Below I reproduce my recent correspondence with the Information Commissioner's Office - which is supposed to regulate data protection and online and telecoms based marketing.
After a couple of cold calls from a firm with whom I have never had dealings and who specialize in conning vulnerable people out of their meager savings on the pretext of taking claims forward or sorting out debt problems, I decided to track them down and report them to the ICO.
All my phones are registered with the Telephone Preference Service (TPS) and the ICO is responsible for enforcing the law against firms that ignore TPS registration.
I am still waiting to hear about this specific case, but in the meantime, I put in a Freedom of Information (FOI) request:
Please could you inform me exactly (since the ICO was formed) how many criminal prosecutions, cautions, enforcement notices, monetary penalty notices, injunctions, or enforcement orders* have been successfully sought or applied by the ICO against UK firms that, in violation of the relevant law, repeatedly call numbers that have been registered with the TPS.
* “Forms of regulatory action” listed at http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_regulatory_action_policy.pdf
I received the following response:
Information Held
Before answering your specific request, it may help to explain that since November 2007 the ICO and the Telephone Preference Service (TPS) have had a procedure in place for complaints about the receipt of unsolicited ‘live’ (as opposed to automated) telephone calls to be referred to the ICO for investigation where the person receiving the call has previously complained to the TPS and, after the TPS have written to the offending organisation, further calls have been received. This constitutes a breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003, known as ‘PECR’. These ‘repeat breach’ complaints are notified to the ICO on a fortnightly basis and on receipt are set up on our electronic case management system in the same way as complaints made directly to the ICO. All of these ‘repeat breach’ cases referred by the TPS are also recorded on a separate spreadsheet.
Since this arrangement began in 2007 the TPS has, to date, referred 665 complaints to the ICO in this way. Each complaint referred to us by the TPS is individually pursued by the ICO until it is resolved. Depending on the organisation that is complained about the outcome may be that we write to the organisation and seek their assurances that the complainant’s telephone number is suppressed from their marketing lists. Alternatively, in some cases we may use an individual complaint to determine that formal action is appropriate, which would usually be either a formal undertaking (which requires the organisation concerned to commit to a particular course of action in order to improve its compliance), or an Enforcement Notice.
Because a breach of PECR is not a criminal offence we cannot initially instigate a prosecution against an organisation for a breach of the regulations. Instead, where appropriate we can take enforcement action requiring the data controller to cease their practices. Failure to comply with an Enforcement Notice is a criminal offence, so if an organisation fails to comply with a notice served by the ICO we can then consider whether prosecution is appropriate.
You may find the following link to our website helpful, which gives information about the way in which the ICO considers complaints made under PECR:
http://www.ico.gov.uk/tools_and_resources/document_library/privacy_and_electronic_communications.aspx
The following link also explains about the amendments which have recently been made to PECR, and the new powers which have been given to the Information Commissioner as a result of these amendments:
http://www.ico.gov.uk/what_we_cover/promoting_data_privacy/~/media/documents/library/Privacy_and_electronic/Practical_application/enforcing_the_revised_privacy_and_electronic_communication_regulations_v1.pdf
In response to your actual request I can confirm that since PECR came into effect the ICO has issued 8 formal undertakings and served 9 enforcement notices against organisations for breaches of PECR in connection with live telephone calls. The details are as follows:
Details of all undertakings and enforcement action taken against organisations since August 2009 (including copies of the relevant undertakings and enforcement notices) can be found on the ICO website via the following link:
http://www.ico.gov.uk/what_we_cover/privacy_and_electronic_communications/enforcement.aspx
When regulatory action is taken against an organisation, it is usually as a result of a number of complaints being made to the ICO from individuals directly affected as well as those referred to us by the TPS. The two enforcement notices which are available on the ICO website (relating to SAS Fire & Security Systems and Direct Response Security Systems) have both been served on the basis of complaints received by the ICO from members of the public direct and via the TPS.
I can confirm that the ICO has not prosecuted any organisation for failing to comply with an enforcement notice relating to unsolicited live telephone calls, nor has it issued any cautions, monetary penalty notices, injunctions or enforcement orders for the same reason.
Summary: we have taken meaningful action against zero firms and served "enforcement notices" against nine.
I wrote back:
Since signing up all our phones with the TPS a number of years ago (and checking regularly to make sure we are still registered) I have been plagued by nuisance calls on my home and office phones. I have complained occasionally to the TPS and the ICO about these calls, but beyond asking the companies concerned to stop - which they usually do anyway after speaking to me (only to have their place taken by another firm) - it seems there is nothing you are prepared to do.
I realize most of these companies are based overseas and/or withhold their numbers (quite why they are allowed to do this I fail to understand) but some of them (such as the firm who rang me twice recently) are UK based and didn't even bother to hide their number.
