Vanquis Bank Limited has been fined £75,000 by the Information Commissioner’s Office (ICO) for breaches of the Data Protection Act (‘DPA’) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PECR’). There are some interesting lessons to be learned for other organisations, particularly in the light of the forthcoming GDPR (General Data Protection Regulation) and the new Data Protection Act changes.
Matters first came to the ICO’s attention when it received 15 complaints from individuals about unsolicited marketing text messages. That placed it in the ICO’s ‘monthly threat assessment’ as a priority to investigate. So far as text messages are concerned, the ICO is keen to ensure that Regulation 22 PECR and its accompanying guidance are complied with. Organisations cannot send, or instigate the sending of, marketing text messages unless the recipient has notified the sender that he consents to messages being sent by it, or at its instigation. Consent will not be specific enough if individuals have previously been asked to agree to receive marketing messages from ‘selected third parties’ or ‘trusted parties’ or another similarly generic description. The Bank’s defence was that the data had been purchased from a global marketing company and that the contractual agreement stated that the company or its suppliers had obtained all appropriate consents as required under PECR. By this time further complaints relating to unsolicited direct marketing texts had been received. The Bank was required to prove the consent. It was unable to do so for all complainants. It also relied on indirect consent but was unable to evidence that specific consent had been given. The ICO was satisfied that the Bank did not have consent under PECR.
By then there were also complaints about direct marketing emails. Again, the Bank was unable to provide any evidence of clear and specific consent. Indirect consent had been obtained through various affiliates and sub-affiliates and was insufficient for the purposes of the ICO’s direct marketing guidance.
Having found breaches of the DPA and PECR, the ICO was satisfied that the contraventions were serious. Over 10 months, 870,849 direct marketing text messages were sent without individuals’ consent, and in 5 months 620,000 direct marketing emails were sent without consent. The Bank did not deliberately intend to contravene Regulation 22 PECR. However, it was negligent. There are some useful pointers from the decision:
- The ICO found that the issue of unsolicited text/email messages has been widely publicised by the media as being a problem. Organisations, particularly of the Bank’s size, should have been aware of their responsibilities;
- Reasonable steps could have been taken to prevent the contraventions. The ICO publishes guidance regarding PECR and direct marketing. That guidance makes it clear that particular care must be taken when relying on ‘indirect consent’ and that it is not acceptable to rely upon assurances given by third parties without undertaking proper due diligence;
- The contract between the Bank and the third party was insufficient. The Bank failed to take reasonable steps to ensure that the consents obtained were clear, specific and valid. Reasonable steps that could have been taken included ensuring that data lists were not bought unless there was proof of opt-in consent specifically naming or clearly describing the organisation, and carrying out small sampling exercises to assess the reliability of the data purchased.
In the circumstances the appropriate, reasonable and proportionate fine levied under current legislation was £75,000.
By way of reminder, the current fine limit is £500,000. Following the GDPR, which takes direct effect on 25 May 2018, and the passing of the new Data Protection Act, which is currently in draft form, the level of fines will increase to a maximum of €20m or 4% of annual global revenue, whichever is the greater, although the maximum fines are intended to relate to serious breaches.
For further information please contact Holly Dobson on 0114 224 2121 or at [email protected]