Reactiv Media has found itself facing a 50% increase in the fine it was attempting to overturn after an appeal to the First-Tier Information Rights Tribunal. The UK Information Rights Tribunal hears appeals against decisions of the Information Commissioner’s Office actions relating to data protection, privacy electronic communications, freedom of information and environmental information. The UK regulator, the Information Commissioner’s Office (‘ICO’), had served Reactiv Media with a fine of £50,000 for a breach of the Privacy and Electronic Communications Regulations (‘PECR’) after – together with the Telephone Preference Service (‘TPS’) – more than 600 complaints concerning unsolicited marketing phone calls made by the company were received by the ICO and TPS.
Under the PECR, it is unlawful to make or send unsolicited communications to individuals for the purposes of direct marketing, unless the individual has given his or her consent. Additionally, companies may not make unsolicited calls to numbers registered on the TPS, the official central opt-out register, unless they have the consent of the individual to do so.
Reactiv Media had argued that there was no evidence that its communications had caused “substantial damage or distress”, and that as it “offered a service to the public, it had a right to trade, [and] it was trading well in an area of high unemployment.”
The Tribunal disagreed, asserting that Reactiv Media’s arguments were “unsupported by evidence and showed a poor understanding of the issues”. Furthermore, the Tribunal saw the evidence before it as demonstrable of “a culture of denial and minimisation of the breach, weak governance of the company and a tendency to blame others”, so it deemed a larger penalty to be more justified. The Tribunal felt that the ICO had been unable to accurately determine Reactiv Media’s finances, and so the fine it imposed was too low as a result. Therefore, it unanimously held that a fine of £75,000 was more appropriate.
Historically, ICO decisions like these are rarely upheld, so this decision could provide the impetus required for companies to become more compliant with their privacy requirements. The ICO has already hinted it will start to issue more fines to deter unsolicited marketing activities; organisations should therefore be aware that privacy-related incidents will no longer be tolerated. Furthermore, the reputational damage could be unquantifiable, especially considering scathing comments that could be made by the Tribunal.
With the ICO’s power to issue fines of up to £500,000 for serious breaches, as well as its public announcement to prosecute non-conformers, this is not a good time for organisations to risk non-compliance, especially given there is no longer a requirement to prove substantial damage or distress.