On March 2, 2020, the Information Commissioner’s Office (ICO) issued a lead generator, CRDNN Limited (CRDNN), with a maximum £500,000 fine under the Privacy and Electronic Communications Regulations 2003 (PECR) for making more than 193 million automated nuisance calls. The full monetary penalty notice can be viewed here.
CRDNN first came to the ICO’s attention due to a significant number of complaints from subscribers regarding large volumes of unsolicited calls marketing a number of different products and services. In total, the ICO received 3,399 complaints relating to calling line identification numbers used by CRDNN and its related companies. The ICO then investigated and subsequently raided CRDNN’s premises in March 2018, seizing computer equipment and documents for further analysis.
The ICO’s investigation revealed that CRDNN was making nearly 1.6 million calls per day about window scrappage, debt management, and window, conservatory and boiler sales between 1 June and 1 October 2018. Some of the calls also potentially put people’s safety at risk, as they were made to a Network Rail control centre and clogged up the line for drivers and pedestrians at unmanned level crossings who were calling to check it was safe to cross the rails. The calls were all made from so-called ‘spoofed’ numbers, which meant that people who received the calls could not identify who was making them. The ICO found that CRDNN had breached PECR by not gaining consent from the phone owners to make those calls, not providing a valid opt-out, and not providing information required under PECR (the name of the organisation making the call and an address or telephone number at which it can be reached free of charge). In addition, the ICO issued CRDNN with an enforcement notice requiring it to comply with PECR.
What does the fine tell us?
The ICO is prepared to use the full extent of its powers for serious PECR breaches. £500,000 is currently the maximum penalty the ICO can impose under PECR and this is the first time it has imposed a maximum fine for a breach of the direct marketing rules. The fine highlights the fact that direct marketing continues to be a priority for the ICO and that the ICO is increasingly willing to use the full extent of its fining powers in this area for the most serious cases.
It reminds us of the ICO’s powers to carry out raids. The ICO’s enforcement powers under the Data Protection Act 2018 include the power to issue assessment notices to determine whether a controller or processor is complying with its data protection obligations. This includes the right to enter specified premises and inspect equipment and documents, in certain circumstances with minimal or no notice. In this instance, the ICO executed a search warrant to enter premises. The fine serves as a reminder of these powers – and the ICO’s willingness to use them where necessary.
Failure to cooperate with the ICO is likely to be an aggravating factor. The ICO noted a number of aggravating features in the case, citing the large number of data subjects involved and huge volume of automated nuisance calls made as key factors in determining the amount of the fine, as well as the potential safety risks posed by the number of calls made to Network Rail’s control centre and the fact that the calls were made from “spoofed” phone numbers. The penalty notice places particular emphasis on the data controller’s attempts to avoid detection and evade the ICO’s jurisdiction. The ICO noted that CRDNN had continued to act in contravention of PECR even once it was under investigation by the ICO (amounting in the ICO’s words to a “total disregard of the law”) and had also transferred the service provision from the UK to Hong Kong after the investigation was opened in an attempt to avoid the ICO’s jurisdiction. In addition, CRDNN failed on multiple occasions to respond to correspondence from the ICO, including the Notice of Intent which preceded the final penalty. The fine therefore highlights the value of cooperating with the ICO in the course of investigations and in particular the importance of responding promptly to any formal requests or notices.
Directors’ behaviour can also be taken into account. Throughout the monetary penalty notice, the ICO references the behaviour of the directors of the company, including email correspondence obtained by the ICO as part of its investigation and search of the premises. This correspondence is cited in the monetary penalty notice as evidence that the breaches of PECR were deliberate. The ICO also notes that the directors liquidated previous companies that it was investigating, and the ICO took steps to prevent CRDNN being struck off the Companies House register. In addition, the ICO noted that the directors of CRDNN had “not been forthcoming with the Commissioner’s investigation”, and took measures to “evade detection and continue automated calling, upon learning of the Commissioner’s investigation”. This serves as a reminder that internal correspondence and actions of senior decision makers can be damaging in ICO enforcement proceedings.