ICO (UK) - EA-2023-0252-FP: Difference between revisions
Revision as of 04:32, 24 September 2024
ICO - EA-2023-0252-FP | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Article 2(1) GDPR Article 4(11) GDPR Article 22 GDPR Article 32 GDPR Privacy and Electronic Communications Directive 02/58/EC |
Type: | Other |
Outcome: | n/a |
Started: | |
Decided: | |
Published: | 02.05.2024 |
Fine: | 130,000 EUR |
Parties: | n/a |
National Case Number/Name: | EA-2023-0252-FP |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Confirmed Tribunal EA-2023-0252-FP |
Original Language(s): | English |
Original Source: | BAILII (in EN) |
Initial Contributor: | sarthak |
The General Regulatory Chamber ruled against the controller, Join the Triboo Ltd (JTT), for sending approximately 107 million marketing emails without valid consent, violating Regulation 22 of GDPR.
English Summary
Facts
The controller Join the Triboo Ltd (JTT) operates five websites: four job search websites (uk.job-search.online, uk.jobinaclick.net, findajob.website, uk.job4you.website) and one savings website (savings.direct). The controller is wholly owned by Triboo Direct, which is in turn owned by S.r.l. Triboo S.p.A, the ultimate controlling party with a market capitalization in excess of €20 million.
Between August 1, 2019, and August 19, 2020, the controller sent 108,769,000 marketing emails, of which approximately 107 million (98.3%) were received by 437,324 distinct individuals. On average, each individual received 244 emails during this period. The emails were distributed across the controller’s websites as follows: JobSearch 57%, JobinaClick 37%, FindaJob 2.8%, Jobs4U 2%, and SavingsDirect 0.7%. Users registering on the controller’s websites were presented with consent statements and privacy policies.
The original consent statements included two checkboxes: one for agreeing to receive marketing communications and another for agreeing to third-party data sharing. The registration forms also included statements such as "By Entering you agree to our privacy policy and to receive communications by email, phone, and SMS from Jobsearch." The controller’s privacy policies listed categories of third parties who might receive user data and send marketing communications. These categories included finance, insurance, utilities, telecoms, and others. Out of 459,562 people who registered on the controller’s websites during the relevant period, 253,774 (about 56%) ticked "yes" to receive marketing communications.
In August 2020, during an investigation into Leads Work Limited (LWL), the Information Commissioner's Office (ICO) became aware that the controller was selling user data to other companies. The ICO wrote to the controller on August 24, 2020 requesting information. The controller responded, identifying 20 companies to whom it had sold user data between August 1, 2019, and August 24, 2020.
The controller explained that it had managed 40 email marketing campaigns for third-party companies during the relevant period, with each email being sent to individuals on 18 occasions. The marketing emails sent by the controller included unsubscribe options at the top and bottom of each email.
In December 2021, the controller informed the ICO that it had taken steps to improve its consent statements and privacy policies. Changes included providing more details about data processing and third-party involvement, and incorporating explicit language about "data processing" and "consent."
On 17 October 2022, the ICO issued a Notice of Intent to impose a monetary penalty and a Preliminary Enforcement Notice to the controller.
On 9 December 2022, the controller submitted representations, arguing that there was no breach of PECR regulation 22, and if there was, it was not serious. They also claimed the proposed penalty was disproportionate and that the proposed enforcement terms were excessive.
On 12 April 2023, the ICO issued a Monetary Penalty Notice of £130,000 and an Enforcement Notice to the controller for contravening regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
On 10 May 2023, the controller filed a Notice of Appeal challenging both the Monetary Penalty Notice and the Enforcement Notice.
Holding
The General Regulatory Chamber (Tribunal) held that Join the Triboo Ltd (JTT) had contravened regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). This was based on JTT sending approximately 107 million marketing communications by email to 437,324 recipients between 1 August 2019 and 19 August 2020 without obtaining valid consent. The Tribunal determined that the consent obtained by JTT through its websites was neither specific nor informed as required by the GDPR definition of consent, which applies to PECR.
The Tribunal examined each website separately:
a) Jobsearch website: The first consent statement ("I agree with Marketing Activity") was found to be too vague to be a specified purpose within the GDPR. The Tribunal noted that there was no indication of who would carry out the marketing activity or whether it included communication by email. The second consent statement ("I agree with 3rd parties policy") was found to be confusing as it linked to a general privacy policy rather than a specific third-party policy. The Tribunal held that it was unclear which parts of the privacy policy applied to which consent statement, making it impossible for data subjects to identify the consequences of their consent easily. The Tribunal found that the bundle of purposes included in the policy was too broad and vague to be a specified purpose within the GDPR.
b) Jobinaclick and Findajob websites: The Tribunal applied the same reasoning as for the Jobsearch website, finding the consent statements and privacy policies similarly non-compliant.
c) Job4you website: While the consent statements were more detailed, the Tribunal found they still did not provide sufficient clarity on the nature of the "offers" to be received. The Tribunal held that the categories of companies were meaningless due to the inclusion of a catch-all "general" category. The Tribunal noted that the confusion regarding registration and consent remained due to the wording on the registration form, welcome page, and privacy policy.
d) SavingsDirect website: The Tribunal found that the consent statements were not clear that they were consenting to anything beyond receiving requested quotes for solar panel installations. The Tribunal noted that there was no reference to JTT or to the purpose of direct marketing in the consent statements.
The Tribunal deemed the breach significant due to the vast number of unsolicited marketing emails sent by JTT—107 million emails to 437,324 recipients in one year—highlighting the privacy intrusion into individuals' inboxes and the burden on recipients to manage these emails. Despite the absence of complaints, which was seen as a minor mitigating factor, the Tribunal stressed that this had limited impact, given that recipients often have easier alternatives than filing formal complaints. The focus on JTT’s business being primarily direct marketing reinforced the seriousness of the breach.
The Tribunal concluded that JTT should have been aware of the risk of violating regulations but failed to take reasonable precautions. This finding was based on the nature of JTT's business, which involved sending large volumes of direct marketing emails, the availability of clear guidance on consent requirements—such as the EDPB guidelines and the Planet49 judgment from October 2019—and the Tribunal's assessment that the relevant law was not ambiguous.
The Tribunal upheld the Commissioner’s decision to impose a Monetary Penalty Notice (MPN) of £130,000, considering it both appropriate and proportionate. Factors influencing this decision included the severity and length of the breach, JTT’s insistence during the investigation that their consent statements were compliant, their failure to promptly acknowledge the breach or take remedial action, and the need to deter similar businesses. The Tribunal also took into account JTT’s financial status, including its recent profitability and the backing of its parent company, deeming the penalty reasonable even after payment.
In conclusion, the Tribunal found that the statutory precondition for issuing an Enforcement Notice (EN) was met, as JTT had contravened regulation 22 of PECR. However, the Tribunal deferred its final decision on the appropriateness of the EN pending review of JTT's current consent statements and privacy policies.
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
[New search] [Context] [View without highlighting] [Printable PDF version] [Help] Neutral Citation Number: [2024] UKFTT 362 (GRC) Case Reference: EA-2023-0252-FP First-tier Tribunal General Regulatory Chamber (Monetary Penalty Notice) Heard on: 7 March 2024 Panel deliberations: 19 April 2024 Heard by: CVP Decision given on: 2 May 2024 Before TRIBUNAL JUDGE SOPHIE BUCKLEY TRIBUNAL MEMBER dave sivers TRIBUNAL MEMBER paul tayLor - - - - - - - - - - - - - - - - - - - - - Between join the triboo LIMITED Appellant and THE information COMMISIONER Respondent - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Representation: For the Appellant: Robin Hopkins (Counsel) For the Respondent: Eric Metcalfe (Counsel) - - - - - - - - - - - - - - - - - - - - - Decision: 1. The appeal against the Monetary Penalty Notice is dismissed. 2. The Monetary Penalty Notice is confirmed. 3. The tribunal will determine the appeal against the Enforcement Notice after it has received further submissions/evidence in accordance with the separate case management order. REASONS Introduction 1. Join the Triboo Ltd (JTT) is a web services provider operating a number of job search websites and savings websites. Its principal activities are web publicity display, e-mail marketing and mobile marketing services and client recruitment campaigns through the internet and affiliate marketing. It supplies marketing data to third parties and carry out direct marketing by email on behalf of other companies (referred to as hosted electronic marketing). 2. In a Notice of Appeal dated 10 May 2023 JTT seeks to challenge a Monetary Penalty Notice (MPN) imposing a fine of £130,000 and an Enforcement Notice (EN) both issued on 12 April 2023. 
The MPN and EN contain findings that JTT had contravened regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR) by means of sending unsolicited emails for direct marketing purposes over the period 1 August 2019 to 19 August 2020. 3. At that start of the hearing, we determined that JTT was entitled to raise certain arguments included in its skeleton argument without any need to apply to amend the grounds of appeal. 4. The Judge apologises to the parties for the delay in promulgating the decision. This was due to the need to reconvene for panel deliberations, because there was insufficient time to deliberate on the day of the hearing. Partly as a result of panel availability over the Easter break, it was not possible to reconvene earlier than 19 April 2024. 5. This is a lengthy decision. Much of this decision consists of the factual background and a summary of the pleadings and submissions, with which the parties are already familiar. For the benefit of the parties the discussions and conclusions begin at paragraph 189 on page 40. Factual background 6. We make these findings on the balance of probabilities. 7. In the course of the Commissioners investigation into Leads Work Limited (LWL) for sending unsolicited direct marketing messages in breach of regulation 22 PECR, LWL informed the Commissioner that it purchased data from, inter alia, JTT. 8. The Commissioner wrote to JTT on 24 August 2020. In its reply JTT identified 20 companies to whom it had sold its users data between 1 August 2019 and 24 August 2020. In the same period, JTT stated that it had made 8,717 direct marketing calls to users and sent 108,769,000 emails. 9. JTT sent the relevant emails to recipients who provided their email addresses via one or more of five websites operated by JTT (referred to below as the relevant websites). Four of those websites were concerned with job vacancies (the jobs websites). 
The fifth (the savings website) was concerned with money-saving offers and deals, e.g. on energy, education, finance and insurance. 10. The relevant websites are: (i) uk.job-search.online - 262,513 registered users (Jobsearch) (ii) uk.jobinaclick.net - 171,675 users (JobinaClick) (iii) findajob.website - 13,008 users (FindaJob) (iv) uk.job4you.website - 8,985 users (Job4you) (v) savings.direct - 3,381 users (SavingsDirect) 11. The versions of the consent statements and privacy policies in operation at the relevant time are referred to in this decision as the original versions/consent statements/privacy policies etc. Amended versions were introduced from, at the latest, December 2021. These are referred to as the new versions/consent statements/privacy policies etc. 12. In a letter to the Commissioner dated 20 September 2020, the director of JTT set out how the websites operated. He explained that it was necessary to register in order to use the services provided by the jobs website or to access exclusive content on the jobs websites, but that it was possible to opt in to or opt out of marketing communications by JTT and third parties: JTT operates also as a publisher, i.e. as the owner of several editorial websites (mostly focussed on job-related subjects) on which internet users can subscribe in order to access exclusive contents. When users land on the registration page, they are asked to fill out a web form in order to use the services offered by each site. The above-mentioned form, other than requiring users data functional to the subscription, provides for two additional checkboxes. Via the first one, the data subjects are asked whether they are willing to receive marketing communications; via the second one, users are instead asked whether they consent that their data may be transferred to third parties (partners/clients of JTT). 
The list of said third parties is constantly updated and can be consulted via in the privacy policy, which link is available in the registration form and in any websites footer. These checkboxes are not pre-flagged, and consent can be provided through them freely and in an unambiguous way by the user. In fact, if a data subject decides not to flag either of these two check boxes, he can still resume the registration process and use the services offered by the website freely and without any implication of impairment. If, on the other hand, the data subject flags the marketing communication checkbox, he will receive advertising communications (email or phone communication only) from JTT. Only if the second checkbox is flagged data will be transferred to third parties. 13. JTTs representatives when responding to the Notice of Intent in a letter to the Commissioner dated 9 December 2022, stated as follows: there is separation between data provided for Jobsearch purposes, which is held in one place, and data which is provided for direct marketing services, which is never in use for the job search process. Only if the user provides his or her information to our client for electronic marketing purposes does our client hold such data at all for marketing purposes. 14. The original consent statement for Jobsearch contains the following wording (p 252): I agree with Marketing Activity ¡ Yes ¡No I agree with 3rd parties policy ¡ Yes ¡No 15. The consent statement appears in the middle of the registration form for Jobsearch. At the top of the page is the word REGISTER. Below that is the heading REGISTER for free today!. The registration form has boxes for email, title, name, date of birth, mobile number, address and industry. It then includes the consent statement as set out above. 16. There is then a section on Trades Courses which contains a further yes/no check box in relation to contact from Trades Courses by SMS. 17. 
The registration form finishes with the following statement: By Entering you agree to our privacy policy and to receive communications by email, phone and SMS from Jobsearch. This is followed by a click box containing the word Register. 18. We have also been provided with a printout of a page on the website entitled Welcome to JobSearch which includes the following statement Register now with JobSearch to kickstart your search. It then states: By registering with JobSearch you will not be starting the actual application process and your details will not immediately be passed to the recruiter. By registering with JobSearch you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions. 19. The hyperlinks to the privacy policy and the 3rd parties policy link to the same document. We refer to as the original privacy policy. It is entitled Privacy Policy and is at p 271 of the bundle. 20. We have read and taken account of the entire original privacy policy for Jobsearch, but we have reproduced some relevant extracts in an open annex to this decision. 21. The original consent statement for JobinaClick (p 256) is materially identical to the one for Jobsearch. 22. The original consent statement for Findajob is the same except it states I agree with 3rd parties policy including Scottish Power (p318). 23. The original privacy policies for Jobinaclick and Findajob are materially identical to the original Jobsearch privacy policy. 24. The original consent statement for Job4you is slightly different (p335). It states: Agree to receive offers by email from job4you, on behalf of selected companies (https://uk.job4you.website/registration/index.php?module=site&method=privacy) that we believe will be of interest to you. 
These companies are within the following categories: Automotive, Retail, Finance, Insurance or General. ¡ Yes ¡No Agree that job4you partners (https://uk.job4you.website/registration/ index.php?module=site&method=privacy) may contact you with more interesting offers by email or telephone. You can opt-out of these communications at any time. ¡ Yes ¡No 25. The registration page ends with a slightly different statement to the Jobsearch page: By clicking register you confirm that you have read and agreed to Job4you Privacy Policy. (https://uk.job4you.website/registration/index.php?module=site&method=privacy) 26. The welcome page is similar to that for Jobsearch. It also provides that: By registering with Job4you you will not be starting the actual application process and your details will not immediately be passed to the recruiter. By registering with Job4you you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions. 27. The original privacy policy for Job4you is in the bundle. It is too small to read. The Commissioner notes in the PECR investigation report that it is identical to the privacy policies for the other jobs websites and we proceed on that basis. 28. The SavingDirect website states that its purpose is to help you find the best quote for your solar panel installation. It states Once you complete the form we will immediately begin to find the best quotes for you, based on your requirements, from up to four MCS certified installation companies. They will then get in touch with out directly with competitive quotes. 29. The SavingDirect consent statements are embedded in a box entitled Request a free quote with a final button reading Request a callback. The box has a number of sections for title, first name, email address and a dropdown box for what work do you require. 
The form then includes the following: ¡ I agree ¡ I do not agree By entering you agree to receive communications by email, phone, and sms from Saving Direct. ¡ I agree ¡ I do not agree By entering you agree to receive communications by email, phone, sms and post from 3rd parties. By entering you agree to our Privacy Policy and Terms and Conditions. 30. The original privacy policy for SavingDirect is similar but not identical to that used on the job websites. It contains the same categories and subcategories in which emails may be sent. The list of business partners and clients is much shorter and only includes three companies. 31. Over the relevant period, a total of 459,562 people registered on the relevant websites; of those, a total of 253,774 people, around 56% of those who registered, ticked the yes box to receive marketing communications. 32. In the period in question JTT sent 108,769,000 emails. Of these, approximately 107 million (equating to 98.3%) were received. JTT explained that it had managed 40 email marketing campaigns in the relevant period on behalf of third-party companies, with each email having been sent to individuals on 18 occasions. In each instance. The approximate percentage breakdown of the emails is: JobSearch 57%; JobinaClick 37%; FindaJob 2.8%; Jobs4U 2%; SavingDirect 0.7%. 33. The 107 million delivered emails were sent to 437,324 distinct individuals. This meant that each individual would have received on average 244 emails during the relevant period. 34. Examples of emails sent by JTT during the relevant period are at p 353 onwards. At the top of the email is the following: If you no longer wish to receive emails from us Click Here 35. At the bottom of the email is the following: Unsubscribe from this list You have received this email to [redacted] as a registered user of [Jobsearch]. If you no longer wish to receive emails from Join The Triboo Ltd VAT: GB102437752 - privacyuk@triboo.com please click the link above. 
Click here to see the privacy policy. This email and your data are controlled by Join The Triboo Ltd, 239 High Street Kensington, London, W8 6SN, United Kingdom. 36. The Commissioner has not received any complaints in relation to JTT about any of these emails. 37. JTT informed the Commissioner in December 2021 that it had taken certain steps to improve its consent statements and privacy policies. In its letter of 9 December 2021 JTT stated that the changes generally included: a. Providing more details about how the data subjects data will be processed, including the various means of communications; b. Providing more details about the steps that are likely to be taken in respect of the data subjects data where third parties are involved; c. Incorporating the language of data processing and consent to build upon the previous affirmative and unambiguous language in obtaining consent; and d. Including the name and the respective privacy policy (by hyperlink) of relevant third parties, if not already provided. 38. The new consent statement for JobSearch is worded as follows (p 410): I agree to the processing of my data for marketing purposes by email, phone, and SMS from Join the Triboo: Yes/No I consent to the communication of my data to third parties listed in the Join The Triboo's privacy policy and their customers for their marketing purposes: Yes/No 39. The other new consent statements are similarly worded. We have not been provided with copies of the new privacy policies. 40. On 17 October 2022 the Commissioner issued a Notice of Intent to issue a monetary penalty and a Preliminary Enforcement Notice to JTT. Representations were received on 9 December 2022. 41. In the representations JTT stated as follows: 41.1. There was no breach of regulation 22 PECR. 41.2. To the extent that there was a breach it was not serious. 41.3. The proposed monetary penalty was disproportionate. 41.4. The proposed enforcement terms were excessive relative to the wording of 22 PECR. 42. 
The MPN and EN were issued on 12 April 2023. 43. The turnover of JTT was as follows in 2019-2022: Year ending 31 December 2022: £1,508,662 Year ending 31 December 2021: £1,130,265 Year ending 31 December 2020: £956,144 Year ending 31 December 2019: £1,715,930 44. JTT made the following gross profit, before administrative and other operating expenses, in those years: Year ending 31 December 2022: £665,227 Year ending 31 December 2021: £478,561 Year ending 31 December 2020: £426,046 Year ending 31 December 2019: £547,586 45. JTT made the following annual operating profit or loss: Year ending 31 December 2022: £36,014 Year ending 31 December 2021: £9,715 Year ending 31 December 2020: (£180, 616) or (£141,801) before finance costs Year ending 31 December 2019: (£219,620) or (£184,871) before finance costs 46. In relation to bank accounts and cash reserves the information in the bundle relates to December 2022. At that stage JTT had no cash reserves and a negative bank balance. The accounts from 2021-2022 also show no cash reserves and a negative bank balance. 47. JTT is wholly owned by Triboo Direct which is wholly owned by S.r.l. Triboo S.p.A which is the ultimate controlling party. Triboo S.p.A has market capitalisation in excess of 20 million. 48. The following statement appears in JTTs accounts for the year ended 31 December 2022 on Companies House: The directors have considered the use of the going concern basis for the financial statements and have confirmed this is appropriate. It is fully expected that the company will continue to trade for at least twelve months from the date of these financial statements and has guaranteed support of its parent company to do so. The Law 49. The breaches relied on by the Commissioner took place between 1 August 2019 and 19 August 2020. At that date Regulation 2016/679 (the GDPR) was in force in the United Kingdom. The GDPR rather than the UKGDPR is the relevant underlying legislation for this appeal. 50. 
PECR implemented the Privacy and Electronic Communications Directive 02/58/EC (the Directive) in domestic law. The Commissioners power to impose a monetary penalty notice, JTTs right of appeal and the tribunals jurisdiction to hear the Appeal all derive from the Data Protection Act 1998 (DPA 1998). The repeal of DPA 1998 does not affect its operation insofar as it relates to PECR: paragraph 58 of Schedule 20 to the Data Protection Act 2018. 51. Regulation 22 of PECR provides: (1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers. (2) Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender. (3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where (a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; (b) the direct marketing is in respect of that persons similar products and services only; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication. (4) A subscriber shall not permit his line to be used in contravention of paragraph (2). 52. 
Reg 2(1) defines a subscriber as a person who is a party to a contract with a provider of public electronic communications services for the supply of such services. 53. Section 11(3) DPA 1998 defines direct marketing as, the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals. This definition applies for the purposes of the PECR. 54. The definition of consent under PECR is set out in article 4(11) of Regulation 2016/679 (the GDPR): consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. 55. We find that the following recitals are a helpful guide to interpretation of regulation 21(4). 55.1. Recital 32 of GDPR provides: When the processing has multiple purposes, consent should be given for all of them. 55.2. Recital 42 materially provides that: For consent to be informed, the data subject should be aware at least of the identity of the controller. 55.3. Recital 43 states that: Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case. 56. The Upper Tribunal in Leave.EU Group Limited and Eldon Insurance Services Limited v IC (GIA/921/2020, GIA/922/2020 & GIA/923/2020) (Leave.EU) considered the meaning of specific and informed consent as follows: 48. There are two decisions of the Court of Justice (CJEU) which are helpful in this context: Case C-673/17 Verbraucherzentrale Bundesverband eV v Planet49 GmbH (EU:C:2019:801) [2020] 1 WLR 2248 (Planet49) and Case C-61/19 Orange Romania SA v ANSPDCP (EU:C:2020:901) (Orange Romania) . 49. The Planet49 case concerned an online promotional lottery. 
The registration process involved the installation of cookies on users' computers and pre-selected boxes agreeing to being contacted by third parties. In the first instance, users who wished to enter the lottery were presented with a generic opening statement as to their consent to receiving information from certain sponsors and cooperation partners. However, they then had the opportunity to specify their preferences in considerable detail (see the CJEU judgment at [26]-[30]). The Court of Justice ruled that the indication of the data subject's wishes referred to in Article 2(h) of Directive 95/46 must, inter alia, be specific in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject's wishes for other purposes (at [58]). The Court also agreed with the Advocate General that clear and comprehensive information (as required by Article 5(3) of the 2002 Directive) implies that a user must be in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed (CJEU judgment at [74]).

