In August, Which? called for more stringent action against the directors of companies that make nuisance calls. In a blog post on its website, Alex Neill, director of campaigns and policy, said: “Millions of people are still being pestered by nuisance calls and it’s time for tougher action that holds responsible company directors personally accountable for the unlawful actions of their companies.”
She said that this will stop rogue company directors from stepping around the rules by closing one company and re-establishing a new one, and avoiding fines for making nuisance calls. But what kind of action is she calling for exactly? Who should be carrying out this “tougher action”? And what action is being taken right now?
Although Which? declined a request to elaborate on the issue, others in the data industry think they know precisely what the consumer organisation is referring to. Mike Lordan, director of external effairs at the Direct Marketing Association (DMA) says: “The addition of custodial sentences will allow the authorities to crack down on the businesses committing these crimes, as well as the repeat offenders behind them.”
The “authorities” Lordan speaks of is the Information Commissioner’s Office (ICO), the independent body that regulates the privacy rights of individuals by enforcing the Data Protection Act and openness among public bodies by enforcing the Freedom of Information Act. The newly-installed Information Commissioner is Elizabeth Denham.
Lordan thinks that custodial sentences would be a strong deterrent and the threat of such would be enough to stop rogue companies who have been fined for nuisance calls from shutting up shop and reopening under another name.
“We would encourage the government or Parliament to give the Information Commissioner custodial powers, in particular cases when companies are being wound up by rogue callers,” says Lordan.
Both Lordan and Robert Bond, partner at law firm Charles Russell Speechlys, recall the previous Information Commission, Christopher Graham, calling for greater powers to be able to hand down custodial sentences. Denham took over as Information Commissioner in July 2016 and Bond has no doubt that she will be just as forceful in her call for custodial sentences.
He says: “I’ve had the good fortune to work with Elizabeth Denham over the past ten years. I am quite sure that she is going to make examples of all sorts of businesses who do not comply.”
However, Christine Andrews, MD of DQM GRC, a data governance, audit and advsory business, is not convinced this is the right approach. She says: “I think that custodial sentences are probably not the way to make people comply. There is a very small number of companies who continually morph into another call centre and they are most likely to go offshore into another jurisdiction,” she says.
She goes on: “They will set up in India or the Phillippines or somewhere like that and will call from there, so there will always be rogue callers who will continue to behave as they shouldn’t.”
According to Which?, over 83,000 nuisance calls have been reported to the regulator using its free tool. To tackle this problem and punish the offenders, the ICO can impose fines of up to £500,000. However, the ICO has been having difficulty in getting those companies to pay up.
In the year to April 2016, the ICO says it has issued 19 fines – only three of those have been paid in full and one is being paid in installments. Four firms are still within or are very close to the deadline and two companies are appealing the fine. The remaining nine have not paid or have gone into liquidation. The ICO says it is “actively pursuing” them.
Andy Curry, enforcement group manager at the ICO, admits that, as these companies tend to be limited, “directors can be quick to look to liquidation as a way out of paying fines.” It is also worth noting that the fines could be seen as being low in value in comparison to the number of calls being reported. In 2015, the ICO said that it fined ten companies a total of just under £1 million. This works out to an average of around £100,000 per firm.
As well as issuing monetary penalty notices, the ICO has other ways of putting pressure on rogue companies. All data controllers are required by law to register with the ICO. Failure to do so can lead to a separate fine. In November 2015, ICO fined Direct Security Marketing Ltd and its company director £1,184 for failing to register and £70,000 for making nuisance calls.
The ICO can also issue a request for information and, if the company ignores the request, the ICO can then send an ”information notice” compelling the company to respond. If it does not, the ICO can take it to court. This is what happened to Nuisance Call Blocker Ltd in October 2015. The court issued a fine of £2,500 and subsequently the ICO fined it £90,000 for making nuisance calls.
If the company making nuisance calls is not based in the UK, but is located anywhere else in the European Economic Area, the ICO can pass on any evidence that is has to regulators in that country. These are the existing powers the ICO has under the Data Protection Act (1998), the main piece of legistlation that covers the protection of personal data in the UK.
The General Data Protection Regulation (GDPR) is set to replace the DPA in May 2018 and will allow the Information Commissioner to issue much greater fines. For a technical breach, a potential fine coud be 2% of global turnover or €10 million, whichever is greater. For a serious breach, the potential fine could be up to 4% of global turnover or €20 million, whichever is greater.
Lordan is unsure of what will happen with the GDPR following the Brexit decision in June. However, Bond is certain that the UK will have to abide by the GDPR regardless of how the Brexit negotiations play out. Bond says: “According to our prime minister, we are not going to exercise the mechanism to trigger us leaving until next year. If it is going to take two full years, that takes us into 2019 and the GDPR will have arrived in May 2018 and we will still be part of the EU.”
"Nobody has ever been seen to be crucified. There aren’t the eye-watering fines to get it elevated to a board issue.”
He says that, as the UK will still be doing business with the EU, he doesn’t see this country wanting to have different regulations or be seen to not provide adequate data protection laws. To Bond, the larger fines that could be imposed under the GDPR would be a deterrent to the companies the make nuisance calls.
He says that, over the last ten years, compliance with the DPA has not been on the agenda of many businesses in the same way that compliance with anti-bribery and anti-trust law has. “This is because nobody has ever been seen to be crucified,” adds Bond. “There aren’t the eye-watering fines to get it elevated to a board issue.”
Both Bond and Andrews say the threat of reputational damage might stop some companies from making huge numbers of nuisance calls. And, indeed, it seems that is one of the weapons the ICO believes it has at its disposal. “Fining the culprits hits the headlines and sends a clear messaege that we’re prepared to come down hard on the law breakers,” said Curry of the ICO in a February blog post.
But Andrews thinks that this business model of making nuisance calls is so lucrative that it far outweighs any possible financial penalty or bad press. She says: “They’ll continue if their irritating activity actually delivers results for them.”
Bond adds that some business may even see fines from the ICO as an unfortunate business expense. He says: “Some companies will have taken the view that it is easier to write the cheque.” Both Lordan and Bond are worried about the knock-on effect that these rogue nuisance callers are having on the law-abiding members of the marketing sector.
Bond says: “I am concerned that the majority of good businesses that reach out by phone or SMS are suffering because of the few that simply don’t comply. That is always very frustrating. The actions of the few make life difficult for the rest of the businesses.”
Lordan says: “In general the nuisance calls get the legitimate marketing industry tarred with the same brush as the rogue companies.” Andrews thinks that, while it is important for the ICO to continue to take enforcement action, “that’s not the panacea” and individuals need to take action as well.
As spam texts and emails are also problematic, she says that we should unsubscribe wherever posible. We should ask companies where they got our data from, make subject access requests so we know what information they have about us, and threaten to report them to the Information Commissioner. In essence, Andrews advises us to “take control wherever we possibly can.”
Related articles: Lies, damned lies and compliance reports