In addition to reporting this firm to you (and not holding my breath) I also did a bit a research. It seems that this firm have a long history of ignoring TPS registration, are a bunch of fraudsters, and had an "Enforcement Notice" served on them several years ago by the ICO[*]. I also disvovered that the ICO has a range of penalties at its disposal that it can impose on firms that repeatedly and wilfully break the law in this way.
Armed with this information I decided to put in a FOI request to the ICO and discovered that, since the ICO began regulating in this area, exactly zero firms have been prosecuted or subjected to finacial penalties or cautioned or penalized in any meaningful way. I suggest that this fact entirely explains the problems I describe above.
So to come to the subject of my complaint: This is not about any specific case, it is about the ICO's manifest failure to regulate cold calling and punish firms that ignore TPS registration.
If your complaints department is not able to deal with general complaints of this nature, please advise me to whom I should redirect my complaint.
[*] I have since realized that the firm who rang me has a slightly different spelling from the firm listed above as under an "enforcement notice" and so (I assume) this firm has not previously been served with such a notice. I suppose the corollary of this is that I have no reason to assume that any of the above firms are fraudsters - though they are lawbreakers and pests. Sorry for mistake. The firm who rang me are, however, a bunch of fraudsters.
I received a paper reply which "appreciate[d] my frustration" but made it quite clear that the ICO has no intention whatsoever of regulating firms who ignore TPS any time soon.
I have just replied:
Dear ######
Thank you for your letter, but I’m afraid it entirely fails to explain what goes on (or, more accurately, doesn’t go on) behind the scenes at the ICO.
You say you can’t consider prosecution unless an organization fails to comply with an enforcement notice. Fine, so why not issue some enforcement notices to more than nine of the hundreds of firms involved? And why not prosecute the firms in this list of nine who have failed to comply with the enforcement notices they have been given.
You say you can issue civil monetary penalties of up to £500,000. Why not issue civil monetary penalties of up to £500,000 to more than zero of the firms who ignore TPS?
You suggest it is difficult to gather evidence, but this seems to be a matter of policy on your part rather than an obstacle to your policy: Why not:
1) Collect the evidence in one place rather than two (ie the TPS site and the ICO site – you could put in a through link)?
2) Use a simple web form instead of requiring complainants to fill in a Word form and then email it to you?
3) Receive complaints where only the number is known rather than requiring the complainant to track down the owner of the number (you could use the internet to trace the numbers yourself or even ask Ofcom who happily hand out the numbers to the spammers and scammers and presumably keep records).
4) Prohibit the use of CLI withholding by cold callers (OK you might need to involve Ofcom here).
5) Solicit the submission of evidence by engaging with sites like http://whocallsme.com/ and http://www.the-scream.co.uk/forums/f30.html?
I realize that you couldn’t possibly comment on what I am about to say next, but I also realize that you must know it to be true:
The firm “######” is clearly as bent as a £6 note. You would be doing everyone a favour (the victims of their frauds and the victims of their illegal cold calling) if you fined them £500,000 and put them out of business for good. Then publicized what you had done in the media!
In closing, should like to point out that I completely fail to understand whose interest you think you are serving by turning a blind eye to the spammers and scammers. It goes without saying that you are not serving the interest of the public. But nor are you serving the interest of commerce. I work for a private company and I know we all complain about “red tape”, but the deregulation and decriminalization of telecoms fraud (in all its forms) is resulting in a situation where normal commerce is becoming impossible. Every time I receive a phone call or an email or an SMS message these days I have to devote precious time and energy to making sure it is genuine. Ninety per cent of the time, it is not. I realize you could never fully eliminate telecoms fraud, but at the moment, you are not making the slightest attempt to even curtail it.
If your letter to me represents your final position, please inform me so I can take this matter to the Ombudsman.
Yours sincerely
Mike Ward
I await a response!
And here it is:
The response begins by pointing out that the company XXXXX who called me twice recently are not the same firm as the firm with a similar name against whom an Enforcement Notice was served - something I had already worked out for myself and corrected in a follow up message to the ICO (see [*] above).
The response goes on to say:
The TPS regularly updates the ICO on the ‘Top 20’ companies complained about and where they receive repeat complaints, we are notified and a case is created at the ICO.
Civil monetary penalties
The use of this power is limited to circumstances where:
• there has been a serious contravention of PECR; and
• the contravention was of a kind likely to cause substantial damage or substantial distress; and
• the contravention was deliberate or the person responsible knew or ought to have known that a contravention would occur and failed to take reasonable steps to prevent it.
The circumstances in which it is appropriate to serve a monetary penalty will be limited. The Commissioner does though take the view that the requirement to demonstrate the potential for “substantial damage or substantial distress” can be met by contraventions where the damage or distress to any one individual is more limited but large numbers of individuals are affected. Thus there is the potential to impose monetary penalties for serious contraventions of the PECR provisions relating to the sending of unsolicited marketing messages.