50. Furthermore, the passage at paragraph [58] of the Court of Justice's judgment was expressly adopted in Orange Romania (at [38]).
Likewise, and notably, the Court reaffirmed the passage from Planet49 at [74] in Orange Romania at [40]:

[40] As regards the requirement arising from Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679 that consent must be informed, that requirement implies, in accordance with Article 10 of that directive, read in the light of recital 38 thereof, and with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed (see, by analogy, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 74).

51. We consider that Planet49 and Orange Romania are high authority as to the proper approach to the meaning of consent in this context. The decisions are especially helpful as regard the requirement that consent be both specific and informed. They set a relatively high bar to be met for a valid consent.

57. A breach of the Regulations is a matter falling under s 55A of the DPA 1988 which provides (when applied to regulations 19 to 24 of PECR, see regulation 2 of PECR 2015):

(1) The Commissioner may serve a person with a monetary penalty notice if the Commissioner is satisfied that

(a) there has been a serious contravention of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and

(b) Subsection (2) or (3) applies.

(2) This subsection applies if the contravention was deliberate.
(3) This subsection applies if the person

(a) knew or ought to have known that there was a risk that the contravention would occur, but

(b) failed to take reasonable steps to prevent the contravention.

58. The Upper Tribunal in Leave.EU at paragraph 70 explains:

70. MPNs represent one part of a suite of enforcement measures available to the Commissioner. In this context we note that Directive 2009/136/EC (the 2009 Directive) amended the 2002 Directive, in part to strengthen enforcement of the rules governing the use of electronic mail for direct marketing. Article 15a(1) of the 2002 Directive, as amended, provides ( ): Members States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.

59. The maximum limit for a MPN under the DPA 1998 is £500,000 (s 55A(5) and reg 2 of the Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31; the 2010 Regulations). The information that must be contained in the MPN includes, the reasons for the amount of the monetary penalty including any aggravating or mitigating features the Commissioner has taken into account.

60. S 55B sets out the procedural requirements of imposing a monetary penalty notice, including at subsection (1) that the Commissioner must serve the data controller with a notice of intent before serving the monetary penalty notice. Article 2 of the Data Protection (Monetary Penalties) Order 2010 (the Order) requires the Commissioner to consider any written representations made in relation to a notice of intent when deciding whether to serve a monetary penalty notice.

61.
Section 55B(5) DPA 1998 provides: A person on whom a monetary penalty notice is served may appeal to the Tribunal against

(a) the issue of the monetary penalty notice;

(b) the amount of the penalty specified in the notice.

62. The s 55B(5) right of appeal is to be determined in accordance with s 49 DPA 1998. This provides that the tribunal shall allow the appeal and (or) substitute another Notice if the Notice is not in accordance with the law or to the extent that the Commissioner exercised her discretion, it should have been exercised differently.

63. S 160 DPA 2018 requires the Information Commissioner to publish a Regulatory Action Policy giving guidance about how she proposes to exercise her functions under the DPA 2018. This was published in November 2018. The Commissioner also publishes internal guidance which it uses when deciding the level of an MPN:-

The [Case Working] Group will determine a starting figure that reflects the nature and seriousness of the contravention of the Act by the data controller or collection of breaches of PECR by a person. This will involve looking at the nature of the contravention or collection of breaches together with the scope of the potential harm caused, and a consideration of what is reasonable and proportionate, given the circumstances of the case. The initial view is based on the sanction available based on the statutory maximum of £500,000, which will be considered against a nature and seriousness rating as follows:

Level A = £1 to £10,000
Level B = £10,001 to £40,000
Level C = £40,001 to £100,000
Level D = £100,001 to £250,000
Level E = £250,001 to £500,000

Once the level of nature and seriousness has been determined, the starting figure will be set by moving upwards or downwards in the band dependent on the specific circumstances of the case.
For PECR breaches, the Group will take into account the number of unlawful communications which were the subject of complaints, the types of complaints and the period over which the collection of PECR breaches extended.

64. In relation to seriousness the Upper Tribunal in Leave.EU emphasised that it was a factually specific issue in each case but noted at para 81 that the number of emails involved gives a sense of scale. On any reckoning, over a million emails is a serious number and the FTT was entitled to take that as a starting point.

