The Information Commissioner GIA 177 2014
| Jurisdiction | UK Non-devolved |
| Judge | Judge N J Wikeley |
| Judgment Date | 11 June 2014 |
| Neutral Citation | 2014 UKUT 255 AAC |
| Subject Matter | Information rights |
| Respondent | Niebel |
| Court | Upper Tribunal (Administrative Appeals Chamber) |
| Docket Number | GIA 177 2014 |
| Appellant | The Information Commissioner |
[2015] AACR 1
(Information Commissioner v Niebel)
[2014] UKUT 255 (AAC))
Judge Wikeley GIA/177/2014
11 June 2014
Data Protection – monetary penalty notice – whether text messages caused “substantial damage” or “substantial distress”
The Information Commissioner (IC) served Mr Niebel with a monetary penalty notice (MPN) for £300,000 on the basis that his jointly owned company had sent hundreds of thousands of unlawful spam texts to the public. The IC explained in the MPN that, while the distress in each individual case may not always have been substantial, the cumulative distress on those affected had been. Before the First-tier Tribunal (F-tT) the IC relied on only 286 messages as the basis for the contravention. The F-tT set aside the MPN and the IC appealed that decision. The issue before the Upper Tribunal (UT) was whether there had been a contravention of a kind likely to cause “substantial damage” or “substantial distress” under section 55A(1)(b) of the Data Protection Act 1998 either individually or cumulatively.
Held, dismissing the appeal, that:
- in deciding whether section 55A(1)(b) of the 1998 Act had been contravened, the F-tT was entitled to conclude that a contravention involving 286 text messages was of a very different kind from one involving hundreds of thousands of text messages. It was not possible to import the very much larger number in order to determine the nature of a contravention involving a much smaller one (paragraphs 28 to 41)
- the F-tT was entitled to conclude on the evidence before it that the contravention was not of a kind likely to cause “substantial damage” (paragraphs 42 to 54)
- the F-tT was also entitled to conclude on the evidence before it that the contravention was not of a kind likely to cause “substantial distress”, and to disagree with the IC’s guidance as to the meaning of “distress” (paragraphs 55 to 74).
DECISION OF THE UPPER TRIBUNAL
(ADMINISTRATIVE APPEALS CHAMBER)
The DECISION of the Upper Tribunal is to dismiss the appeal by the Information Commissioner.
The decision of the First-tier Tribunal (General Regulatory Chamber) (Information Rights) dated 14 October 2013, under file reference EA/2012/0260, in relation to the Respondent’s appeal against the Appellant’s Monetary Penalty Notice dated 26 November 2012, does not involve any error on a point of law.
The First-tier Tribunal’s decision accordingly stands.
This decision is given under section 11 of the Tribunals, Courts and Enforcement Act 2007.
REASONS
The background to this appeal
1. Unsolicited direct marketing communications, whether by text, phone call or e-mail, are mail, are one of the banes of modern life. They represent an intrusion into people’s privacy. A member of the public who visits the website of the Information Commissioner’s Office is advised that the Commissioner “can issue fines of up to £500,000 for serious breaches of the Data Protection Act and Privacy and Electronic Communications Regulations” (see the page at www.ico.org.uk/enforcement/fines, accessed on 11 June 2014). The Commissioner’s website also lists all the monetary penalty notices (MPNs) that have been issued. The majority of these have been issued against public sector organisations for breaches typically involving the loss or disclosure of personal data (see eg Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 551 (AAC); [2014] 1 Info LR 51). 2. On 26 November 2012 the Commissioner served a monetary penalty notice on two individuals, Christopher Niebel and Gary McNeish, the joint owners of Tetrus Telecoms. According to the summary on the Commissioner’s website, “The company had sent millions of unlawful spam texts to the public over the past three years.” This was, I was told, an investigation that had generated the largest number of complaints of any such inquiry handled by the Commissioner. Strictly speaking, Mr Niebel and Mr McNeish were each served with separate MPNs. The present proceedings concern only Mr Niebel; the Commissioner’s decision had been to issue him with a MPN for one of the largest penalties so far (£300,000).
