Robin Hopkins picks out the two key themes from Leave.Eu's failed appeal against fines and notices imposed by the ICO: the process of appealing and whether consent to receive an email is consent to receive unrelated content in those emails.
Regulation 22 of PECR 2003 – the prohibition on non-consensual electronic direct marketing communications – has been a favourite ICO hunting ground for monetary penalties for many years. Nevertheless, its dos and don’ts have remained stubbornly fuzzy at the edges. Thankfully, the Tribunal’s most recent decision on direct marketing communications is helpful and illuminating. It’s also quite entertaining: a nice montage of Arron Banks, spam, kangaroos and stuff. You can read The Leave.Eu Group Ltd and Eldon Insurance Services Ltd (EA/2019/ 0054-0059) here.
It saw two entities in the Banks empire – one a political campaign group, the other an insurance company – challenge a batch of ICO notices. These were: two MPNs for spam emailing (£60k and £45k), an enforcement (a ‘stop sending spam emails’ order) and two assessment notices under the DPA 2018 (requiring the appellant companies to permit the ICO’s investigations). All of the appeals have been dismissed.
There is a lot going on in this decision and, as I say, it’s quite colourful in places. The Tribunal discusses the ICO’s discretion to issue MPNs and to set the amounts. The discussion of assessment notices is also notable. Key points there: assessment notices are investigatory tools in respect of which the ICO has a broad discretion, unfettered by procedural preliminaries – so the Tribunal will generally be reluctant to overturn them.
But I want to focus on two themes here.
One is procedural challenges to ICO notices: if you feel the ICO has not followed a fair and proper procedure, to what extent can you press this before the Tribunal? Will it be interested, or will it tell you to stop griping and address the substance of the notice instead?
As previously reported, Facebook’s appeal against a £500k ICO MPN – issued following the Cambridge Analytica fallout – involved a procedural challenge. The ICO argued that the Tribunal should not entertain this point, because it has a full merits review jurisdiction, allowing it to cure any procedural defects, so that they make no substantive difference. Facebook argued that it should be allowed to run its procedural challenge; part of its case was that there may be instances where a procedure has been so seriously unfair that it can’t be cured by a full merits review before the Tribunal. The ICO’s procedural unfairness can be a killer blow. On that point, Facebook prevailed: the Tribunal (Chamber President McKenna) ruled that Facebook could at least run its argument. But the appeal then settled.
Back to Leave.EU and Eldon then: they tried a similar angle to Facebook, but got short shrift. Admittedly, the ICO had misspoken about this case in a public forum, and its documentary/audit trail was in some respects lacking. But that was not enough. The appellants had not made out their allegations of bias, and any procedural defects could be cured by the Tribunal’s full merits jurisdiction. They were not serious enough to amount to a killer blow. The Tribunal held that “a pleaded case of procedural unfairness amounting to an error of law cannot be established by a critique of the twists and turns of the investigation; as Judge McKenna said in Facebook, it would require the Appellant to prove its case as to the most serious of allegations” (para 76).
The other point to focus on here is the meat of the dispute, so to speak. Leave.EU had secured consents to send recipients electronic political newsletters, but those newsletters then included content promoting Eldon’s insurance services. The Tribunal found that they did contain direct marketing content: “we are satisfied that the content of the newsletters included material which constituted direct marketing material, by including the GoSkippy banner but also by associating Skippy the kangaroo with Mr Banks’ business interest in GoSkippy insurance and his political views”. As the Tribunal concluded: “There would be no other reason to include a kangaroo in a political newsletter other than to reinforce the association with Eldon’s product” (para 85).
The fact that this direct marketing content was included within a political newsletter did not save the appellants from PECR contraventions. Chris Knight (counsel for the ICO) “described the Appellants’ case as being that if you sign up to receive one type of e mail then that can be filled up with other material which you did not consent to receive. That approach, in his submission, drives a coach and horses through the PECR protections”. He added this: “a spam sandwich nevertheless contains spam”. The Tribunal agreed.
So, if your electronic communication contains direct marketing material amid other kinds of material, you can be in PECR trouble. There is no “primary purpose” test: you can’t get round regulation 22 PECR by arguing that the offending communication was primarily non-marketing material.
If your communication contains direct marketing content, you need consent (unless you can rely on the soft opt-in). Here, the consents were not up to scratch, and did not cover the marketing of Eldon’s services. Note that point: if you are going to send emails flogging someone else’s products, your consents need to cover that. Further, Leave.EU’s reliance on the reference in its privacy notice to sending people “what we feel may interest you” was impermissibly ambiguous. On consent, the go-to paragraphs here are the ICO’s submissions at para 74 and the Tribunal’s conclusions on consent at paras 86-87.
Eldon was also on the hook, as it had “instigated” the sending of the kangaroo spam by its Brexiteer buddies. Arron Banks was in control of this messaging operation, and Eldon’s actions constituted instigation because they were a form of “positive encouragement” (the language from Microsoft v McDonald). The go-to paragraphs here are paras 26 and 88.
Upshot: Skippy sent packing, Chris Knight’s submissions prevail, and we get some very illuminating guidance from the Tribunal on some of the crucial contours of PECR compliance.
This piece was originally published on the 11KBW Panopticon blog and is reproduced here with permission.