65. The European Data Protection Board (EDPB) has produced guidelines on consent (Guidelines on consent under Regulation 2016/679, Version 1.1, Adopted on 4 May 2020). In Rondon v Lexisnexis Risk Solutions UK Ltd [2021] EWHC 1427 (QB) Collins Rice J stated at paragraph 87 that guidelines produced by EDPB have weight which goes beyond expert commentary on the primary text. They do not constitute law but are an important indicator of whether or not ambiguity genuinely exists and, if it does, the best approach to understanding it. They have to be given commensurate weight.

66.
Section 40 DPA 1998 (as it applies to PECR) provides:

(1) If the Commissioner is satisfied that a person has contravened or is contravening any of the requirements of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (in this part referred to as the relevant requirements), the Commissioner may serve him with a notice (in this Act referred to as an enforcement notice) requiring him, for complying with the principle or principles in question, to do either or both of the following-

(a) to take within such time as may be specified in the notice, or to refrain from taking after such time as may be specified, such steps as are so specified, or

(b) to refrain from processing any personal data, or any personal data of a description specified in the notice, or to refrain from processing them for a purpose so specified or in a manner so specified, after such time as may be so specified.

(2) In deciding whether to serve an enforcement notice, the Commissioner shall consider whether the contravention has caused or is likely to cause any person damage.

67. Section 160(6) of the DPA 2018 provides in relation to Enforcement Notices that the Commissioner must produce and publish guidance on his regulatory action policy as follows:

(6) In relation to enforcement notices, the guidance must include

(a) provision specifying factors to be considered in determining whether to give an enforcement notice to a person;

(b) provision about the circumstances in which the Commissioner would consider it appropriate to give an enforcement notice to a person in reliance on section 150(8) (urgent cases);

(c) provision about how the Commissioner will determine how to proceed if a person does not comply with an enforcement notice.

68.
In accordance with section 160(6)(a), the Regulatory Action Policy (RAP) guidance on enforcement notices (pp.22-23) reads as follows:

Enforcement notices will usually be appropriate where specific correcting action (or its prevention) may be required. Although this is not an exhaustive list, an enforcement notice may be required in such circumstances as:

• repeated failure to meet information rights obligations or timescales for them (e.g. repeatedly delayed subject access requests);
• where processing or transfer of information to a third country fails (or risks failing) to meet the requirements of the data protection legislation;
• where there is an ongoing NIS [Network and Information Systems] incident requiring action by a digital service provider;
• there is a need for the ICO to require communication of a data security breach to those who have been affected by it; or
• there is a need for correcting action by a certification body or monitoring body to ensure that they meet their obligations.

69. This is not intended to be a comprehensive code covering every circumstance in which an enforcement notice may be appropriate (see paragraph 99 of Leave.EU).

70. Section 47 provides that a person who fails to comply with an enforcement notice is guilty of an offence.

71. In relation to proportionality the Upper Tribunal said the following at paragraph 107 of Leave.EU:

107. We start from the proposition that, as Lord Reed put it in Pham v Secretary of State for the Home Department [2015] UKSC 19; [2015] 1 WLR 1591 at paragraph [113]: it is helpful to distinguish between proportionality as a general ground of review of administrative action, confining the exercise of power to means which are proportionate to the ends pursued, from proportionality as a basis for scrutinising justifications put forward for interferences with legal rights.

108. The present types of appeals plainly fall into the former rather than the latter camp.
The correct proportionality test in a full merits review appeal is simply whether a fair balance has been struck between means and ends (see e.g. R v Barnsley Metropolitan Borough Council, Ex p Hook [1976] 1 WLR 1052). Structuring this approach through the prism of the three-fold EU proportionality test does not work - as Mr Knight pointed out, there will always be a less restrictive alternative to the imposition of a penalty (such as an informal warning or no regulatory action at all). Moreover, if the EU proportionality argument had any legs in this context, we would have expected it to have been run in previous case law. It is noteworthy in that regard that very experienced counsel made no such submissions in Central London Community Healthcare NHS Trust v Information Commissioner [2013] UKUT 551 (AAC), despite launching a head-on challenge to many other aspects of the MPN regime, and an analogous argument did not find favour with Judge Wikeley in UKIP v Information Commissioner [2019] UKUT 62 (AAC) at paragraphs 28-29.

The jurisdiction of the First-tier Tribunal

72. This is a full-merits review type of appeal. We stand in the shoes of the Commissioner. If there is a mistake by the Commissioner, whatever the nature of that mistake, we make the decision that the Commissioner could have made.

The MPN

73. The contravention is detailed in the MPN as follows:

44. The Commissioner finds that between 1 August 2019 to 19 August 2020, 107 million direct marketing emails were received by subscribers. The Commissioner finds that JTT transmitted those direct marketing messages, contrary to regulation 22 of PECR.

45. JTT, as the sender of the direct marketing, is required to ensure that it is acting in compliance with the requirements of regulation 22 of PECR, and to ensure that valid consent to send those messages had been obtained.

46.
In this instance JTT is required to demonstrate that the consent is freely given, specific, informed, and contains an unambiguous indication from the individual via an affirmative action.

47. Consent is required to be specific as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

48. Consent will not be informed if individuals do not understand what they are consenting to. Organisations should therefore always ensure that the language used is clear, easy to understand, and not hidden away in a privacy policy or small print. Consent will not be valid if individuals are asked to agree to receive marketing from or on behalf of similar organisations, partners, selected third parties or other similar generic description.

49. The consent statement for uk.job-search.online, uk.jobinaclick.net and findajob.website simply states "I agree with marketing activity". It is not specific and does not inform an individual as to what marketing activity will take place, via what means, nor who the marketing will be by or on behalf of. Indeed, the privacy policy states that marketing may be carried out for third parties who may operate in any business sector and are referred to as business partners and clients. There is then a list of broad generalised categories and subcategories of organisations on behalf of which marketing may be sent. This statement was active on three out of four job websites, which obtained 96.8% of the consents obtained by JTT during the relevant period.

50. The UK.Jobs4you.website consent statement is more descriptive, but is neither specific nor informed. It refers to receipt of emails on behalf of selected companies and contains broad categories, including general. Individuals could not possibly be informed as to what a general company might be. The privacy policy is the same as detailed above.

51.
The Savings.Direct consent statement pre-packages all the consent channels into a single statement and thus cannot be said to be specific. It is also not informed as it does not describe that any marketing will occur, instead stating that communications will be sent. Again, the privacy policy is the same as the job websites save that it includes details of three named business partners or clients.

52. The Commissioner has considered the consents obtained by JTT and finds that in each case they do not comply with the requirements of Article 4(11) of the GDPR.

53. The Commissioner is therefore satisfied from the evidence he has seen that JTT did not have the necessary valid consent for the 107 million direct marketing messages received over the relevant period.

54. As the data was not collected during the course of a sale or negotiation between JTT and the recipients of the emails, the Commissioner is satisfied that the provisions of regulation 22(3) PECR (the soft opt-in) do not apply in this case.

74. The Commissioner went on to consider if the conditions under s 55A were met.

75. The Commissioner was satisfied that the contravention was serious because over a period of approximately one year a confirmed total of 107 million direct marketing messages sent by JTT were received by 437,324 distinct individuals. This means that each individual received on average 244 emails during the relevant period. These messages contained direct marketing material for which subscribers had not provided valid consent.

76. The Commissioner acknowledged that no complaints have been identified in relation to the sending of these emails, but is unsurprised by this given that the email marketing was hosted, and JTT's role would not necessarily have been apparent to recipients. This is particularly so given that the broad range and content of the marketing emails was far removed from the context of the job search websites to which recipients had registered.

77.
The Commissioner concluded that JTT knew or ought to have known that there was a risk that this contravention would occur because:

77.1. The Commissioner has published detailed guidance, the ICO operates a telephone helpline and ICO communications about previous enforcement actions are readily available;

77.2. The issue of unsolicited marketing has also been widely publicised by the media as being a problem;

77.3. JTT is an experienced host marketer and data supplier which has been operating in excess of 10 years, and so should have had a full understanding of the obligations imposed on them;

77.4. JTT was aware of the Commissioner's prior investigation into LWL, and his concerns about the validity of consent to send marketing messages based upon data supplied by third parties, including JTT. This should have alerted JTT to the possibility that the consent it used to send marketing emails was inadequate.

78. The Commissioner concluded that JTT failed to take reasonable steps to prevent the contravention because JTT should have familiarised itself with, and ensured that the consent statements in its websites complied with Article 4(11) of GDPR in order to collect compliant data. JTT could have consulted ICO guidance or obtained further advice if it was unclear. The consent statements and privacy policies should have been specific as to what and how marketing was to occur, and informed as to the identity of third parties on whose behalf JTT hosted marketing. Whilst JTT stated it has undergone a legal review of its processes and procedures, and has since updated its consent statements, the Commissioner considered that the changes made were still insufficient to equate to compliant consent statements, particularly as all marketing channels remain bundled together and do not reference any of the third parties on behalf of whom JTT host marketing.

79. In determining to issue a MPN the Commissioner considered that there were no aggravating features.

80.
The Commissioner took account of the mitigating feature that JTT had taken some steps to change its consent statements, however these were insufficient to satisfy the requirements of PECR, and so the Commissioner did not view this as justification to reduce the penalty.

81. The Commissioner attempted to consider the likely impact of a monetary penalty on JTT and decided on the information available to him that a penalty remained the appropriate course of action.

82. The Commissioner stated that his underlying objective in imposing a monetary penalty notice is to promote compliance with PECR. The Commissioner stated that he had had regard to the factors set out in s108(2)(b) of the Deregulation Act 2015; including: the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business, and the likely impact of the proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses.

83. In relation to the amount of the penalty, the Commissioner decided that a penalty in the sum of £130,000 was reasonable and proportionate given the particular facts of the case and the underlying objective in imposing the penalty.

The EN

84. The EN relies on the same breach as that set out in the MPN. In relation to the issuing of the EN the Commissioner stated:

27. The Commissioner has considered, as he is required to do under section 40(2) of the DPA (as extended and modified by PECR) when deciding whether to serve an Enforcement Notice, whether any contravention has caused or is likely to cause any person damage or distress.
The Commissioner has decided that it is likely that JTT's actions had the potential to, or did, cause damage or distress to the subscribers who received the unlawful marketing messages.

28. In view of the matters referred to above the Commissioner hereby gives notice that, in exercise of his powers under section 40 of the DPA, he requires JTT to take the steps specified in Annex 1 of this Notice.

85. The EN required JTT to take the following steps within 30 days of the date of the notice: Except in the circumstances referred to in paragraph (3) of regulation 22 of PECR, neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified JTT that he clearly and specifically consents for the time being to such communications being sent by, or at the instigation of, JTT.

The Appeal

86. The grounds of appeal are, in summary, as follows:

Ground One JTT did not contravene regulation 22 PECR as alleged by the Commissioner

Ground Two Even if it did contravene regulation 22 PECR, the MPN and EN could not have been issued because other statutory preconditions were absent.

Ground Three Even if the Commissioner had a discretionary power to issue the MPN and/or EPN it exercised that discretion wrongly.

Ground 1 - there was no contravention

87. JTT argues that the Commissioner's conclusion that the opt-ins were insufficiently specific and informed is wrong because:

87.1. The Commissioner ought to have asked itself whether these opt-ins were specific indications of agreement to the purpose of the intended processing, i.e. marketing communications by electronic means.

87.2. The Commissioner wrongly interpreted Article 4(11) GDPR as requiring specificity as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it.

87.3.
In any event the opt-ins were sufficiently specific and provided on a sufficiently informed basis.

87.4. Both the specific and sufficiently informed criteria need to be assessed in context. The only realistic conclusion is that individuals knew what they were signing up for and chose to sign up. That is reinforced by the fact that the Commissioner did not receive a single complaint. JTT made clear, on each of the emails that it sent, that it was the sender, and it included a clear opt-out with which it complied promptly.

Ground 2 - the MPN and EN could not have been issued.

88. JTT argues that the contravention was not serious. At its highest it is a technical and marginal contravention based on differing views as to the requisite standard for specific and informed consent. There was no damage or distress nor any (or any material) impact on individuals' privacy rights. The volume of emails does not support a conclusion of seriousness.

89. It is submitted that JTT did not have the requisite guilty mind within the meaning of s. 55A(3) DPA 1998. JTT's interpretation of and approach to consent was (at its lowest) reasonable, and it was thus reasonable for it not to take other steps to change its approach at that time. It is insufficient to simply assert that JTT should have known what the law was.

90. It is submitted that there is no basis for concluding that the alleged contraventions of regulation 22(2) were likely to cause anyone damage. The Commissioner has apparently applied a standard of likely to have the potential to which is wrong in law.

Ground 3 - wrong exercise of discretion

91. It is submitted that the Commissioner exercised its discretion wrongly because:

91.1. The Commissioner failed to properly apply its policies and this case was not sufficiently serious to justify enforcement action. The MPN and EN are disproportionate.

91.2. The Commissioner unfairly implied that JTT was not a legitimate company.

91.3. The alleged contravention is not serious.

91.4.
Both the MPN and the EN would cause unjustifiable and enormous harm to JTT's legitimate business. JTT provided information showing inter alia that, for the year to 31 December 2020, it had an operating loss of £141,801. A MPN of £130,000 would be terminal for JTT's business in those circumstances. The ICO either failed to consider the detailed information JTT provided about financial impact, or it failed to appreciate the terminal impact of this MPN, or it intended the MPN to have that terminal impact. On any of those scenarios, the ICO was wrong to impose this MPN.

91.5. The ICO has treated JTT unfairly in failing to acknowledge any mitigating steps, except to note at para. 73 of the MPN that JTT has taken some steps to change its consent statements.

91.6. The EN contains no reasoning. There is no utility in issuing an EN that simply requires compliance with the law, and the ICO should not have done so here.