3. On 14 October 2013 the First-tier Tribunal (Judge Nicholas Warren, Chamber President, Mrs Susan Cosgrave and Ms Jean Nelson) allowed Mr Niebel’s appeal against his MPN. The Commissioner now appeals to the Upper Tribunal, with my permission. On any reckoning, Mr Niebel’s conduct represented a considerable public nuisance (in the layperson’s broad understanding of that expression, rather than the technical lawyer’s meaning). The tribunal’s summary of the background to the case pulled no punches:
“[2] The material before us demonstrates that Mr Niebel and his company, Tetrus, has been engaged in sending unwanted text messages on an industrial scale. There were hundreds of thousands of them sent from hundreds of unregistered SIM cards seeking out potential claims for mis-selling of PPI loans or for accidents. There is certainly no evidence from Mr Niebel to show that he made any effort to make sure that the recipients consented or that he retained any record of consents. He did not even bother to register with the ICO under the Data Protection Act (DPA) as a controller of data.”
4. Nobody in the proceedings before me took issue with that summary. If anything, the tribunal’s account may underplay the scale of Tetrus’s operations. The Commissioner’s MPN refers to “many millions of unsolicited direct marketing text messages” (at paragraph [7]) and the use of over 16,000 SIM cards (at paragraph [41]).
5. However, Mr Niebel is not charged with being a public nuisance. The case against him is that he acted in serious breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426, as amended; referred to here as “PECR”) and as such was liable to pay what is, in effect, a (very substantial) fine by virtue of the MPN issued under the DPA 1998.
6. I held an oral hearing of the Commissioner’s appeal to the Upper Tribunal on 13 May 2014. I am indebted to Mr James Cornwell (counsel for the Commissioner) and Mr Robin Hopkins (counsel for Mr Niebel), both of whom appeared below, for their illuminating submissions, both on paper and orally. However, I am dismissing the Commissioner’s appeal for the reasons that follow.
The legal framework
7. We have all received unsolicited direct marketing messages by text, e-mail or telephone. As noted above, they are not simply a nuisance. They also represent an intrusion into our privacy. This mischief was recognised by the European Directive 2002/58/EC on privacy and electronic communications (“the 2002 Directive”) (see eg recitals (2), (3) & (40) and Article 1(1)). The 2002 Directive was implemented in domestic law by PECR. In particular, regulation 22 of PECR prohibits the “transmission of unsolicited communications by means of electronic mail to individual subscribers” for direct marketing purposes, unless the individuals concerned have asked for, or consented to, such communications (“electronic mail” is defined broadly by regulation 2(1) of PECR to include phone texts). Furthermore, regulation 23 prohibits the transmission of such communications which either disguise or conceal the identity of the sender. Regulation 31 of, and Schedule 1 to, PECR modified certain provisions of the DPA for the purposes of the new regime. PECR came into force on 11 December 2003 (regulation 1).
8. The 2002 Directive was significantly amended by Directive 2009/136/EC (“the 2009 Directive”). In particular, Article 2(10) of the 2009 Directive inserted a new Article 15a into the 2002 Directive, entitled “Implementation and enforcement”. This required Member States to make provision for penalties for infringements of national provisions adopted under the Directive, “including criminal sanctions where appropriate”. In addition, “the penalties provided for must be effective, proportionate and dissuasive”. The UK Government sought to give effect to the 2009 Directive by bringing forward amendments to PECR in the form of the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208; “PECR 2011”). In particular, regulation 14(e) of PECR 2011 amended Schedule 1 to PECR so as to make certain modifications to section 55A of the DPA. These amendments were effective as from 26 May 2011.
9. ...
To continue reading
Request your trial