Draft guidance on marketing fines issued
Updated August 2011
In May this year the Information Commissioner's enforcement powers were extended to include the power to issue fines of up to £500,000 for serious breaches of the Privacy and Electronic Communications Regulations 2003 (PEC Regulations). The PEC Regulations regulate a number of different areas, including rules in relation to marketing communications sent by email, SMS, phone and fax and rules relating to geo-location activities.
The Information Commissioner's Office (ICO) has recently published draft guidance for consultation which sets out the circumstances in which the ICO is likely to impose fines for breach of the PEC Regulations.
The ICO is empowered to impose a fine if an organisation commits a serious breach of the PEC Regulations and the breach is likely to cause substantial damage or substantial distress. In addition, the ICO must be satisfied that the breach was deliberate or that the data controller knew or ought to have known that there was a risk of a breach and failed to take reasonable steps to prevent it.
The draft guidance updates the existing guidance on monetary penalty notices which was published last year, when the power to impose fines for Data Protection Act breaches was introduced. The guidance provides examples of the types of breaches that the ICO is likely to consider sufficiently serious to merit a fine. These include making a large number of repeated automated marketing calls, sending spam emails and covertly tracking an individual's location through use of location data on mobile phones.
The draft guidance also makes it clear that fines are more likely to be imposed if breaches are deliberate or reckless or where the same breach is persistently committed.
Of particular interest to organisations will be the recommendations provided in the ICO guidance in relation to the "reasonable steps" that can be taken to prevent such serious breaches. These steps include:
- undertaking a risk assessment audit;
- establishing good governance and audit arrangements; and
- having appropriate policies, procedures and practices in place.
Organisations should be pleased to note that these steps do not represent or introduce any new security practices but serve to reinforce the importance of having sound data protection practices in place.
The consultation on the draft guidance is open until 27 September. Details are available on the ICO's website (see related links). If you require any assistance in relation to data protection matters, please contact Alison Deighton.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at August 2011. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
The information you access via the links on this update is subject to the terms and conditions of the website provider accessible via their home page and we recommend that you read such terms.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.
Contact
Alison Deighton
Partner
Tel: +44 (0)117 917 8016