Monetary penalties: getting the amount right

What factors should be taken into account when setting the amount of a monetary penalty for serious contraventions of data protection and privacy laws? Perhaps surprisingly, our case law has to date had precious little to say on this. The recent decision of the First-Tier Tribunal in LAD Media v IC (EA/2017/0022) is a notable exception.

LAD Media is “a lead generation and data brokerage business operating in the financial services, debt management and consumer claims sector. It sources and supplies data and leads from sources for clients’ marketing campaigns”. The ICO issued it with a monetary penalty of £50,000 for serious contraventions of PECR 2003 – in particular, for sending 393,872 SMS messages for direct marketing purposes without the necessary consent of the recipients. So far so familiar.

Rather than take the (equally familiar) route of simply folding the business and resurrecting it in a different guise, LAD challenged the penalty. The Tribunal determined the appeal on the papers. Here are the key points.

First, there was indeed a contravention of regulation 22 PECR. LAD did not have the requisite consents: “unless the data subject is able to understand what will be done with his data and by whom, he will have been deprived of his right to object to the use of that data and, in terms of regulation 22 PECR specifically, he will not be able to notify the relevant data controllers that his consent is no longer valid. The privacy notices in this case only go so far as to inform individuals that their details will be shared with unspecified third parties; this is not freely given nor specific and does not amount to a positive indication of consent.”

Second, the ICO was right to consider this a serious contravention, in part due to the number of messages, but also for this reason: “there is no evidence before us of any direct harm but it appears to us that there is a high likelihood of harm by offering loan services to those who may already have financial difficulties or addictions.”

Third, LAD ought to have known of the risk of the contravention and taken steps to prevent it: it used individuals’ data without being fully aware of the terms on which it was sourced, and its due diligence on its data suppliers was “woefully inadequate”.

Fourth, the ICO was right to issue a monetary penalty. These factors were relevant: seriousness of the contravention; woefully inadequate due diligence; failure fully to assist the ICO during its investigations; no admission or remorse.

Fifth, however, £50k was too high, given in particular (i) the size of the company, and (ii) the low levels of profits generated through the unlawful activity.

The first four points above went squarely against the company. The last is of interest because it is one of the first attempts by a Tribunal to set out in general terms the types of consideration that may inform the amount of a monetary penalty:

  • The circumstances of the contravention;
  • The seriousness of that contravention, as assessed by the harm, either caused or likely to be caused, as a result; whether the contravention was deliberate or negligent; and the culpability of the person or organisation concerned, including an assessment of any steps taken to avoid the contravention;
  • Whether the recipient of the MPN is an individual or an organisation, including its size and sector;
  • The financial circumstances of the recipient of the MPN, including the impact of any monetary penalty;
  • Any steps taken to avoid further contravention(s);
  • Any redress offered to those affected.

That list has a common-sense quality and contains no real surprises. It is of course not binding on anyone else. But it is one step on the road to judicial principles governing the setting of monetary penalties, and for that reason this decision is worthy of note ahead of the GDPR (insert usual reference to “eye-watering penalties” etc).

Chris Knight acted for the ICO in this one.

Robin Hopkins

@hopkinsrobin