The response of the Commissioner

Ground 1 - JTT's contravention of reg 22 PECR was plain and obvious

92. It is noted that JTT cites no authority for a watered-down approach to the issue of specific consent. Read in light of the CJEU's decisions in Verbraucherzentrale Bundesverband eV v Planet49 GmbH (EU:C:2019:801) [2020] 1 WLR 2248 (Planet49) and Case C-61/19 Orange Romania SA v ANSPDCP (EU:C:2020:901) (Orange Romania) it is submitted that the Commissioner's requirement that direct marketers demonstrate each user's consent as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it is hardly an exacting or an excessive standard.

93. The opt-ins in relation to three of JTT's websites (uk.job-search.online, uk.jobinaclick.net and findajob.website) were no more specific than "I agree with marketing activity".

94.
As regards the link to the privacy policy, there was no separate 3rd party policy referred to but only a bland reference to marketing activities for third parties, who may operate in any business sector and who are elsewhere referred to as JTT's business partners and clients. Individuals are informed in the policy that they may be contacted by email within 11 broad categories including financial or clubs, organisations and web sites/portals. The policy also contains a very broad statement concerning the potential disclosure of data.

95. In relation to uk.jobs4you.website, the consent statement referred to offers by email from job4you on behalf of selected companies that we will be of interest to you within one of five specified categories including the catch-all General. In relation to savings.direct, the consent statement stated that by entering you agree to receive information & offers by email, phone, SMS and post from 3rd Parties, but makes no mention of any marketing, only communications made for purposes unspecified and unknown.

96. In all the circumstances, it is submitted that the Commissioner was plainly right to conclude that JTT had failed to provide users of the websites with sufficiently detailed information about its direct marketing to enable them to give consent that was both specific and informed.

97. It is submitted that the fact that half of users signed up and half did not says nothing whatsoever about whether the information provided was sufficiently detailed to enable an informed choice to be made.

98. The Commissioner submitted that it is unsurprising that the Commissioner received no complaints since users who received the emails would not have appreciated any link to the websites operated by JTT.

99. It is submitted that sending 107 million marketing emails in the space of little over 12 months was plainly an intrusion into the privacy of those recipients who had never properly consented to them in the first place.
Ground 2 - the Commissioner was entitled to issue the notices

100. It is submitted that sending 107 million emails in little more than a year without valid consent cannot be described as technical or marginal. JTT does not know if there was damage or distress or material impact on recipients' privacy rights. The potential for very large numbers of infringements is a reason for greater caution.

101. The Commissioner submitted that JTT's argument that it could not have known about the risk is fanciful. The PECR guidance made clear the need for specific and informed consent and JTT is an experienced operator.

102. The Commissioner found that there was damage as well as distress and it is submitted that the exclusion of distress only applies to the making of an EN not a MPN under section 55A.

Ground 3 - the decisions to issue the notices involved a correct exercise of discretion,

103. It is submitted that there has been no failure by the Commissioner to follow his own Regulatory Action Policy or his Internal Procedure. JTT remains unable to point to any specific respect in which they are incompatible with his published policies.

104. The Commissioner submitted that the reference to legitimate companies made in a press release following the issue of the EN has no bearing on the validity of the EN.

105. It is submitted that if the statutory conditions are satisfied it cannot be argued that the contravention was not serious. It is not unlawful for the Commissioner to exercise his discretion to issue notices in cases where the statutory criteria for those notices to be issued are met.

106. Although JTT has an operating loss of £1414,801 in the year ending 31 December 2020, JTT's annual revenues for the same year were £956,114. JTT is part of a large international group whose parent company has market capitalisation in excess of 20 million. The Commissioner submitted that it is very unlikely that the monetary penalty notice would have a terminal impact on JTT's business.

107.
The Commissioner submitted that he took into account that JTT had taken steps to change its consent statements. He disagreed that JTT's interpretation was reasonable.

108. Given, however, that JTT continued its operations even after being notified of the Commissioner's concerns, an enforcement notice, according to the Commissioner, was plainly a necessary and reasonable step to prevent further contraventions of the law.

Reply by JTT

109. To the extent that the Commissioner took information about Triboo SpA into account, he failed to include this in the Notices. Consequently, it is submitted that the Notices are defective for, and the decision to serve them is vitiated by, a failure to give adequate reasons. It is submitted that the Commissioner unlawfully and unfairly failed to give JTT an opportunity to address this issue. The market capitalisation of Triboo SpA is irrelevant.

110. It is submitted that the revenue of JTT is irrelevant when considering its ability to pay a penalty. JTT accordingly stands by the point that a MPN of £130,000 would be terminal for JTT's business.

Evidence

111. The tribunal read and took account of a bundle of documents.

The issues

112. The issues for the tribunal to determine are:

112.1. Were the relevant emails sent in contravention of regulation 22(2) PECR because the consent was insufficiently specific and informed?

112.2. Were the statutory conditions for issuing a MPN present:

112.2.1. Was the convention serious?

112.2.2. Did JTT know or ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention?

112.3. Were the statutory conditions for issuing an EN present?

112.4. If so, should the Commissioner have issued the MPN and/or the EN?

Skeleton arguments/oral submissions

Skeleton argument/oral submissions of JTT

(i) Summary of key points

113. Mr.
Hopkins submitted that it was highly relevant that some 2.5 years had elapsed between the end of the relevant period (August 2019 to August 2020) and the decision to issue the notices in April 2023. He submitted that the tribunal, standing in the shoes of the Commissioner in April 2023, should take into account the new versions of the consent statements when deciding whether to exercise discretionary enforcement functions. Mr. Hopkins submitted that the Enforcement Notice was entirely useless because things had changed by then. He said that the notices were an irrational and pointless exercise of the discretion to impose sanctions because they were directed at a target that has long since fallen away, because JTT's practices had been changed since at least December 2021.

114. Mr. Hopkins submitted that any contravention cannot possibly be categorised as serious. He drew the tribunal's attention to an important structural feature of this case which he says distinguishes it from many other PECR cases that end up before the tribunal, in that the marketing emails are triggered by a voluntary opt-in box. He submitted that users of the website were entitled to choose without any adverse consequences whether to say yes or not to third party contact. There is no pre-ticked box, there is no reliance on users having done something else such as transacted with JTT or signed up for a product or a service. In those circumstances Mr. Hopkins submitted that it makes no sense to call a contravention serious and issue draconian enforcement notices where emails have been sent specifically because individuals decided to tick the yes box. This is bolstered by the fact that there were no complaints.

115. Mr. Hopkins submitted that even if the Commissioner establishes that the statutory conditions were met, he was wrong to exercise his discretion to take enforcement action, relying on the same points relied on in relation to seriousness.
Further it was submitted that it is simply wrong to issue a monetary penalty notice that would be terminal for JTT's business.

(ii) Relevant facts

116. Mr. Hopkins submitted that marketing emails were only sent by JTT or third parties to those who chose to register on one of these websites and filled in the registration details. However that was not sufficient. The individual also had to tick a yes or no box. Mr. Hopkins stated that it was important to note that this was not a regime where, if you did not tick yes, you could not proceed. Mr. Hopkins submitted that you could register and receive updates about job vacancies even if you chose to say no to the marketing communications.

117. In support of this Mr. Hopkins relied on the letter from JTT to the Commissioner dated 21 September 2020 which states at p 294 of the bundle: "These checkboxes are not pre-flagged, and consent can be provided through them freely and in an unambiguous way by the user. In fact, if a data subject decides not to flag either of these two checkboxes, he can still resume the registration process and use the services offered by the website freely and without any implication or impairment."

118. Mr. Hopkins took the tribunal to examples of the consent statements and privacy policies in the bundle.

119. Mr. Hopkins submitted that even if the tribunal took the view that the wording was ambiguous in relation to whether or not consent was given merely by entering the website or registering, in fact emails were not sent unless the consent box was ticked. He submitted that these enforcement notices relate to the sending of the emails, they are not a penalty for having materials that are not clear or transparent.

120. Mr. Hopkins submitted that the consent statement had to be read as a package with the privacy policy. He submitted that the privacy policy gives a comprehensive and detailed list of the third parties who might contact the individual and gives links to their privacy policies.
It provides specific details of the different types of marketing activities and the different sectors. The individual will understand what they will be getting: they are going to be sent offers for products and services within the categories in the list by the companies in the list.

121. On the basis of the privacy policy, Mr. Hopkins submitted that there is amply sufficient information to enable the people using the website and contemplating whether to click no or yes to understand exactly what they were signing up for if they clicked yes.

122. Mr. Hopkins argued that the fact that over the relevant period around 56% ticked the boxes saying yes, suggests that people could and did exercise a genuine choice and understood what they would receive. The fact that around half said yes and half said no does not support the impression that this was skewed so as by default to trick people into signing up for things they didn't understand.

123. Mr. Hopkins took the tribunal to an example of one of the marketing emails from during or shortly after the relevant period (p353). Mr. Hopkins drew the tribunal's attention to the unsubscribe links and the fact that the email states how the individual came to receive such emails ("You have received this email to [redacted] as a registered user of Jobsearch"). If the Commissioner is right that insufficiently specific information is provided on the basis of the consent boxes, Mr. Hopkins argued that any information gap is quickly remedied in the first email which specifies which website they signed up on and gives an option to unsubscribe.

124. Mr. Hopkins submitted that this is a vital part of the analysis in relation to seriousness and in exercising the discretion to take enforcement action bearing in mind the guiding principles of purposiveness and proportionality.

125. Mr. Hopkins took the tribunal to the new versions of the consent statements introduced in 2021 (see p 410). Mr.
Hopkins submitted that this was not a concession that the earlier versions were inadequate but JTT trying to improve, taking advice and making improvements to enhance the information provided.

126. Mr Hopkins submitted that the financial position of JTT does not enable them to pay a fine of £130,000. He relies on the email to the Commissioner at p 127 of the bundle and the profit and loss accounts at p 189 which show an operating loss of £180,616 for the financial year up to December 2020, and an operating loss excluding finance costs of £141,801.

127. Mr. Hopkins submitted that the Commissioner is wrong to rely on JTT's revenue. Further, he argued that it is fundamentally misconceived to take into account speculation that JTT's parent company might bail them out.

Ground 1 - no contravention of PECR

128. Mr. Hopkins submitted that there was no alleged contravention in relation to whether consent was freely given or unambiguous. He submitted that the issue was whether the consents were sufficiently specific or informed to meet the standards in Article 4(11) GDPR. Mr. Hopkins drew the tribunal's attention to what he termed a specific acceptance at p 219 by the Commissioner in the enforcement decision record to the effect that consent was freely given.

129. In relation to the meaning of "specific" and "informed" Mr. Hopkins submitted that this is not defined in the legislation. The meaning is context dependent.

130. Mr. Hopkins submitted that "specific" means that the tribunal has to ask if the opt-ins were specific indications of agreement to the purpose for which data will be processed. "Specific" does not mean that there needs to be specificity as to the particular party or sector. Mr. Hopkins relied on the European Data Protection Board (EDPB) Guidelines 05/2020 on consent under Regulation 2016/679 to support his submission.

131.
Mr Hopkins argued that individuals were asked to give consent to the specific purpose of marketing, which was hived off from registration to the website.

132. In relation to informed consent, Mr. Hopkins noted that the EDPB is of the opinion that at least the following information is required for obtaining valid consent:

i. the controller's identity,
ii. the purpose of each of the processing operations for which consent is sought,
iii. what (type of) data will be collected and used,
iv. the existence of the right to withdraw consent,
v. information about the use of the data for automated decision-making in accordance with Article 22(2)(c) where relevant, and
vi. on the possible risks of data transfers due to absence of an adequacy decision and of appropriate safeguards as described in Article 46.

133. Mr. Hopkins submitted the express descriptions of emails, marketing activity, sectors and the third parties taken together comfortably fall within the EDPB guidance on what informed consent looks like.

134. Mr. Hopkins noted that the Commissioner at para 47 of the MPN states that: "Consent is required to be specific as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it."

135. Mr. Hopkins argued that that is not what the EDPB guidance says, which is that it has to be specific as to purpose not as to the granular detail.

136. Mr. Hopkins submitted even applying the Commissioner's gloss on the standard, JTT met that threshold. He argued that the consent statements and the privacy policy provided sufficiently clear specific granular information about what the email address would be used for, and who would be sending the communications.

137. Mr. Hopkins submitted that, for the same reasons, the opt-ins were provided on a sufficiently informed basis. Marketing is a very common and well-understood aspect of 21st century life, in particular in the context of registrations on websites.
Those who were interested in more information about the kinds of organisation who might send them marketing communications could click the hyperlink to the privacy policy. Within that privacy policy, JTT described the types of third parties who may send marketing communications (e.g. by sector or type of offer). For the jobs websites, the privacy policy also provided a lengthy illustrative list specifying companies who may send marketing communications (e.g. Scottish Power, O2, Sky UK), together with links to the privacy policies of those companies.

138. Mr. Hopkins argued that it is not open to the Commissioner or the tribunal to micro-manage the exact way in which the information was presented, if that information complies with the minimum standard imposed by law.

139. Mr. Hopkins submitted that it is important to take a step back and take a purposive and proportionate approach. The Commissioner's approach, he submitted, is divorced from reality in a case where half the individuals opted in and half did not, and where there have been no complaints. Mr. Hopkins submitted that there was a strong resonance between this case and Xerpla Limited v ICO (EA/2017/0262), where the tribunal overturned a MPN issued for alleged contraventions of regulation 22(2) PECR.

140. Mr. Hopkins submitted that data protection legislation, including PECR, must be read purposively not mechanically: Dixon v North Bristol NHS Trust [2022] EWHC 3127 (KB); 191 BMLR 148 at para. 104.

