regarded as “large”. For example in a case where there is evidence of up to 300 calls clearly causing nuisance, the Commissioner would have the option to consider imposing a smaller penalty.

61. Whilst the Commissioner will continue to put effort into the “large” cases unless the courts rule against him, the change in threshold would enable a wider range of often smaller penalties to be imposed. The combination of these MPNs would have a much more powerful effect on unacceptable activity related to unsolicited communications.

62. The Commissioner will continue to also use his Enforcement Notice powers in cases where it is necessary to order the named person to stop a particular activity. These notices are an important tool to force someone to put “something right” but deterrence value is much lower than a CMP.

63. The Commissioner believes the changes are relatively straightforward amendments to secondary legislation, and the changes would not cause any difficulty in terms of transposition of the E-Privacy Directive—indeed the changes can be seen to give full effect to the intention of the Directive.

64. Annex B illustrates the powers and penalties available in the Canadian system which provides powers for extremely high fines but their terms are “undue inconvenience or nuisance”.

Clarifying the position on consent

65. The Commissioner has not ruled out calling for further amendments to PECR on the issue of the consent—see below. In the meantime the Commissioner will publish new guidance on direct marketing in early September 2013 (this should be in advance of the Director of Operations giving evidence to the Committee). The guidance will pull together all the Commissioner’s existing guidance on marketing, including on calls and texts under PECR. It will also contain new and more detailed guidance on consent. The guidance will seek to provide sharper and clearer messages on methods of consent, time limits, proof of consent, third party consent, and buying and selling marketing lists. The guidance will seek to improve understanding of the law, reduce the grey areas that organisations can exploit, and encourage good practice in obtaining, recording and verifying valid consent.

66. The guidance will be extensively promoted. The Commissioner will also expect that industry guidance is amended in line with his guidance. An assessment will be made of what impact the guidance has and what more needs to be done after that.

Reviewing guidance on Privacy Notices

67. In 2009 the Commissioner issued a Data Protection Code of Practice on Privacy Notices. The Code won an award at 2010 Nominet Internet Awards. It has been considerably successful in raising the standard of many privacy policies in large organisations but it is also clear that more still needs to be done to promote the key messages. Technology has also changed significantly since 200912 and the Commissioner has learnt more about common problems from complaints and monitoring. The lack of clear and fair information in privacy notices is part of the problem related to consent. The Commissioner will therefore review the Code in 2013 and consider whether to issue a new version. This process will include a consultation with stakeholders, as required by the DPA.

Reviewing TPS

68. As part of their joint action plan the Commissioner and Ofcom will review effectiveness of TPS. Registration with the TPS is a key tool for consumers to limit nuisance calls. The Commissioner and Ofcom will undertake an assessment of the impact of the TPS on the level of unsolicited live sales and marketing calls, to evaluate how well the TPS is currently working for consumers and inform future work in this area. A new piece of market research is likely to be completed in spring 2014.

Other changes that could be made to PECR

69. Whilst the Commissioner has initially focused his arguments for changing the legislation on the MPN threshold he will also consider whether to make a further business case for other changes. This further work will examine whether:

the consent requirements in PECR should be amended, including time limited consent;

further information requirements should be placed on those sending unsolicited messages;

the ICO should have extended compulsory audit powers under PECR;

the ICO should be able to issue statutory codes of practice under PECR;

stronger legal requirements are needed to make sure the TPS is used to screen calls;

stronger legal requirements are needed to ensure the identity of the person sending the message is provided and to prevent “spoofing”; and

an obligation should be placed on organisations receiving calls to respect a caller’s right to withhold their number.

70. These changes will require more detailed consideration and consultation, including whether the changes are compatible with transposition of the E-Privacy Directive. It is also worth noting that the European Commission have indicated that the E-Privacy Directive will be reviewed and possibly amended if the proposed Data Protection Regulation is passed (likely to be in 2014). This could include consideration of issues around consent.

August 2013

Annex A

SUMMARY OF LEGISLATION RELEVANT TO INFORMATION COMMISSIONER’S REGULATION OF NUISANCE CALLS AND TEXTS

Privacy and Electronic Communications Regulations 2003 (as amended)

Regulation 19 Use of automated calling systems

19.—(1) A person shall neither transmit, nor instigate the transmission of, communications comprising recorded matter for direct marketing purposes by means of an automated calling or communication system except in the circumstances referred to in paragraph (2).

(2) Those circumstances are where the called line is that of a subscriber who has previously notified the caller that for the time being he consents to such communications being sent by, or at the instigation of, the caller on that line.

(3) A subscriber shall not permit his line to be used in contravention of paragraph (1).

(4) For the purposes of this regulation, an automated calling system is a system which is capable of—

(a)automatically initiating a sequence of calls to more than one destination in accordance with instructions stored in that system; and

(b)transmitting sounds which are not live speech for reception by persons at some or all of the destinations so called.

Regulation 21 Unsolicited calls for direct marketing purposes

21.—(1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where—

(a)the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or

(b)the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.