The Commissioner is required to issue guidance on how he proposes to exercise his powers to impose civil monetary penalties. Now that the power has been extended to contraventions of PECR he will have to revise his existing guidance. The revised guidance will follow broadly the same approach as the current guidance. The revised guidance has to be approved by the Secretary of State and laid before Parliament before it can be issued. In addition the Commissioner will consult those likely to be affected by the revised guidance. This means that the revised guidance is unlikely to be issued before October 2011.
The Commissioner does not intend to impose any civil monetary penalties for PECR contraventions until the revised guidance has been issued. In any case he is not able to impose penalties for breaches that took place before the coming into force of the 2011 Regulations on 26 May 2011. The Commissioner may nevertheless start to gather evidence of non compliance from 26 May 2011 onwards for future use in connection with the imposition of civil monetary penalties. Furthermore, and subject to the provisions of this note, there is still the possibility of the Commissioner using his existing enforcement powers in connection with PECR contraventions. His new third party information notice powers will be available to assist him with this.
What Next?
This letter marks the end of our internal complaints process.
If you believe we have provided you with a poor service, or if you believe we have not treated you properly or fairly then you may be able to complain to
The Parliamentary and Health Service Ombudsman, Millbank Tower, Millbank, London SW1P 4QP
All complaints to the Ombudsman must be made through an MP. I would advise you to first call the Ombudsman’s Helpline on 0345 015 4033 or visit her website at www.ombudsman.org.uk to see if she is able to assist you further.
If, however, your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you. If you want to challenge our interpretation of the law, you should consider seeking legal advice.
Yours sincerely
etc.
So there you have it. Cold calling people who are registered with the TPS is (like phone hacking) illegal, but no action is ever taken against firms who break that law - though it might one day if one of them causes "substantial damage or substantial distress".
This is rather like saying: "it's illegal to drive at 100mph in a 30mph limit, but we'll only actually fine you if you knock someone down".
[NOTE I don't of course suggest that being called by these fraudulent scumbags is equivalent to being run over by a car, but if one of them ever stood in front of my car I'd be sorely tempted.]
Next stop the Ombudsman. As the ICO point out, he will reject my complaint: "if [...] your complaint relates to the way in which we have interpreted the law then the Ombudsman cannot help you", but perhaps something deep inside him will squirm slightly as he composes his refusal to do anything.
....... another postscript (I expect there will be many):
An email from the ICO about my specific complaint about the specific "claims management" firm that rang me up twice in spite of my TPS registration:
Dear Dr Ward
Thank you for your complaint form regarding the unsolicited marketing calls you have received from XXXXXX.
What we do
The Information Commissioner’s Office regulates the Privacy and Electronic Communications Regulations 2003 (PECR). The PECR are concerned with the way organisations send marketing material by fax, text, email and telephone. Marketing can include the promotion of goods, services, aims or ideals.
Direct marketing calls
Regulation 21 of the PECR says that unsolicited live direct marketing telephone calls cannot be made to a telephone number if:
• that number has been registered with the Telephone Preference Service (TPS) for 28 days or more; or
• the organisation has specifically been asked not to make marketing calls to that number.
Next steps
You have not advised us that you have already contacted the organisation to ask them to stop calling you. In addition you have not advised us of the telephone number on which you received the call. Telephone number xxxxx xxxxxx does not appear to be registered with the TPS although [my mobile number] does appear to be registered.
Unfortunately if the number is not registered with TPS we cannot pursue a complaint about these telephone calls under the PECR at this stage.
If the number is not registered we would strongly recommend that you now consider registering the telephone number with the TPS. TPS registration is free and takes 28 days to become fully effective.
The TPS’s contact details are:
Telephone Preference Service
DMA House
70 Margaret Street
London
W1W 8SS
www.tpsonline.org.uk
Registration line: 0845 070 0707
Complaints department: 020 7291 3320
Alternatively you could write to the organisation that is calling you to ask them to stop. We would suggest that you retain a copy of any correspondence you send as evidence. We would expect the organisation to act on this instruction within 28 days.
If the number you received the call on is registered with the TPS please advise us of the number. To help us deal with your complaint as quickly as possible, please reply to this email, being careful not to amend the information in the ‘subject’ field. Please quote the above case reference number in all future correspondence about this matter.
As we cannot progress your complaint without the information we have asked for it will now be closed until we hear from you again.
Yours sincerely
etc
Of course telephone number xxxxx xxxxxx does appear to be registered with the TPS if you enter it into their website (which I do at least once a year to make sure it is still registered) and I have sent Mr "etc" a link to the relevant confirmation message.
I shall post any responses!