ICO (UK) - Unite the Union

From GDPRhub
Revision as of 21:47, 3 April 2022 by 92.19.255.221 (talk) (→‎Comment: mentions of articles 32 42 43 not relevant to this PECR case)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
ICO (UK) - Unite the Union
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law: Article 32 GDPR
Article 42 GDPR
Article 43 GDPR
Regulation 21 of the Privacy and Electronic (EC Directive) Regulations 2003, as amended
Section 55A of the Data Protection Act
Section 122 of the Data Protection Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 25.10.2021
Published:
Fine: 36000 GBP
Parties: n/a
National Case Number/Name: Unite the Union
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): English
Original Source: ICO Website (in EN)
Initial Contributor: Anike Malherbe

The ICO issued a penalty of £36,000 against Unite the Union for unsolicited direct marketing calls (in violation of Regulation 21 PECR) to 57,665 individuals who had not given informed valid consent to receive such calls.

English Summary

Facts

The Information Commissioner (“Commissioner”) was tasked with determining whether the conduct of Unite the Union (“Unite”), in which it contacted various individuals to promote life insurance, constituted “direct marketing” in contravention of Regulation 21 of the Privacy and Electronic (EC Directive) Regulations 2003, as amended (“PECR”) and whether, if contravened, a monetary fine is warranted in terms of Section 55A of the Data Protection Act (“DPA”).

The Commissioner’s office received a total of 27 complaints relating to unsolicited calls for the purpose of direct marketing made to individuals who maintained that they did not consent to such marketing and at least two complainants further complained that they explicitly opted out of such marketing directly to the call operator, yet still received further calls. Upon further investigation the Commissioner discovered that of the 726 853 calls which connected, 57 665 of these calls were to individuals registered with TPS for 28 days or longer. The Commissioner explains Regulation 21 PECR as not permitting a company “to make calls promoting a product or service to an individual who has a telephone number registered with the Telephone Preference Service Ltd (“TPS”)” unless that individual has “given their consent to that company to receive such calls”. The TPS is a company which maintains a register (on the Commissioner’s behalf), in terms of Regulation 26 of PECR, containing numbers of individuals who have indicated that they do not wish to receive direct marketing calls on those lines.

In order to confirm that this matter fell within the scope of Regulation 21 PECR the Commissioner considered the definitions of:

•“Direct marketing” as set out in Section 122(5) of the DPA 2018;

•“Consent” in PECR as set out in Article 4(11) the General Data Protection Regulation 2016/679 (the “GDPR”) read with recital 32, 42 and 43 of the GDPR; and

•“Individual” and “subscriber” in terms of Regulation 2(1) of PECR.

The Commissioner’s notice focussed mainly on whether consent was given by the individuals who were contacted by Unite. Unite insisted that the calls (made by a third party which operated with TPS screening) in question were merely calls updating members on the “services and benefits available to them under their union membership” which Unite did not consider to be unsolicited calls. Unite maintained that consent was given by its members when they concluded their membership. Upon studying a screenshot of the communication preferences referred to by Unite, the Commissioner concluded that there was only an option for members to opt out of communication but that opting in was automatic upon subscribing as a member, notably with no option to agree to:

•direct marketing from third parties;

•which specific third parties, if any; or

•through which media they are to be contacted.

In order to determine whether the calls could be construed as direct marketing the Commissioner considered the content of the script used in the calls. It was noted that the script was written in a “marketing style” and “in the form of a flow chart, with the ultimate objective of transferring members to a United Life advisor through whom they could purchase life insurance.” The Commissioner further noted that “complainants believed” these to be marketing calls despite United’s belief that they were not. [Para 28 & 29]

The Commissioner further considered the contract between Unite and the third party on which she then confirmed (on a balance of probabilities) that Unite was indeed the driving force behind these calls and therefore the responsible party.


