Consent given by Leave.EU subscribers to Brexit-related emails did not constitute freely given, informed, and specific consent to the inclusion of an insurance promotion
The Upper Tribunal has rejected appeals by Leave.EU and Eldon Insurance in Leave.EU Group Ltd and Eldon Insurance Services Ltd v Information Commissioner  UKUT 26 (AAC).
The appeals concerned regulatory action taken by the ICO against both companies regarding a series of newsletters, emailed by Leave.EU to its subscribers. The emails included advertising material on behalf of Eldon offering Leave.EU subscribers a 10% discount on Eldon’s insurance products.
On 1 February 2019 the ICO issued five notices which became the subject of the appeals to the FTT. She issued a monetary penalty notice (MPN) against both Leave.EU (for £45,000) and Eldon (for £60,000). She also issued both Leave.EU and Eldon with an assessment notice for the purpose of conducting an investigatory audit into each organisation. She additionally issued an enforcement notice against Eldon. The ICO issued the MPNs and the enforcement notice on the basis that both Leave.EU and Eldon had breached regulation 22 of Privacy and Electronic Communications Regulations 2003 SI 2003/2426 (PECR).
The organisations appealed to the First Tier Tribunal, which rejected their appeal. The Upper Tribunal has now also rejected their appeal. They appealed on nine grounds, all of which were dismissed.
The Upper Tribunal decision
The UT ruled that the emails breached regulation 22 of PECR because they included material which constituted direct marketing. The emails were unsolicited because they included content which would not have been expected by email recipients, who had signed up to receive a political newsletter. The UT pointed out that the underlying E-Privacy Directive 2002/58/EC’s aim is to prevent intrusion into individuals’ privacy, and by including marketing material in a political newsletter, an intrusion had taken place. The companies had argued that the aim of the Directive was purely to prevent spamming.
The UT considered the CJEU cases of Case C-673/17 Verbraucherzentrale Bundesverband eV v Planet49 GmbH and Case C-61/19 Orange Romania SA v ANSPDCP which considered the requirements to be met for valid consent to be freely given, informed and specific. Recipients had agreed to emails, but not to the direct marketing, and the privacy notice was very vague.
The UT also considered the case of Microsoft Corporation v McDonald  EWHC 3410 (Ch) and agreed with the First Tier Tribunal that there was ample evidence on which the FTT could and did conclude that Eldon instigated the transmission of communications for the purposes of direct marketing in the relevant legal sense.
Further, it said that the test is for the companies to know or that they ought to have known that there was a risk of contravention, not that they knew or ought to have known that there would be a contravention. This is an inevitably fact specific judgement.
The UT said that a prudent business entity, in embarking on the unprecedented course of conduct in these circumstances would have undertaken an appropriate due diligence exercise, especially in the context of recent regulatory contact with the ICO. That due diligence would have brought to its attention the clear guidance contained in the ICO’s publicly available direct marketing guidance. There was no evidence of such an exercise before the UT; indeed the evidence suggested ad hoc and off the cuff decision-making. The UT concluded that in these circumstances that Eldon should have known that its involvement in promoting the Brexit discount to Leave.EU subscribers would involve a risk of contravening PECR but that Eldon failed to take appropriate steps to prevent that contravention.
The UT agreed with the FTT that “although the complaints from subscribers were few in number, they seem to us accurately to describe the problem”. It said that in any event, the volume of complaints cannot be a reliable let alone determinative metric for deciding whether there has been a PECR breach, given that subscribers have easier default options than lodging a formal complaint with the ICO.
The UT also said that the ICO had met the criteria for issuing the fines because the companies should have known that including the discount offer in the newsletters ran the risk of breaching the PECR, but they did not take appropriate measures to prevent contravention. There was a serious contravention of PECR, considering the number of emails, which was over a million. The UT also pointed out that the ICO had complied with its Regulatory Action Policy, the notices complied with the law and were proportionate and consistent with the ICO’s general approach. There was no apparent bias or unfairness in the ICO's investigation.
Leave.EU and Eldon have reportedly indicated that they will appeal.