Is your organisation carrying out “rigorous checks” on third party suppliers?

News of Information Commissioner’s Office (“ICO”) fines issued to companies for nuisance calls and messages seem as though they appear across our news feeds on a daily basis.  In March alone ICO reported 196 cases under investigation with close to £600,000 of fines issued.  In one of ICO’s most recent fines, action was taken against a used car company in Radcliffe (the “Company”) for unlawfully and unfairly using data it obtained from other organisations (“Third Parties”) to send over 300,000 unsolicited text messages. 

Why is this case important?

This case may have gone unnoticed given that the total fine issued against the Company was a modest £40,000.  However, when digging into the reasoning behind the fine (buried in the detail of the Monetary Penalty Notice), we found wider implications that would catch the attention of many organisations; namely that ICO considers it (i) unacceptable “to rely on assurances given by third party suppliers without undertaking proper due diligence”; and (ii) an aggravating factor if an organisation is in breach of a compliance issue that has been widely publicised by media and regulatory guidance.  This case also supports a continuation of a broader trend in ICO enforcement action that we have identified from our recently published Privacy and Security Enforcement Tracker where we are increasingly seeing ICO’s portfolio of cases addressing a broader range of more technical non-compliance issues.

What rules did the Company breach?

During the course of ICO’s investigation, the Company explained that it had obtained the data (used to send the unsolicited text messages) from a number of approved Third Parties with whom they had introducer agreements.  The Company provided ICO with the “opt-in statements” it relied on from the Third Parties which included the following statement:

“Please be aware that once you use our Services, you will be regarded as having given your consent to us disclosing your personal information to… other third party organisations for the purpose of marketing. These organisations may contact you about their products or services with your prior consent”    

Regulation 22(2) of PECR[1] requires recipients of electronic mail (the text messages in this case) to directly notify the sender (the Company) that they consent to messages being sent by that sender.  Although such consent was not provided directly by the recipients in the present case, the Company relied on indirect or third party consent as captured by the “opt-in statements” above.  ICO recognised that reliance on indirect consent is valid but only to the extent that the relevant third party statements relied upon are clear and specific enough.  Having considered the evidence, ICO found that the Company was unable to prove that appropriate consent had been obtained from the recipients (whether directly or indirectly) and it was therefore in breach of Regulation 22(2) PECR.

Carrying out proper due diligence

ICO emphasised the need for organisations to undertake proper due diligence on third party suppliers when buying marketing lists by carrying out “rigorous checks” to satisfy themselves that the third party had the necessary consents and obtained personal data fairly and lawfully. ICO also reminded organisations to take extra care in ensuring that such consents are reasonably recent and that they clearly extended to them specifically or to organisations fitting their description (pages 10-11 of the Monetary Penalty Notice provides a list of due diligence questions suggested by ICO). In this regard, the Company failed to take reasonable steps to prevent the PECR breach as it could not provide evidence that appropriate due diligence on the Third Parties had been undertaken.

Tracking media and regulatory guidance

ICO also highlighted the Company’s heavy reliance on direct marketing and that the issue of unsolicited text messages was widely publicised by the media as being a problem.  Further, ICO referenced the guidance it has published for those carrying out direct marketing explaining their legal obligations under PECR.  As a result of these reasons, ICO considered the Company’s action as negligent as it knew or ought to have known that there was a risk that a breach of the PECR would occur. 

What are the wider implications for organisations?

Firstly, the importance of tracking regulatory guidance and ensuring that any relevant advice is operationalised within an organisation should not be underestimated.  In the context of ICO’s code of practice on privacy notices, we drew attention in a previous blog to the fact that although ICO cannot take action over a failure to adopt good practice, it can have due regard to advice provided in the code when considering whether or not provisions of the Data Protection Act 1998 have been breached.  Similarly in this case, ICO referenced its guidance on PECR and the publicity in the media which effectively put the Company “on notice” that any relevant breach would inevitably be considered a “negligent” breach and therefore an aggravating factor when determining the consequences of non-compliance.    

Secondly, although this case focused on direct marketing in the context of electronic communications, there appears to be a broader trend developing in that ICO is moving away from predominantly focusing on areas such as breaches of security (the 7th data protection principle) and entering into the realm of dealing with more varied and technical non-compliance issues.  It is clear from this case that simply relying on written statements from third parties that may broadly cover an organisation’s data processing activities is a risky strategy.  Even if it does cover such activities, ICO is demanding more from organisations by expecting rigorous due diligence checks on third parties – anything short of this is considered unacceptable by ICO.  

The wider implications really start to surface once you extend the application of ICO’s strict due diligence stance in this case to other scenarios such as the provisions included in third party data processing contracts.  In these circumstances, organisations should fully expect ICO to investigate whether such provisions they rely on are worth the paper they are written on and whether organisations can adequately demonstrate compliance to an acceptable level; a cornerstone of the GDPR[2] under the “accountability principle”. Again, we are witnessing yet another example of how regulators are operating “as if” the GDPR already applies.

[1] The Privacy and Electronic Communications (EC Directive) Regulations 2003

[2] EU General Data Protection Regulation

Tughan Thuraisingam  | Solicitor – Cyber Security and Data Protection Legal Services | PwC - UK
[email protected] | +44 (0)20 7804 3770

More articles by Tughan Thuraisingam