141. The purpose of PECR, as set out in recital 40 to Directive 2002/58/EC is the protection of privacy. Mr. Hopkins submitted that the emails sent by JTT and third parties in this case did not intrude or cause any meaningful interference in an individual's privacy given the voluntary sign-up.

142.
Further, it is submitted that the Commissioner lost sight of the proportionality principle when it applied a gold-standard gloss to the terms "specific" and "informed" in ways that overlook: (i) the context in which recipients voluntarily signed up for such emails, and (ii) the fact that any lack of understanding a recipient may have had about the marketing they might be consenting to was swiftly alleviated once they received the emails themselves.

143. It is submitted that the EN is fatally undermined by the fact that it is a forward-looking document issued in April 2023, yet it fails to say anything about the new versions of JTT's consent statements and privacy policy.

Ground 2 - the statutory criteria are not present

144. Mr. Hopkins submitted that whatever breaches the tribunal might find, they would constitute marginal and technical, rather than serious contraventions, based on differing views as to the required standards for "specific" and "informed". It is not an egregious case where accessing some kind of service is conditional on consent, or where repeated emails are sent after opting out.

145. There is no damage or distress. JTT does not understand how it is said that damage or distress would be likely where there is an opt in consent model accompanied by opt-outs in the emails.

146. It is submitted that the volume of emails is unsurprising given the kind of business that JTT operates, and the large number of customers who ticked a box to agree to receive such emails.

147. Mr. Hopkins submitted that it is accepted that the contravention was not deliberate, and it cannot be said that it knew or ought to have known about the risk because the law is not clear. JTT's interpretation of/approach to consent was (at its lowest) reasonable, and it was thus reasonable for it not to take other steps to change its approach at that time.

148. In relation to the EN Mr.
Hopkins submits that the "has contravened" limb in section 40(1) DPA 1998 must be subject to a qualifier that the alleged contravention is (i) sufficiently recent, and (ii) risks being repeated.

149. It is submitted that the EN refers to "distress" when that is omitted from section 40(2) DPA 1998 as it applies to PECR.

Ground 3: The MPN and EN should not have been issued

150. Mr. Hopkins relied on the points made under ground 2 and emphasised the following:

150.1. A MPN of £130,000 would be terminal for JTT's business.

150.2. The ICO failed properly to apply its own guidance.

151. Mr. Hopkins submitted that the tribunal should ask itself, in the light of the changes made to the policies, if something less draconian would do.

Skeleton argument/oral submissions of the Commissioner

Ground 1 - the contravention of PECR was plain and obvious

152. The Commissioner accepted that there is no suggestion that anyone was compelled to give consent but the concepts of freely given consent and informed consent very much go together, because, as is clear from the case law, you cannot freely give consent if you do not properly understand what you are being asked to consent to.

153. The Commissioner submitted that consent has to be judged in context and the factual matrix in Xerpla is very different: the Upper Tribunal noted in paragraph 64 of Leave EU the specific factual matrix described by the First-tier tribunal in Xerpla, it was obvious what its subscribers were consenting to. It was obvious because of the service Xerpla was offering. Whether consent is informed has to be judged in context. The nature of Xerpla's discounts/deals website was that subscribers could be sent third party offers about any products and services. That is why they subscribed to it. Had they wished to subscribe to a service offering only certain types of products and services, this was not the website for them.

154. There is no meaningful comparison to this appeal, Mr.
Metcalfe submitted, where individuals were using the primary websites to look for jobs.

155. The Commissioner submitted that, in light of the CJEU's decisions in Planet49 and Orange Romania, the Commissioner's requirement that direct marketers demonstrate each user's consent as to the type of marketing communication to be received, and the organisation, or specific type of organisation, that will be sending it is hardly an exacting or an excessive standard.

156. The Commissioner relied in particular on the statement by the CJEU in Orange Romania in that the data controller was required to: "provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed."

157. It is submitted that the Commissioner's guidance is entirely consistent with the requirement to provide users with sufficiently detailed information to understand the consequences of any consent they may give.

158. Mr. Metcalfe submitted that the EDPB guidance does not support JTT's case.

159. Mr. Metcalfe highlighted paragraph 71 of the Commissioner's guidance on direct marketing: "The crucial consideration is that the individual must fully understand that their action will be taken as consent, and must fully understand exactly what they are consenting to. There must be a clear and prominent statement explaining that the action indicates consent to receive marketing messages from that organisation (including what method of communication it will use). Text hidden in a dense privacy policy or in small print which is easy to miss would not be enough."

160. Mr. Metcalfe also referred to p 30 of the Commissioner's detailed guidance on direct marketing: "specific and informed: Your request for consent must be prominent, in plain language and separate from your privacy information. It must clearly explain what the consent is for (e.g. to send direct marketing emails), who wants to rely on the consent (e.g. you or another organisation) and how people can withdraw consent;"

161. Mr Metcalfe submitted that any third party controllers who are going to rely on the direct marketing consent have to be identified at the point at which consent is given and it is not enough to rely on a list of sectors or a list of particular companies buried at the end of the privacy policy.

162. Mr. Metcalfe took us to the consent statement of Jobinaclick and submitted that there is no specificity, the third party controller is not identified and there is no detail of the purpose beyond marketing activity, no description of the type of processing and no indication as to how to withdraw consent.

163. Mr. Metcalfe submits that the consent statement is not saved by the reference to the privacy policy. The specific sectors are only identified at page 7 out of 12 and the list of business partners at page 9.

164. Mr Metcalfe submitted that the fact that there have been no complaints does not assist. He submitted that realistically anyone aggrieved will turn on the spam filter and click unsubscribe rather than complain to the Commissioner.

165. Mr Hopkins relied on the fact that half the individuals clicked the opt in box. Mr. Metcalfe submitted that if consent is not properly informed it is not consent and it follows that every email then received is an invasion of privacy because it is unsolicited. It still causes distress even if it is not as serious as a more substantial breach of privacy.
Ground 2 - the Commissioner was entitled to issue the notices

166. JTT's contravention involved sending out 107 million emails to 437,324 individuals in the space of little more than a year, in circumstances where it had failed to obtain their valid consent. It is submitted that a breach of such magnitude can hardly be described as technical or marginal.

167. Mr. Metcalfe submitted that the fact that JTT is dealing in such very large numbers is all the more reason why they need to take very particular care in making sure that the consent form conforms with the requirements.

168. It is submitted that JTT's argument that it could not have known about the risk is simply fanciful: JTT has been active in direct marketing for over 10 years and must be taken to be aware not only of the law relating to the GDPR and PECR but also all applicable guidance (including the EDPB guidance it cites repeatedly without appearing to have read its contents). In this case, both the EDPB guidance and the Commissioner's own PECR guidance made clear the need for specific and informed consent and, in failing to follow that guidance, JTT - an experienced operator in this field - evidently ran the risk of a breach occurring.

169. Mr. Metcalfe submitted that the new consent forms were not in place until 16 months after the events under consideration.

Ground 3 - the Commissioner's decision to issue the notices involved a correct exercise of his discretion in each case

170. It is submitted that there has been no failure to follow the Commissioner's own policies.

171. Mr. Metcalfe submits that it is unusual to suggest that the operating loss for a single year should somehow be determinative. There is no obvious reason why a penalty which falls to be paid in accordance with the regulations should be given less weight than the other costs of JTT's business.

172. Mr. Metcalfe submits that it is for JTT to give evidence as to the broader financial picture.
JTT made a profit the following year and in the year ending 2022. The penalty would be paid now, not in 2020.

173. The Commissioner took into account the fact that JTT had put in place new consents in December 2021, but was not satisfied that they were necessarily compliant. It was clear to the Commissioner that JTT's conduct in the relevant period was in breach and that is what is material to the lawfulness and the exercise of the Commissioner's discretion.

174. In relation to the parent company, Mr. Metcalfe submits that there is nothing to say why a parent company's resources cannot be taken into account where JTT submits that a penalty would be terminal.

175. In relation to the assessment of the amount of the penalty Mr. Metcalfe submitted that the tribunal was entitled to take account of the financial position as it stands in April 2024.

176. In relation to the enforcement notice, Mr. Metcalfe submitted that JTT continued its operations under the original consent forms for a period of 16 months after it was first notified of the Commissioner's investigation. Mr. Metcalfe submitted that it was entirely lawful for the Commissioner to issue an enforcement notice to spell out exactly what JTT has to do in order to meet the requirement. The Commissioner's view was that the additional consents and privacy policies were not necessarily compatible, and the enforcement notice can be a mechanism whereby the Commissioner can more swiftly take steps if there are any continuing breaches in the future.

Mr. Hopkins' reply

177. When questioned by the Judge on the clarity of some of the wording in the consent statements and the privacy policies Mr. Hopkins accepted that it could be worded better but did not accept this was anywhere near a substantive problem of people not knowing what they were getting into.

178. Mr. Hopkins submitted that, factually, this appeal was much closer to Xerpla than Leave EU and Planet 49.
He stated that the highest these cases go in terms of principles is that there is a relatively high bar for valid consent. They do not provide that there must, for example, be a list of opt in boxes listing every single person who might send you marketing communications.

179. Mr. Hopkins submitted that Leave EU does not say anything about the relevance of the number of complaints to seriousness or the exercise of discretion and therefore this can still be taken into account under grounds 2 and 3.

180. Mr. Hopkins noted that the detailed guidance referred to by the Commissioner dates from December 2022 so cannot be used as a pointer to what JTT ought to have known. In any event the general principles in that guidance are unproblematic. JTT were specific in the privacy policy that this was email marketing and listed every company that was going to send emails. The option to unsubscribe is contained in the emails. The Commissioner complains that the information appears in the small print. Mr Hopkins submits firstly that the online journey would look slightly different to the print out and in any event that the Commissioner is micromanaging exactly how he wants the notices to be laid out which is not permissible.

181. Mr. Hopkins submitted that the bottom line appeared to be that the Commissioner says that in order to be valid there has to be a list of every intended sender with a tick box next to each one. He submitted that is not what JTT does, nor what anyone does, nor what the law requires.

182. Mr. Hopkins drew the tribunal's attention to the other financial information in the bundle. The yearly profit for the year ending 2022 was just less than £40,000. The accounts for 2020 include the figure for 2019. The details provided in the letter at p 127 show that the company did not have the cash reserves to pay the penalty.

183. Mr. Hopkins noted that Mr. Metcalfe had stated that the new versions of the consent statements were not necessarily compliant. Mr.
Hopkins stated that JTT had never been told what was wrong with the new versions.

184. It is submitted that the idea of the enforcement notice being used expressly to enable the Commissioner to punish JTT for future infractions illustrates why it should not be in force. An enforcement notice cannot simply say that JTT should comply with the law, they are obliged to do that in any event. The enforcement notice has to specify what practice needs to change and what JTT must do to avoid potential future sanctions.

Discussion and conclusions

185. We undertake a full merits review, although we accord due respect to the Commissioner as regulator.

GROUND 1: JTT did not contravene regulation 22 PECR as alleged by the Commissioner

Overarching issues in relation to breach

186. Whilst we have needed to examine the wording of the consent statements and privacy policies in detail, we do not accept that this is micro-managing the exact way in which the information is presented.

187. Information does not need to be presented in a particular way, but the Controller must provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. (para 40 Orange Romania)

188. We accept that data protection legislation must be construed purposively and not mechanically. Mr.
Hopkins referred us to recital 40 to Directive 2002/58/EC which reads: "(40) Safeguards should be provided for subscribers against intrusion of their privacy by unsolicited communications for direct marketing purposes in particular by means of automated calling machines, telefaxes, and e-mails, including SMS messages. These forms of unsolicited commercial communications may on the one hand be relatively easy and cheap to send and on the other may impose a burden and/or cost on the recipient. Moreover, in some cases their volume may also cause difficulties for electronic communications networks and terminal equipment. For such forms of unsolicited communications for direct marketing, it is justified to require that prior explicit consent of the recipients is obtained before such communications are addressed to them. The single market requires a harmonised approach to ensure simple, Community-wide rules for businesses and users."

189. Mr. Hopkins submitted that the notion that unsolicited emails might "impose a burden and/or cost on the recipient" was somewhat out of date. We note that the ECJ in Pegnitz (Case C-102/20 StWL Städtische Werke Lauf a.d Pegnitz Gmbh v Eprimo Gmbh [2022] 2 C.M.L.R. 21), which was decided in 2021, proceeded on the basis that unsolicited emails (spam) did impose a burden. An individual is only able to free the space to see all their exclusively private emails after they have checked the content of the unsolicited email and actively deleted it (paragraph 41 Pegnitz).

190. We agree with the Advocate General's opinion in Pegnitz at paragraph 57 that unsolicited emails do amount to an invasion of privacy because users regard their private email inbox as coming within their private sphere. Thus we do not accept that there is no meaningful invasion of privacy where those emails are unsolicited and prior consent, as defined, has not been obtained.

191. We accept that whether consent is informed has to be construed in context. Mr.
Hopkins submitted that there was a strong resonance between this case and Xerpla. That case concerned consent given on a discounts/deals website where subscribers could be sent third party offers about any products and services.

192. That is very different to the websites in this appeal which are either (a) a website that provides assistance with searching for jobs or (b) in the case of Savingdirect a website for finding the best quote for solar panel installation. Unlike subscribers in Xerpla those who register on a jobs website or a solar panel installation quote website are not registering in order to be sent third party offers about any products and services. They are registering specifically for assistance with job searches or for getting the best quote for solar panel installation. That is the context in which we must construe whether or not the consent was informed.

193. We have taken care not to apply any gloss, and certainly no gold-standard gloss to the terms "specific" and "informed". We have interpreted them in the light of the statute, the case law and, where appropriate, the EDPB guidance.