(2) A subscriber shall not permit his line to be used in contravention of paragraph (1).

(3) A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made.

(4) Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.

(5) Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his—

(a)the subscriber shall be free to withdraw that notification at any time, and

(b)where such notification is withdrawn, the caller shall not make such calls on that line.

Regulation 22 Use of electronic mail for direct marketing purposes

22.—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.

(2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

(3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—

(a)that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;

(b)the direct marketing is in respect of that person’s similar products and services only; and

(c)the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. .

(4) A subscriber shall not permit his line to be used in contravention of paragraph (2).

Regulation 23 Use of electronic mail for direct marketing purposes where the identity or address of the sender is concealed

23. A person shall neither transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail—

(a)where the identity of the person on whose behalf the communication has been sent has been disguised or concealed;

(b)where a valid address to which the recipient of the communication may send a request that such communications cease has not been provided;

(c)where that electronic mail would contravene regulation 7 of the Electronic Commerce (EC) Directive Regulations 2002; or

(d)where that electronic mail encourages recipients to visit websites which contravene that regulation.

Regulation 24 Information to be provided for the purposes of regulations 19, 20 and 21

24.—(1) Where a public electronic communications service is used for the transmission of a communication for direct marketing purposes the person using, or instigating the use of, the service shall ensure that the following information is provided with that communication—

(a)in relation to a communication to which regulations 19 (automated calling systems) and 20 (facsimile machines) apply, the particulars mentioned in paragraph (2)(a) and (b);

(b)in relation to a communication to which regulation 21 (telephone calls) applies, the particulars mentioned in paragraph (2)(a) and, if the recipient of the call so requests, those mentioned in paragraph (2)(b).

(2) The particulars referred to in paragraph (1) are—

(a)the name of the person;

(b)either the address of the person or a telephone number on which he can be reached free of charge.

Regulation 31 Enforcement—extension of Part V of the Data Protection Act 1998

31.—(1) The provisions of Part V and section s55A to 55E of the Data Protection Act 1998 and of Schedules 6 and 9 to that Act are extended for the purposes of these Regulations and, for those purposes, shall have effect subject to the modifications set out in Schedule 1.

(2) In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under the provisions referred to in paragraph (1) as extended by that paragraph and the functions set out in regulation 31A and 31B.

(3) The provisions of this regulation are without prejudice to those of regulation 30.

Regulation 32 Request that the Commissioner exercise his enforcement functions

32. Where it is alleged that there has been a contravention of any of the requirements of these Regulations either OFCOM or a person aggrieved by the alleged contravention may request the Commissioner to exercise his enforcement functions in respect of that contravention, but those functions shall be exercisable by the Commissioner whether or not he has been so requested.

Data Protection Act 1998

Section 11 Right to prevent processing for purposes of direct marketing

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he is the data subject.

(2) If the court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

(3) In this section “direct marketing” means the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals.

Section 55A—Power of Commissioner to impose monetary penalty

(1) The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—

(a)there has been a serious contravention of section 4(4) by the data controller,

(b)the contravention was of a kind likely to cause substantial damage or substantial distress, and .

(c)subsection (2) or (3) applies.

(2)This subsection applies if the contravention was deliberate

(3)This subsection applies if the data controller—

(a)knew or ought to have known —

(i)that there was a risk that the contravention would occur, and

(ii)that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but .

(b)failed to take reasonable steps to prevent the contravention. .

(3A) The Commissioner may not be satisfied as mentioned in subsection (1) by virtue of any matter which comes to the Commissioner’s attention as a result of anything done in pursuance of—

(a)an assessment notice;

(b)an assessment under section 51(7)

(4) A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.

(5) The amount determined by the Commissioner must not exceed the prescribed amount.

(6) The monetary penalty must be paid to the Commissioner within the period specified in the notice.

(7) The notice must contain such information as may be prescribed.

(8) Any sum received by the Commissioner by virtue of this section must be paid into the Consolidated Fund.

(9) In this section—

“data controller” does not include the Crown Estate Commissioners or a person who is a data controller by virtue of section 63(3);

“prescribed” means prescribed by regulations made by the Secretary of State.

Annex B

CANADA

The Canadian system is different in that their “Commission” (whose powers are different from that of our Commissioner) can under their Telecommunications Act 1993 make its own rules to regulate unsolicited telecommunications if they “consider it necessary to prevent undue inconvenience or nuisance, giving due regard to freedom of expression”. There is no requirement for “substantial damage or substantial distress” nor for “seriousness”.

The Commission brought in rules which are the equivalent to PECR and they can amend them in line with any decisions they may make so as to keep them up to date. They appear to be responsible for making decisions from which they can then change their own rules.

If a person, whom they describe as a “telemarketer”, has breached their rules by sending an unsolicited communication and they pay their initial fine then, they are deemed to have committed the offence and no further action is taken. If they fail to pay they may be prosecuted in the criminal system for an offence and face fines of up to 1 million dollars.