In LAD Media Ltd v ICO, a monetary penalty by the ICO for unsolicited marketing texts has been reduced on appeal by the First-Tier Tribunal (Information Rights).
Having bought data from a 3rd party, LAD claimed that they had evidence that the people contacted had consented. This though amounted to general notices on websites, which the ICO felt was not clear enough to cover how the data would be used (so the individuals had not consented).
LAD appealed the ICO’s decision. The Information Tribunal upheld that there had been a serious breach, including adverts for loans being sent to names obtained from a gambling website. However, the Tribunal reduced the penalty from £50,000 to £20,000, taking into account that it was LAD’s first offence, their size and the amount of profit in the year of the breach.
The Tribunal listed the following factors as relevant:
- Circumstances and harm caused by the breach;
- If the breach was deliberate or negligent and steps taken to avoid the breach;
- Size, sector and financial circumstances of offender;
- Steps taken to avoid further breaches and any redress offered to those affected; and
- The penalty should serve as a deterrent
The case is a reminder to firms that ICO’s decisions can be appealed and the relevant factors for determining the level of penalties. However, from 25 May 2018 much larger fines will be possible through the EU General Data Protection Regulations (“GDPR”).
We are hosting a free webinar on Monday 24 July on the changes coming about through the GDPR. Signup can be found here.