194. We do not accept that any information contained in the emails themselves is relevant to the question of whether the prior consent was informed or specific.

195. The changes made after the relevant period are not relevant to the question of whether or not there was a contravention of PECR in the relevant period.

196. The fact that no complaints were made is not, we find, relevant to the question of whether or not there has been a breach of PECR. As the Upper Tribunal stated at paragraph 54 of Leave.EU, the volume of complaints cannot be a reliable let alone determinative metric for deciding whether there has been a PECR breach, given that subscribers have easier default options than lodging a formal complaint with the Commissioner.

Did JTT contravene regulation 22 of PECR between 1 August 2019 and 19 August 2020?

197.
Between 1 August 2019 and 19 August 2020 JTT sent approximately 107 marketing communications by email, either on its own behalf or on behalf of other organisations, to 437,324 recipients who had provided JTT with their email addresses via one of five websites.

198. These were unsolicited communications. Under regulation 22 PECR such emails can only be sent if the recipient of the electronic mail has previously notified JTT that he consents for the time being to such communications being sent by JTT.

199. For the purposes of regulation 22, consent is defined in article 4(11) GDPR as follows: "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;"

200. We accept that the Commissioner did not base the MPN or the EN on the grounds that the consent was not freely given or unambiguous and the parties and thus our focus is primarily on whether the consent was specific and informed. However, there is significant overlap between the different elements, and a number of factors that would be relevant to whether consent was freely given and unambiguous will also be relevant to whether consent was, in particular, informed. The fact that recipients of emails voluntarily signed up for such emails does not carry weight if they did not sign up on an informed basis.

201. We accept Mr. Hopkins' submission, which he based to a large extent on the EDPB guidelines, that consent has to be specific as to purpose. At paragraph 58 of Planet 49 the Court of Justice ruled that the indication of the data subject's wishes referred to in Article 2(h) of Directive 95/46 must, inter alia, be specific in the sense that it must relate specifically to the processing of the data in question and cannot be inferred from an indication of the data subject's wishes for other purposes.

202.
The purpose for which personal data is collected must, under article 5(1)(b) GDPR, be specified, explicit and legitimate. Specified implies that the purpose of the collection must be clearly and specifically identified. The purpose has to be defined sufficiently precisely and specifically, because it enables the assessment of, for example, whether further processing is for compatible purposes, and in order to apply other GDPR requirements including, for example, the adequacy, relevance and proportionality of the data collected. [1]

203. Thus, the purpose has to be sufficiently defined to delimit the scope of the processing operation. The EDPB quotes p 17 of the Article 29 Working Party Opinion 3/2013 on purpose limitation of 2 April 2013 (WP29 Opinion 3/2013) at FN30 of its guidance on consent: For these reasons, a purpose that is vague or general, such as for instance improving users' experience, marketing purposes, IT-security purposes or future research will - without more detail - usually not meet the criteria of being specific.

204. Consent also has to be informed. In Planet49 the Court agreed with the Advocate General that clear and comprehensive information (as required by Article 5(3) of the 2002 Directive) implies that a user must be in a position to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed. It must be clearly comprehensible and sufficiently detailed so as to enable the user to comprehend the functioning of the cookies employed (CJEU judgment at paragraph 74).

205.
The Court reaffirmed the passage from Planet49 at paragraph 74 in Orange Romania at paragraph 40: As regards the requirement arising from Article 2(h) of Directive 95/46 and Article 4(11) of Regulation 2016/679 that consent must be informed, that requirement implies, in accordance with Article 10 of that directive, read in the light of recital 38 thereof, and with Article 13 of that regulation, read in the light of recital 42 thereof, that the controller is to provide the data subject with information relating to all the circumstances surrounding the data processing, in an intelligible and easily accessible form, using clear and plain language, allowing the data subject to be aware of, inter alia, the type of data to be processed, the identity of the controller, the period and procedures for that processing and the purposes of the processing. Such information must enable the data subject to be able to determine easily the consequences of any consent he or she might give and ensure that the consent given is well informed (see, by analogy, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 74).

Jobsearch

206. Turning to the question of whether or not JTT had obtained consent under regulation 22, we look first at the two Jobsearch consent statements:

I agree with Marketing Activity ○ Yes ○ No
I agree with 3rd parties policy ○ Yes ○ No

207. We refer to the marketing activity consent statement as the first consent statement and the 3rd parties policy consent statement as the second consent statement.

The first consent statement - marketing activity

208. The first consent statement does not contain any indication of what marketing activity might be carried out. The stated purpose of "Marketing Activity" is too vague to be a specified purpose within the GDPR and accordingly the consent is not specific. There is no indication of who will be carrying out the marketing activity or whether the controller is JTT or third parties or both.
There is no indication that the marketing activity will include communication by email. The consent statement does not show that the data subject had consented to such communications as required by regulation 22 of PECR.

209. Mr. Hopkins asks us to consider the consent statement in conjunction with the privacy policy. The privacy policy is not hyperlinked from the first consent statement, but is hyperlinked from a number of other places.

210. There is a third consent statement on the page, which was not referred to in this appeal, which allows the data subject to tick a yes or no box in relation to receiving marketing from Trades Courses. That consent statement contains a hyperlink to the privacy policy as follows: By selecting yes, you consent to Trades Courses sending you marketing about their products/services that are relevant to you. You can unsubscribe at any time. Read the Privacy Policy to find out more. Thank you! Read.

211. The hyperlink to the privacy policy is also at the bottom of the page, above a button labelled "Register" in the following statement: "By entering you agree to our privacy policy, and to receive communications by email, phone & sms from Jobsearch." The ordinary meaning of "entering" would be entering a website. In this context it might also be construed to mean clicking the register button. What it cannot sensibly mean is "By clicking yes to the first of three different consent statements above."

212. It would have been apparent to anyone considering selecting yes in relation to marketing from Trades Courses and to anyone wondering what the consequences of registration were that more information could be found in the privacy policy.

213. In contrast it is not made clear to the data subject wondering whether or not to click yes or no to marketing activity that there is another information layer applicable to that particular consent statement.

214.
In any event, whilst a layered way of presenting information can be appropriate, the first layer in JTT's first consent statement does not even specify the purpose of the processing or the identity of the controller. Particularly in the light of the lack of clarity as to where further information in relation to this particular consent statement could be found, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give.

215. We note the following passage from FN42 to the EDPB guidance: Note that when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent, unless the data controller can show that the data subject in question accessed that information prior to giving consent.

216. In addition, although we accept JTT's evidence that it was not necessary to tick yes to the first consent statement to register, and that registration alone provided access to job bulletin emails, this is not clear from the registration and welcome pages.

217. At no point was the data subject informed that receiving job related emails was not conditional upon giving consent to marketing activity.

218. We agree with the Advocate General in Planet49 when he gave his opinion at paragraph 67 that, in relation to the obligation to inform, it must be made crystal-clear to a user whether the activity he pursues on the internet is contingent upon the giving of consent. A user must be in a position to assess to what extent he is prepared to give his data in order to pursue his activity on the internet. There must be no room for any ambiguity whatsoever. A user must know whether and, if so, to what extent his giving of consent has a bearing on the pursuit of his activity on the internet.

219.
JTT's welcome page and registration page are, at best, ambiguous as to whether it is possible to register without consenting to marketing activity. The bottom of the registration form states clearly that by entering you agree to our privacy policy and to receive communications by email, phone and sms from Jobsearch. Further information is provided in a notice on a page headed "Welcome to Jobsearch". This page states "By registering with JobSearch you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means." It is not at all clear that registering to receive job related emails is separate to agreeing to marketing activity.

220. Read as a whole, particularly given the use of the broad phrase "marketing activity" we find that data subjects might well form the view from the first information layer that receiving job emails or registering to receive such emails was conditional on ticking yes to marketing activity. It is not clear that separate consent can be given to those separate purposes.

221. Even if a data subject understands that further information is available in the privacy policy, we are not satisfied for the following reasons that the consent statement, considered in conjunction with the privacy policy, meets the requirements of regulation 22.

222. First, it is not clear from the policy what a data subject is separately consenting to by clicking the yes box to marketing activity. As set out above, data subjects are informed that by entering (presumably registering or using the website) they have agreed to the privacy policy, and to receive communications by email, phone & sms from Jobsearch. They are also informed that by registering with Jobsearch they have permitted Jobsearch the right to pass some or all of their information to third parties who may send them marketing material via email, SMS or other means.

223.
The nature of the communications that are sent to those who simply register without opting in to marketing (whether job alerts or otherwise) is not made clear in the privacy policy, and therefore the additional communications that are covered by the separate consent tick box are unclear.

224. For example, the privacy policy sets out on the first page that it describes how Join The Triboo Ltd, will use the information that you provide to it (whether by completing the registration form or using its website job-search.online). It does not identify which purposes are related to which consent statement and which arise purely from filling in the registration form or using the website.

225. The privacy policy creates further confusion as to whether it is possible to register without agreeing to marketing activity.

226. For example, under "your personal information" the policy states that personal information is collected when you register with us and that "We use this information for directing advertising campaigns" and that "Once you register with us and agree to the terms and conditions of this Privacy Policy that govern how your information will be processed, you will not be anonymous to us and our partners and clients and will become of our users."

227. Under "disclosure of personal information" the policy states "By registering with us you permit us or our partners or clients to use such information that you provide to alert you to a range of promotions etc.." and "When you register with us you consent to us sending personally identifiable information about you to our partners or our clients and in particular we may share, rent or sell such information for marketing purposes send the information to our partners or clients who work with us for marketing purposes."

228. It also states, under "Your acceptance of these terms", "By using this site you consent to the collection and use of this information by use and to our privacy policy."

229.
Under the heading "Data Sharing" the privacy policy states "Following explicit consent in the registration form Triboo may share you email address and job-related preferences with vendors that they use to send them email job alerts." It is unclear which consent statement in the registration form is intended to apply to the sending of job alerts.

230. Finally, the heading "Opting-out (Deregistration)" follows a table setting out the list of Commercial Purposes, referred to above, which includes technical administration of the web site, research and development, customer administration, marketing and trading in personal data. Under the "Opting out (Deregistration)" heading the privacy policy states: Should you wish to opt out of your data being used for these purposes, please unsubscribe. The consequences of deregistration are that your account details will be placed in a suppression file and you will not receive any further communications from job-search online. Every email that job-search.online sends contains a link to unsubscribe.

231. This opt-out paragraph creates the clear impression that registration and consent to marketing and trading in personal data are intrinsically linked. By opting out from marketing, data subjects are told that they will not receive any further communications from Jobsearch.

232. Even having read the privacy policy we find that data subjects might well form the view that receiving job emails or registering to receive such emails was conditional on ticking yes to marketing activity. It is not clear that separate consent can be given to those separate purposes.

233. Mr. Hopkins argued that the fact that over the relevant period around 56% of those registering ticked the boxes saying yes, suggests that people could and did exercise a genuine choice and understood what they would receive.
He said that the fact that around half said yes and half said no does not support the impression that this was skewed to trick people into signing up for things they didn't understand by default.

234. We accept that those that said no (around 44%) presumably did not form the view that receiving job emails or registering to receive such job emails was conditional on ticking yes. However, in relation to those that said yes, we do not know what their understanding was. For the reasons set out above, we find that the information provided to them was not clear enough on this issue to make such consent informed consent.

235. Further, it is not clear from the privacy policy which parts apply to the first consent statement (as opposed to those parts that are consented to by registering or using the site or ticking the 3rd parties policy box or agreeing to the privacy policy by entering or by ticking the Trades Courses box). Accordingly, it is not clear which purposes set out in the policy have been consented to by agreeing to the first consent statement. As a result, it is not clear who will be carrying out marketing activity that has been consented to and it is not clear what type of marketing activity is covered. On that basis we are not satisfied that the consent is informed or specific.

236. If we are wrong about this, and in the alternative, if it is adequately clear that references to marketing activities included all marketing activity in the privacy policy, we find that the bundle of purposes included in the policy is too broad and too vague to be a specified purpose within the GDPR and accordingly the consent is not specific.

237. The start of the policy states that JTT carry out marketing activities for third parties (who may operate in any business sector) and are referred to in this Privacy Policy as Our Business Partners and Clients.
Those marketing activities are said to be web publicity display, e-mail marketing and mobile marketing services to promote a wide range of products and services and client recruitment campaigns through the internet and affiliate marketing.

238. Marketing Activities is defined differently later in the policy in the context of third parties as the communication directly to particular individuals by e-mail, post, telephone or sms of any advertising or marketing material in response of any product or service from us, our partners or clients. The purpose of Marketing activities is thus extremely broad and non-specific, including direct marketing by JTT and others, by a variety of means and also the undefined purpose of client recruitment campaigns.

239. We find for all the reasons set out above that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.

240. We conclude that the consent given by agreeing to the first consent statement was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.

The second consent statement - 3rd parties policy

241. The second consent statement states "I agree with 3rd parties policy". The wording "3rd parties policy" is hyperlinked to the privacy policy.

242. We do not accept that ticking this box amounts to informed consent. First, whilst a layered way of presenting information can be appropriate, the first layer in JTT's second consent statement does not even specify the purpose of the processing or the identity of the controller.
Particularly in the light of the confusing nature of the information that is provided in the second information layer, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give. We have already set out the relevant passage from FN42 to the EDPB guidance.

243. Further, and in any event, clicking on the link does not lead to a 3rd parties policy. It leads to the privacy policy. This is confusing and may well lead data subjects to assume that the link is not working.

244. Even if a data subject scrolled down to attempt to find the 3rd parties policy there is no section headed 3rd parties policy. The first substantive reference to third parties is a reference to the placing of cookies by LiveRamp and its group companies. A reader might assume that this is the 3rd parties policy to which they are agreeing.