Holding

1. Contravention of Regulation 21

The Commissioner noted three elements of consent which had to be met in order for a company to consider valid consent to have been given by an individual. These were that consent had to be (1) freely given, (2) specific (as to the type of marketing as well as the specific or type of organization sending the communication) and (3) informed. In order for consent to be informed the Commissioner stated that an individual must understand what they are consenting to, in language that “is clear, easy to understand, and not hidden away in privacy policy or small print.” The onus to prove that valid consent is given rests on the company. The Commissioner found that on the above-mentioned facts, the individuals were only “broadly informed” that their personal information will be used and this, according to the Commissioner, is insufficient to establish valid consent. The Commissioner went on to state that this violation of Regulation 21 was serious as it concerned 57 665 calls over a period of twelve months and led to 27 complaints.

2. Monetary penalty

Turning to the conditions set out in Section 55A DPA the Commissioner found that Unite “did not deliberately set out to contravene the PECR...” but that it was indeed negligent in not making use of the tools and resources provided by the Information Commissioner’s Office (“ICO”) which was published publicly on their website and freely available in addition to a helpline to clear up any remaining confusion. Therefore, the Commissioner finds that Unite ought to have known that there was a risk of contravention as it should have been familiar with its responsibilities. She further noted that Unite employees were trained on the “PECR compliant principles” in respect of emails but not telephone calls and that TPS would’ve contacted Unite with each complaint (as is their standard practice) thereby bringing it to Unite’s attention that there was a risk of contravention which it needed to attend to. The Commissioner found that Unite failed to take reasonable steps to prevent such a risk of contravention materialising and considered the complaints of “recurring calls” by some of the complainants and the volume of calls to confirm this belief. Therefore, the requirements in Section 55A(1)(b) was met.

In her assessment of whether a monetary penalty was appropriate, and if so, which amount, the Commissioner considered the fact that Unite ignored (or did not act upon) the resources provided by the ICO as an aggravating factor. She further noted the remedial action taken by Unite when it became aware of the contravention as a mitigating factor. However, she found that a monetary penalty would still be appropriate in the circumstances. In determining the amount, the Commissioner went on to consider the impact of such a penalty on Unite in order to avoid “causing undue financial hardship.” It was emphasised that the monetary penalty “should act as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance...” and that the underlying objective of such penalty is to “promote compliance with PECR.”

The Commissioner issued a monetary penalty in the sum of £45 000 (to be discounted with 20% to £36 000 in the event that the fine is paid timeously and no appeal pursued).


Comment

The mention of art 32 42 and 43 GDPR might not be relevant to this case.

urther Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.


        

    
        
            
    
        
                
                        Action we've taken/
                
                
                        Enforcement/
                
                
                        
                            Unite the Union
                        
                
        
    
                Unite the Union
            
        
    
        
        
            
                        Date
                            25 October 2021
                        Type
                            Monetary penalties
                        Sector
                            Membership association
            
        
    

    
        
            

        

                
            There were multiple breaches of regulation 21 by Unite the Union arising from the organisation’s activities over a twelve-month period, resulting in 57,665 unsolicited direct marketing calls to subscribers who were registered with the TPS.  These 57,665 unsolicited calls led to a total of 27 complaints being made to the Commissioner over the period of contravention.

        

        Further Reading
            
                
                    
                        Unite the Union monetary penalty notice
                            
                                    Action we've taken
                                    PDF (279.44K)
                            
                        
                    
                
        

        
    

    
    
        
            
    
        
                
                        Action we've taken/
                
                
                        Enforcement/
                
                
                        
                            Unite the Union
                        
                
        
    
                Unite the Union
            
        
    
        
        
            
                        Date
                            25 October 2021
                        Type
                            Monetary penalties
                        Sector
                            Membership association
            
        
    

    
        
            

        

                
            There were multiple breaches of regulation 21 by Unite the Union arising from the organisation’s activities over a twelve-month period, resulting in 57,665 unsolicited direct marketing calls to subscribers who were registered with the TPS.  These 57,665 unsolicited calls led to a total of 27 complaints being made to the Commissioner over the period of contravention.

        

        Further Reading
            
                
                    
                        Unite the Union monetary penalty notice
                            
                                    Action we've taken
                                    PDF (279.44K)
                            
                        
                    
                
        

        
    
EnglishCymraegEnglishCymraeg