OUT-LAW spoke to Caroline Monk, Casework and Advice Manager with
the ICO, following the publication of Information Commissioner
Richard Thomas's annual report this week. The report shows that Mr
Thomas's team successfully prosecuted 12 cases in the year ended
31st March 2005, though none of them involved
spammers.
All of these cases were under the Data Protection Act and
concerned either failures to notify the ICO of data processing (a
basic requirement that affects most organisations), or unlawful
obtaining of personal data without the consent of the data
controller (cases that tended to involve dishonesty, not ignorance
or carelessness). Most sentences were fines – ranging from £70 to
£1,600. Three sentences were conditional discharges – two of 12
months, one of 18 months.
Nobody faced legal action for other matters within the remit of
the ICO, such as failing to display a data protection notice, using
cookies on a website without notifying users, or sending spam in
breach of the Privacy and Electronic Communications Regulations.
But that is not to say that no action was taken.
The number of enquiries about websites is quite low and, of
those received, cookie enquiries appear to outnumber other website
data protection and privacy issues. Figures are not available, but
Ms Monk said that online matters were mostly requests for
compliance advice from organisations, rather than user
complaints.
A few complaints have been made over missing privacy notices and
missing information about cookies; but Ms Monk said they tend to be
easily dealt with, by approaching the website operator. Amends tend
to be made in response to such approaches. As long as a website
explains its use of cookies in its privacy policy and how to
control them, and as long as that privacy policy is easily located,
the ICO will be satisfied. "You shouldn't have to dig to find out
about cookies on a website," said Ms Monk. (For more on cookie
compliance, see OUT-LAW's sister site, AboutCookies.org.)
Ms Monk said that roughly 50% of the spam complaints received by
the ICO were outside the scope of the Regulations. The Regulations
came into force on 11th December 2003 – meaning this is
the first annual report to cover a full year of their operation. By
comparison, data protection legislation in the UK is 21 years
old.
Most email to corporate email accounts will not fall foul of the
law, nor will email that is sent where there is an existing
customer relationship. Overseas senders – responsible for most spam
– also escape the ICO's attention, as do those who simply cannot be
identified from the offending email.
Ms Monk said there were "less than 600" spam complaints in
total. So only around 300 complaints were made that Ms Monk's team
could actually deal with. They are not ignored, however. Most of
them concern reputable companies that made an innocent mistake,
such as failing to action an unsubscribe request. The ICO will
write to these organisations. "We do get a very high success rate
with these companies suppressing the email address when we approach
them," she said. And it seems that further action is seldom
necessary.
But clearly some complaints target less scrupulous email
marketing activities – and these organisations tend to ignore the
warning letters. This is where the ICO wants greater powers of
enforcement. The ICO cannot fine a spammer; it cannot even stop a
spammer effectively.
Ms Monk said: "The powers we've got are not appropriate for the
nature of the Regulations. We have to supply a preliminary
Enforcement Notice before we can issue a formal Enforcement Notice.
That Enforcement Notice can be appealed. It costs nothing to appeal
the Notice and most of them are appealed. At that point, our action
is suspended for an Information Tribunal to be convened."
Ms Monk described a case she handled where enforcement action
was taken against a company that was sending unsolicited faxes. "We
waited nearly a year just for the tribunal to be convened," she
said. In the meantime, the company was able to continue its
unlawful activities.
She explained that the ICO had lobbied the Department of Trade
and Industry for more immediate powers. "We want something like the
Stop Now Orders," she said.
Consumer protection bodies like the Office of Fair Trading
already have the power to apply to the civil courts for Stop Now
Orders that can be used to force an unscrupulous trader to cease
trading immediately. Failure to comply with a Stop Now Order is
treated as a contempt of court and is punishable by an unlimited
fine or imprisonment. But the ICO does not share these powers.
The ICO also wants better information gathering powers, like
those enjoyed by Ofcom, which would help to identify the company
behind spam email. "We can approach an ISP and ask for the identity
of a sender. Under the Data Protection Act, they are allowed to
tell us; but they are not compelled to do so," Ms Monk
explained.
The ICO issued only three Enforcement Notices this year, all of
which concerned irregular police activities. In dealing with spam,
there were no Enforcement Notices or even preliminary Notices.
Ms Monk admitted the reason for this is that they have to be
realistic in deciding what to do about a complaint against an
uncooperative spammer. She said that the number of complaints
received represents a tiny proportion of the total volume of spam
that lands in our inboxes; and those complaints that are not
resolved informally represent an even smaller proportion. Taken
together with the limited enforcement powers, this makes it very
difficult to take effective action.
It is not the first time the ICO has said this. In last year's
annual report, Richard Thomas wrote, on the subject of spam: "…our
existing powers are inappropriate. They do not allow us to take
decisive action against those who continue to send unsolicited
marketing material."
He noted at the time, July 2004, that the DTI was reviewing
these powers, "to explore the possibility of providing us with some
form of injunctive power which will enable us to take swift
effective action." But it seems that nothing has changed. The ICO's
lack of powers is believed to be among the reasons for the European
Commission considering European court action against the UK
Government (see: "UK's Data Protection Act might not meet European
Union standards", OUT-LAW News, 19/05/2004).
Meantime, the ICO has made its own internal changes. A major
re-structuring has taken place, largely attributable to the
massively increased workload of the ICO as a result of the Freedom
of Information Act coming into force in January. It is reflected in
the report's statistics: there were 11,664 cases received in
2003/2004, and 19,460 cases received in 2004/2005.
The new structure includes a new 20-person Regulatory Action
Division that is charged with investigations and enforcement. Until
now, the ICO has only been reactive. Assistant Commissioner David
Smith told OUT-LAW that the new Division "will allow us to go out
and make checks for compliance, not just act on complaints." He
added that it will help to bring important cases to a successful
conclusion more quickly.
But for as long as the ICO's powers remain unchanged, these
cases seem unlikely to trouble the spammers.