245. As the 3rd parties policy tick box is separate to the marketing activity, a data subject might assume that the second consent statement is not a consent to marketing activity. They might assume that it is, for example, consent to emails from third parties containing job opportunities. Because there is no separate 3rd parties policy or explanation of what this separate consent means, even if the data subject clicks on the hyperlink it is not possible for the data subject to identify easily the consequences of any consent he or she might give. On this basis we find that the consent is not informed.

246. Further, the purpose for which consent is given via this tick box is not specified and therefore the consent is not specific. First, as set out above, the 3rd parties policy does not exist, either as a separate document or as a separate section within the privacy policy. It is accordingly not possible to identify the purpose for which consent is given.

247.
Second, the sections which refer to the use of data by third parties in the privacy policy include purposes as wide as any Commercial Purpose including marketing activities (p 324). There is a table within the privacy policy that lists purposes that are referred to in the policy as Commercial Purposes, this includes research and development, marketing and trading in personal data. This bundle of purposes is too broad and too vague to be a specified purpose within the GDPR and accordingly the consent is not specific.

248. Finally there is confusion in relation to whether it is possible to register without agreeing to the 3rd parties policy in the way that is set out in detail above in relation to the first consent statement.

249. We find for the reasons set out above that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.

250. We conclude that the consent given by agreeing to the second consent statement was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.

Jobinaclick and Findajob

251. The above reasoning deals with the Jobsearch consent statement and privacy policy. The reasoning and conclusions apply equally to Jobinaclick. The minor difference in the wording of the consent statement on the Findajob website does not affect our conclusions and thus the reasoning and conclusions also apply to Findajob.

Job4you

252. The original consent statement for Job4you states:

Agree to receive offers by email from job4you, on behalf of selected companies (https://uk.job4you.website/registration/index.php?module=site&method=privacy) that we believe will be of interest to you.
These companies are within the following categories: Automotive, Retail, Finance, Insurance or General. ○ Yes ○ No

Agree that job4you partners (https://uk.job4you.website/registration/index.php?module=site&method=privacy) may contact you with more interesting offers by email or telephone. You can opt-out of these communications at any time. ○ Yes ○ No

253. The registration page ends with a slightly different statement to the Jobsearch page: By clicking register you confirm that you have read and agreed to Job4you Privacy Policy. (https://uk.job4you.website/registration/index.php?module=site&method=privacy)

254. The welcome page is similar to that for Jobsearch. It also provides that: By registering with Job4you you permit us the right to pass some or all of your information to third parties who may send you marketing material via email, SMS or other means. Koi Advertising also reserves the right to accept marketing fees from financial services institutions.

255. The original privacy policy for Job4you is in the bundle, but it is too small to read. We assume that it is materially identical to the privacy policies for the other jobs websites.

256. Much of our reasoning set out above applies equally to the Job4you statement, particularly because the privacy policy is the same.

257. Certain elements of our reasoning do not apply in the case of the Job4you consent statements because the wording of the consent statements is different. The consent statements attempt to set out the purposes with more specificity. They contain specific reference to emails. Both contain a link to the privacy policy.

258. The first consent statement specifies that the agreement is to receive offers by email from job4you on behalf of selected companies that job4you believes will be of interest to the data subject within the following categories: automotive, retail, finance, insurance or general. The statement contains a link to the privacy policy after the words "selected companies".

259.
The second consent statement specifies that the agreement is that job4you partners may contact you with more interesting offers by email or telephone. The statement also includes a link to the privacy policy after the words "partners".

260. Whilst "offers" could be read as referring to marketing activity, in the context of registering for a jobs website, we do not accept that the data subject can identify easily the consequences of any consent he or she might give from this statement. Neither statement mentions advertising or marketing. It is not clear from the consent statement that the consent extends beyond offers relevant to the data subject's job search.

261. Further, even if it is understood to refer to marketing offers, there is insufficient information to allow the data subject to identify easily the consequences of any consent he or she might give. The categories of companies are meaningless because they include the catch all category "general". JTT, the controller of the data, is not identified. The privacy policy, for all the reasons set out above, is confusing.

262. The confusion as to what consent is given by registering/entering the website remains, because of the wording of the registration form, on the welcome page and in the privacy policy. It remains unclear which parts of the privacy policy apply separately to the first consent statement (as opposed to those parts that are consented to by registering or using the site or agreeing to the privacy policy or by entering or by ticking the Trades Courses box). The bundle of purposes set out in the privacy policy is, for the reasons set out above, too vague and broad to be a specified purpose. There is confusion in relation to whether it is possible to register without giving consent for the reasons set out above.

263.
We find for those reasons, along with those set out in relation to Jobsearch where relevant, that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.

264. We conclude that the consent given by agreeing to the consent statements on the Job4you website was not informed or specific and accordingly that the recipients of the marketing emails sent by JTT on behalf of third parties had not previously notified JTT that they consented for the time being to such communications being sent by JTT.

SavingDirect

265. In relation to SavingDirect the consent statements are embedded in a box entitled "Request a free quote" and the final button reads "Request a callback". There is no reference to marketing in the first consent statement which merely states "I agree to receive communications by email, phone and sms from Saving Direct". The second consent statement refers to "information & offers by email, phone, sms & post from 3rd parties".

266. Looked at in the context of the webpage, it is not clear that the consents are to anything other than receiving the requested no obligation quotes. There is no reference to JTT and no reference to the purpose of direct marketing. On that basis, particularly in the light of the confusing nature of the information that is provided in the privacy policy, the data subject is not in a position to be able to determine easily the consequences of any consent he or she might give.

267. Although both consent statements include an "I agree" and "I do not agree" box, they both begin with the wording "By entering you agree to". The statement at the end of the request a free quote box reads "By entering you agree to our to Privacy Policy and Terms and Conditions."
As with the jobs websites it is not clear that it is possible to consent separately to being contacted about the no obligation quote as opposed to the broad range of marketing communications referred to in the privacy policy, many of which bear no relation to solar panel installations. The privacy policy contains much of the same wording in this regard set out above in relation to Jobsearch.

268. It remains unclear which parts of the privacy policy apply separately to the first consent statement (as opposed to those parts that are consented to by entering or by agreeing to the second consent statement). The bundle of purposes set out in the privacy policy is, for the reasons set out above, too vague and broad to be a specified purpose.

269. We find for those reasons, along with those set out in relation to Jobsearch where relevant, that there is not sufficient information to enable the data subject to be able to identify easily the consequences of any consent he or she might give and that the purpose to which the agreement related was not specified, in the sense discussed above.

270. We conclude that the consent given by agreeing to the consent statements on the SavingDirect website was not informed or specific and accordingly that the recipients of the marketing emails had not previously notified JTT that they consented for the time being to such communications being sent by JTT.

Conclusions on ground 1

271. For all of those reasons, we are not satisfied that the recipients of the emails sent by JTT had previously notified JTT that they consented to such communications being sent by JTT. On that basis, we find that JTT was in breach of regulation 22 of PECR in that it sent approximately 107 marketing communications by email, either on its own behalf or on behalf of other organisations, to 437,324 recipients between 1 August 2019 and 19 August 2020.

272.
Although our reasons differ in some aspects to the Commissioner's we agree that the consent was not specific or informed and therefore this ground of appeal does not succeed.

GROUND TWO: Even if it did contravene regulation 22 PECR, the MPN and EN could not have been issued because other statutory preconditions were absent.

273. The statutory preconditions for issuing a MPN are that the breach is serious and that the controller knew or ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention.

Was the breach serious?

274. Mr. Hopkins argued that any breaches that we find can be categorised as marginal and technical and are based on differing views as to the required standards for "specific" and "informed".

275. The case law gives clear guidance on the standards required and we have applied that, assisted by the EDPB guidance, to the facts.

276. On the Jobsearch website, the controller and the specific purpose are not provided in the first layer of information. The EDPB guidance was relied on by JTT. That guidance expressly states that marketing purposes will - without more detail - usually not meet the criteria of being specific and that when the identity of the controller or the purpose of the processing is not apparent from the first information layer of the layered privacy notice (and are located in further sub-layers), it will be difficult for the data controller to demonstrate that the data subject has given informed consent.

277. The EDPB guidance is not law, but it is a good indication of how the Commissioner or the tribunal is likely to interpret the GDPR and PECR.

278. JTT's privacy policy is poorly signposted. It is confusing. Statements on the website and in the privacy policy contradict JTT's position that registration alone is not treated as consent to direct marketing. It is impossible to identify which purposes relate to which specific consents.

279.
In those circumstances the breaches cannot be categorised as marginal and technical. We do not accept that there is any genuine doubt or uncertainty as to whether there was a contravention of PECR. We do not accept that the breaches are based on differing views as to the required standards for "specific" and "informed".

280. We understand that the nature of JTT's business is the sending of large numbers of direct marketing emails. Therefore, if it does not obtain consent, the number of emails in breach of PECR sent will necessarily be large. The fact that the number of emails sent is not surprising, does not, in our view, affect the impact of that number on the seriousness of the breach. 107 million marketing communications to 437,324 recipients in one year is a serious number, and we take that as a starting point.

281. In terms of the impact on individuals, we do not need to find damage or distress. We do take account of the fact that unsolicited direct marketing by email is a burden and an invasion of privacy. It intrudes into the private sphere of an individual's inbox which is for private correspondence. Spam filters are not always effective. Marketing emails take up storage space. They take up physical space on the display and have to be checked and deleted to make way for private correspondence.

282. The fact that any individual who received an email had clicked a yes box, does not reduce the burden or invasion of privacy in circumstances where we have found that they were not properly informed about what they were agreeing to receive.

283. We accept that this is not a case where the controller has sent repeated emails after an opt out. We accept that the emails, when they are sent, identify JTT and give a number of opt-out options. Further, we accept that in fact registering is not conditional on signing up to marketing activity, albeit that this is not made clear to the data subject.
These are factors that are relevant to the level of seriousness, but in our view taken along with the other matters dealt with in this section do not mean that the breach is not serious.

284. The fact that there have been no complaints is of limited assistance in assessing the seriousness of the breach. As the Upper Tribunal noted at paragraph 54 of Leave.EU, recipients of unwanted emails have easier default options than lodging a formal complaint with the Commissioner. For example, JTT provided an opt-out button in the emails, some email providers have a report as spam button or recipients can simply delete the email. Nonetheless we accept that this does have some relevance to our assessment of seriousness. People do make complaints to the Commissioner, and if there had been a large number of complaints we would have taken that into account as an indication of an even more serious problem. The lack of complaints is therefore a small but significant factor when assessing seriousness.

285. Taking account of all the matters set out above, we find that sending approximately 107 million marketing communications to 437,324 recipients in one year without having obtained prior consent is a serious breach of PECR.

Did JTT know or ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention?

286. It is accepted that the contravention was not deliberate.

287. We do not accept that the law is unclear, as set out above. The relevant parts of the EDPB guidance are set out above. The judgment in Planet49 is dated 1 October 2019. The Commissioner has produced a number of guidance documents which are relevant to consent.

288. JTT's business was the sending of large numbers of direct marketing emails either on its own behalf or others, via personal data obtained through websites offering unrelated services helping people find jobs or obtain solar panel quotes.

289.
In those circumstances such a business should have been fully aware of the risk that consent statements and privacy policies of the type used on these five websites presented at least a risk of a contravention of PECR.

290. We do not accept that the approach to consent taken by JTT was reasonable. This is clear from our reasoning on why the consent was neither specific nor informed.

291. For those reasons we find that JTT ought to have known that there was a risk that the contravention would occur, but failed to take reasonable steps to prevent the contravention.

Conclusions on ground 2

292. We find that the statutory preconditions for issuing a monetary penalty notice were present in that the breach was serious and JTT ought to have known that there was a risk that the contravention would occur but failed to take reasonable steps to prevent the contravention.

293. There are no statutory preconditions for issuing a EN other than that the Commissioner must be satisfied that a person has contravened or is contravening any of the requirements of PECR. There is no basis upon which we could, as argued by Mr. Hopkins, read into section 40(1) DPA 1998 additional requirements that the alleged contravention is (i) sufficiently recent, and (ii) risks being repeated.

294. For the reasons set out above we have concluded that JTT has contravened regulation 22 of PECR. The statutory precondition for issuing the Enforcement Notice is accordingly present.

295. In summary whilst our reasoning differs to some extent from the Commissioner's, we agree that the statutory preconditions were met and therefore this ground of appeal does not succeed.

GROUND 3: Was it appropriate to issue a MPN and/or an EN and, in the case of the MPN, in what amount?

The MPN

296. Once the statutory preconditions are met, the Commissioner must determine (a) whether it is appropriate to issue a MPN and (b) if so, the amount of the MPN.

297.
Article 15a(1) of the 2002 Directive, as amended provides:

Member States shall lay down the rules on penalties, including criminal sanctions where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties provided must be effective, proportionate and dissuasive and may be applied to cover the period of any breach, even where the breach has subsequently been rectified.

298. We note that article 15a(1) explicitly recognises that penalties may be applied to cover the period of any breach, even where the breach has subsequently been rectified.

299. The RAP at pages 23-24 sets out the factors that the Commissioner will consider when deciding whether to impose a penalty and the amount of the penalty. These include:

* the nature, gravity and duration of the failure
* the intentional character of the failure or the extent of negligence involved
* any action taken to mitigate damage or distress
* the degree of responsibility of the controller
* any relevant previous failures
* the degree of cooperation with the Commissioner, in order to remedy the failure and mitigate the possible adverse risks of the failure
* the categories of personal data affected
* how the Commissioner became aware of the infringement including whether, and if so to what extent, the controller notified the Commissioner of the failure
* other aggravating or mitigating factors, including financial benefits gained as a result of the failure
* whether the penalty would be effective, proportionate and dissuasive.

300.
Although these factors are a useful indicator of the relevant factors, the requirement is that the Commissioner exercise his powers in accordance with the statutory framework and there is nothing in the RAP that precludes him from so acting, as the Upper Tribunal said in Leave.EU at paragraph 104 Guidance cannot fetter discretion, so expecting it to be too prescriptive or interpreting it as if it were is not permissible.

301. The factors set out in section 108(2)(b) of the Deregulation Act 2015 are also relevant, including the nature and level of risks associated with non-compliance, including the risks to economic growth; the steps taken by the business to achieve compliance and reasons for its failure; the willingness and ability of the business to address non-compliance; the likely impact of the proposed intervention on the business, and the likely impact of the proposed intervention on the wider business community, both in terms of deterring non-compliance and economic benefits to legitimate businesses.

302. We have had regard to all the above factors, where relevant.

303. In particular, we note that JTT have maintained throughout the Commissioner's investigation and throughout the tribunal process that the original consent statements were not in breach of PECR. Although JTT amended their consent statements and privacy policies from, at the latest, December 2021, this was after a significant period of time had passed and they did so explicitly on the basis that they maintained that the original consent statements were compliant. This is not a case where the organisation acknowledges the breach at an early stage and takes steps to remedy the failure.

304. In any event, although some improvements have been made, we are not satisfied that the new consent statements (i.e. those introduced at the latest in December 2021) were compliant with regulation 22 PECR.

305.
We note that the first information layer does now name the controller (Join the Triboo) and includes reference to emails, but it still only includes the non-specific broad marketing purposes. The welcome page is the same, so is the statement at the bottom of the registration page that by entering you agree to our privacy policy. Although the privacy policy is hyperlinked from the bundle, we have not been provided with copies in the bundle and therefore we do not know how the content of the privacy policies differed in December 2021. For those reasons we are not satisfied, on the evidence before us, that JTT had remedied the issues in relation to specificity and information that we have identified in our section on breaches above.

306. We take account of the fact that awarding a penalty would have deterrent effect in relation to businesses engaging in similar practices, and would reinforce the need to ensure that consent is specific and informed.

307. The fact that there are no complaints, is of some relevance. If there had been a large number of complaints we would have seen this as evidence of a very significant level of intrusion into people's privacy, which would have been an aggravating factor. That is not present in this case. However, as was made clear in Leave.EU, there are easier options than complaining to the Commissioner, and therefore an absence of complaints does not lead us to conclude that there was no burden or invasion of privacy for the individuals receiving unsolicited marketing emails.

308. We have taken account of the nature and gravity of the failure. The nature of the failings in the consent statements and privacy policies is clear from our detailed consideration of the consent statements and privacy policies above.
A serious and significant number of emails were sent without proper consent over a year, each of which carries with them a small but significant intrusion into the private sphere of each individual, and a small but significant burden as a result of having to take action in relation to each of those emails.

309. We have also taken account of the matters considered under seriousness above.

310. In our view, taking all those factors into account it is proportionate to issue a monetary penalty, applying proportionality in the sense that a fair balance has been struck between means and ends.

311. Looked at in the round, we agree with the Commissioner that it was appropriate to issue a monetary penalty notice in this case.

312. In terms of the amount of penalty, many of the considerations considered above in relation to (a) the statutory criteria and (b) whether the MPN should be issued are relevant to the amount of penalty. We have taken all the factors set out above into account.

313. We have also taken particular account of the financial impact on JTT.

314. When considering the financial impact on JTT it is appropriate to take into account the current financial position of JTT, given that the penalty will have to be paid now.

315. We take account of the fact that with a revenue of around £1-1.5 million this is a comparatively small enterprise and that it has no cash reserves and a negative bank balance. Further we note that the company made significant operating losses in 2019 and 2020. Since 2020 the amount of profit made by the business has increased every year. In 2021 the company made a small profit of £9,715. In 2022 the company made a profit of £36,014.

316. In relation to Mr. Hopkins' submission that a fine of £130,000 would be terminal to JTT, we note that even if JTT's profits do not continue their upward trajectory, and even if expenditure remains the same, after paying the fine JTT would make an operating loss of about £93,000.
This is much lower than the operating losses made in 2019 and 2020 which were not terminal for the business.

317. Further, we find that the resources of JTT's parent company can properly be taken into account in the light of the following statement that appears in JTT's accounts for the year ended 31 December 2022 on Companies House:

The directors have considered the use of the going concern basis for the financial statements and have confirmed this is appropriate. It is fully expected that the company will continue to trade for at least twelve months from the date of these financial statements and has guaranteed support of its parent company to do so.

318. By analogy with R v NPS London [2019] EWCA Crim 228, in our view it is proper to have regard to the likely provision of funds by the parent company of the group, Triboo SpA, given the guaranteed support set out in JTT's most recent published accounts and the fact that the parent company has market capitalisation in excess of 20 million.

319. For all those reasons, we are not persuaded that the fine would be terminal to JTT.

320. Looked at as a whole, taking into account the circumstances and seriousness of the contravention, and all the other factors set out above, we consider that the fine of £130,000 was proportionate in the sense that a fair balance has been struck between means and ends.

321. For the reasons set out above, ground 3 of the appeal fails in relation to the MPN.

Was it appropriate to issue an enforcement notice?

322. As any enforcement notice will be forward looking, we have concluded that it is appropriate to consider the current consent statements and privacy policies operated by JTT, before determining this issue. The Judge has issued a separate case management order requiring JTT to provide the current consent statements and privacy policies and allowing the parties to provide written submissions on this issue.
The parties have also been asked to indicate if they consent to the remaining issue being dealt with on the papers.

Signed SOPHIE BUCKLEY

Judge of the First-tier Tribunal

Date: 2 May 2024

OPEN ANNEX

Relevant extracts from the Jobsearch privacy policy

Modern information and communication technologies play a fundamental role in the activities of an organization like Join The Triboo Ltd. We are a web services provider based in the United Kingdom. Our principal activities are:

* web publicity display, e-mail marketing and mobile marketing services to promote a wide range of products and services.
* client recruitment campaigns through the internet and affiliate marketing.

We carry out such marketing activities for third parties (who may operate in any business sector) and are referred to in this Privacy Policy as Our Business Partners and Clients. This privacy policy describes how Join The Triboo Ltd. will use the information that you provide to it (whether by completing the registration form or using its website, jobsearch.online

Providing Visitors with Anonymous Access

You can access our Web site home page and browse our site without disclosing any personal data.

Data Collection and Purpose Specification

We collect the personal data that you may volunteer while using our services. To access the table of personal data types collected and purposes for which they are used, go to the end of the page. Please note that any purposes listed in the table below are referred to in this Privacy Policy as Commercial Purposes. We do not collect or use personal data for any purpose other than those referred to in the table below. If we wish to use your personal data for a new purpose, we will give you the opportunity to consent to this new purpose: by indicating in a box at the point on the site where personal data is collected.

Your personal information

When you register with us we ask for personal information such as your name, date of birth, contact details, and other details listed in the table below. We use this information for directing advertising campaigns, but never to process, or aid the process of, job applications. Your gender and date of birth information will always remain confidential to any recruiters or employment companies that we work with. When you are registering with us it is not until you click the Sign Up or "Register" button that your information is transferred. Once you register with us and agree to the terms and conditions of this Privacy Policy that govern how your information will be processed, you will not be anonymous to us and our partners and clients and will become one of our users.

Disclosure of personal information 274

With your consent, we may share, rent and sell your personal data or sell or rent our entire database to our partners and clients in any sector for any Commercial Purpose including marketing activities. By marketing activities, we mean the communication directly to particular individuals by e-mail, post, telephone or sms of any advertising or marketing material in respect of any product or service from us, our partners or clients. By registering with us, you acknowledge that we will not process any job application or submit any information on your behalf to any recruiter in respect of any job. You will have sole responsibility for your application in respect of any job vacancy. If you subsequently decide you no longer wish to receive direct marketing/information from us, or no longer wish us to pass your information to third parties you should notify us accordingly by e-mail to: privacyuk@triboo.com

By registering with us you permit us or our partners or clients to use such information that you provide to alert you to a range of promotions and competitions in respect of any products or services.
We may contact you regarding site changes or changes to such products or services that you use. When you register with us you consent to us sending personally identifiable information about you to our partners or our clients and in particular we may:

* share, rent or sell such information for marketing purposes;
* share your information with third parties as required to provide the service or the product you have requested;
* send the information to our partners or clients who work with us for marketing purposes;
* respond to subpoenas, court orders or legal process;

Your acceptance of these terms

By using this site, you consent to the collection and use of this information by us and to our privacy policy. If we change our privacy policy in any way, we will post these changes on this page.

TABLE of personal data collected and purposes for which they are used

Primary personal data/Business information x volunteered by each visitor

{| class="wikitable"
! Primary personal data !! Technical administration of the Web site !! Research & Development !! Customer Administration !! Marketing !! Trading in personal data
|-
| Name || X || X || X || X || X
|-
| Gender || X || X || X || X || X
|-
| Address || X || X || X || X || X
|-
| E-mail address || X || X || X || X || X
|-
| Phone/Fax number || X || X || X || X || X
|-
| CV || X || X || X || X || X
|}

Data Sharing

Following explicit consent in the registration form Triboo may share your email address and job-related preferences with vendors that they use to send them email job alerts. Furthermore, a user can easily unsubscribe from them.

You may be contacted by e-mail within the following categories

Various contests: Offers for surveys, sweepstakes, prize draws and free giveaways

Financial: Offers for professional associations; consumer, automobile and housing loans; household, automobile, travel and accident insurance; Claims (PPI/PBA).
Our preferred partners in the claims sector are HQ Consultancy Ltd, Ascend Finance and Neilson Financial (Smart Insurance & British Seniors Insurance)

Credit Report

Pharmaceutical

Magazines and newspapers: Offers for newspapers and magazines on fashion, nature, photography, interior decorating, science, economics, fitness and lifestyle

Beauty and health tips: Offers for weight-loss products, dietary supplements, vitamins, creams and dental hygiene products

Clubs, organisations and web sites/portals: Charitable organisations, film clubs, dating sites and fitness centres

Electronics: Offers for TV providers, internet, mobile telephone service and web pages

Clothing, fashion and lifestyle: Offers for underwear, designer clothing, jewellery and makeup

Games and gambling: Offers to register on web sites featuring bingo, gambling and scratch games, for example

Transport, autos, travel and holidays: Offers for petrol, roadside assistance, airline tickets, motoring holidays, skiing holidays, charter trips and summer house rentals.

Opting Out (Deregistration): Should you wish to opt out of your data being used for these purposes, please unsubscribe. The consequences of deregistration are that your account details will be placed in a suppression file and you will not receive any further communications from job-search.online

Every email that jobsearch.online sends contains a link to unsubscribe.

Opting out at a later date

Once you have given your consent, you can however still control whether or not you continue to receive communications or see such advertisements from such third parties.
The method of control depends on the channel of communication or advertising

Use of your personal information

We use your personal information collected via the Jobianclick website to:

* Provide you with information about the products and services we offer
* Provide you with a more personalised service
* Conduct market research
* Pass on to selected companies to provide you with other offers and promotions
* Help other companies profile and extend their databases
* Facilitate communication between yourself and others

Our Business Partners & Clients:

Brand processed by Lead 365, 6th Floor, Alexandra Warehouse, West Quay, Gloucester Docks, Gloucester, Gloucestershire, GL1 2LG, Companies House - 09973434

Utilita Energy Limited Secure House, Moorside Road, Winchester, Hampshire, SO23 7RX Privacy Policy = https://utilita.co.uk/terms Telephone channel Utility sector Company number - 04849181

[Privacy Policy lists 12 other companies with similar details]

Our Business Partners & Clients:

* RS DATA TECH, LTD t/as ukcreditratings.com - Privacy Policy
* Results Generation - Austinshire Partners, LLC
* Marketing Punch
* Click Labs Group and their Client Portfolio
* We Breathe Media and their Client Portfolio
* British Seniors Insurance Agency (Neilson Financial Services Ltd)
* Smart Insurance (Neilson Financial Services Ltd
* Property Rescue
* Save Today
* SJB66
* DMLS site & Client Portfolio
* Dr Money Saver
* Pharmacy2U
* ZIp Recruiter
* UK - Trades Courses
* UK - O2 Free Sim
* UK - Adzuna
* UK - GoGroopie Company Number - 07363687 Company Address - Alpha House, 100 Borough High Street, London SE1 1LB
* UK - Price Reactor.
* UK - Adzuna
* .UK - Saving.Direct Life Insurance
* .UK - The Casino
* UK - Restoration Media
* UK - Scottish Power - 320 St. Vincent Street, Glasgow, Scotland, G2 5AD
* UK - Avon
* UK - Choose Leads Limited

[1] On this see para 124 of the judgment in Case C-205/21 Ministerstvo na vatreshnite raboti (Enregistrement de données biométriques et génétiques par la police); paragraphs 37-42 of the Advocate General's opinion in Case C-77/21 Digi Távközlési és Szolgáltató Kf v Nemzeti Adatvédelmi és Információszabadság Hatóság, p 15 and 17 of the Article 29 Working Party Opinion 3/2013 on purpose limitation of 2 April 2013 and paragraphs 56 and 59 of the EDPS Investigation into use of Microsoft 365 by the European Commission (Case 2021-0518). The Opinion 3/2013 on purpose limitation has not been adopted by the EDPB but it is referred to in FN28 of the EDPB Guidance on consent as providing further guidance on the determination of purposes.