EA/2023/0314.FP - [2025] UKFTT 01119 (GRC)
Date: 24-Sep-2025
THE LAW
Section 55A of the Data Protection Act 2018 (DPA) contains the power of the Commissioner to impose a monetary penalty and an enforcement notice for contravening regulations 21 and 24 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
Materially, s55A DPA reads as follows:-
S55A Power of Commissioner to impose monetary penalty
The Commissioner may serve a data controller with a monetary penalty notice if the Commissioner is satisfied that—
there has been a serious contravention of section 4(4) by the data controller,
the contravention was of a kind likely to cause substantial damage or substantial distress, and
(c) subsection (2) or (3) applies.
This subsection applies if the contravention was deliberate.
This subsection applies if the data controller—
knew or ought to have known —
that there was a risk that the contravention would occur, and
that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but
failed to take reasonable steps to prevent the contravention.
A monetary penalty notice is a notice requiring the data controller to pay to the Commissioner a monetary penalty of an amount determined by the Commissioner and specified in the notice.
The amount determined by the Commissioner must not exceed the prescribed amount.
The monetary penalty must be paid to the Commissioner within the period specified in the notice.
The notice must contain such information as may be prescribed.
Section 55B(5) DPA provides the Appellant with a right to appeal to the tribunal against (a) the issue of the monetary penalty notice; and (b) the amount of the penalty specified in the notice.
The language of the PECR must be read in light of the purpose of Directive 2002/58/EC of 12 July 2002 (the Directive), which the PECR implemented. Thus, recital (42) to the Directive provides that:-
…forms of direct marketing that are more costly for the sender and impose no financial costs on subscribers and users, such as person-to-person voice telephony calls, may justify the maintenance of a system giving subscribers or users the possibility to indicate that they do not want to receive such calls. Nevertheless, in order not to decrease existing levels of privacy protection, Member States should be entitled to uphold national systems, only allowing such calls to subscribers and users who have given their prior consent.
Article 13(3) of the Directive further provides that:-
Member States shall take appropriate measures to ensure that, free of charge, unsolicited communications for purposes of direct marketing, in cases other than those referred to in paragraphs 1 and 2, are not allowed either without the consent of the subscribers concerned or in respect of subscribers who do not wish to receive these communications, the choice between these options to be determined by national legislation.
Reg 21 of PECR reads materially:-
—(A1) A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making calls (whether solicited or unsolicited) for direct marketing purposes except where that person—
does not prevent presentation of the identity of the calling line on the called line; or
presents the identity of a line on which he can be contacted.
A person shall neither use, nor instigate the use of, a public electronic communications service for the purposes of making unsolicited calls for direct marketing purposes where—
the called line is that of a subscriber who has previously notified the caller that such calls should not for the time being be made on that line; or
the number allocated to a subscriber in respect of the called line is one listed in the register kept under regulation 26.
A subscriber shall not permit his line to be used in contravention of paragraphs (A1) or (1).
A person shall not be held to have contravened paragraph (1)(b) where the number allocated to the called line has been listed on the register for less than 28 days preceding that on which the call is made.
Where a subscriber who has caused a number allocated to a line of his to be listed in the register kept under regulation 26 has notified a caller that he does not, for the time being, object to such calls being made on that line by that caller, such calls may be made by that caller on that line, notwithstanding that the number allocated to that line is listed in the said register.
Where a subscriber has given a caller notification pursuant to paragraph (4) in relation to a line of his—
the subscriber shall be free to withdraw that notification at any time, and
where such notification is withdrawn, the caller shall not make such calls on that line.
Paragraph (1) does not apply to a case falling within regulation 21A or 21B.
Although reg 22 of PECR is not directly relevant to this case, it is considered in relevant case law and the Appellant seeks to draw distinctions between it and reg 21 of PECR. Materially it reads:-
Use of electronic mail for direct marketing purposes
—(1) This regulation applies to the transmission of unsolicited communications by means of electronic mail to individual subscribers.
Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.
A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
the direct marketing is in respect of that person’s similar products and services only; and
the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.
A subscriber shall not permit his line to be used in contravention of paragraph (2).
In Microsoft Corporation v McDonald [2006] EWHC 3410 (Ch), Lewison J said:-
13. … What is the meaning of the word ‘instigate’? [Counsel for Microsoft] submits that it has its ordinary dictionary definition which includes urging or inducing somebody to do something. I accept that submission. I do, however, consider that to urge or incite somebody to do something requires more than the mere facilitation of the action concerned; it requires, in my judgment, some form of positive encouragement.
In Leave.EU Group Ltd and Eldon Insurance Services v Information Commissioner [2021] UKUT 26 (AAC), it was common ground between the parties that the Microsoft test was ‘an accurate statement of the law as to the meaning of ‘instigate’’ (para 64).
In relation to whether a breach is serious the comments of the UT in Leave.EU are noted at para 54:-
[W]e agree with the FTT that ‘although the complaints from subscribers were few in number, they seem to us accurately to describe the problem’ (paragraph [86], see paragraph 34 above). In any event, the volume of complaints cannot be a reliable let alone determinative metric for deciding whether there has been a PECR breach, given that subscribers have easier default options than lodging a formal complaint with the Commissioner.
Pursuant to art 4(7) UK GDPR, the Appellant was responsible for ‘determin[ing] the purposes and means of the processing’. Art 24(1) UK GDPR also obliged the Appellant to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary’.
In relation to the level of penalty imposed, in Doorstep Dispensaree Ltd v Information Commissioner [2024] EWCA Civ 1515, the Court of Appeal found that it was open to a Tribunal tasked with reviewing afresh a monetary penalty imposed by the Commissioner under s163 DPA to nonetheless ‘attach weight to the fact that something said in a penalty notice was informed by the knowledge and expertise of an individual to whom Parliament has given functions and responsibilities as regards data protection’ (para 57).
The Commissioner’s role under art 83(1) UK GDPR is to consider whether a penalty was ‘effective, proportionate and dissuasive’, and to have due regard to the matters set out in art 83(2). Art 83(2) reads as follows:-
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
the nature, gravity and duration of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
the intentional or negligent character of the infringement;
any action taken by the controller or processor to mitigate the damage suffered by data subjects;
the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
any relevant previous infringements by the controller or processor;
the degree of cooperation with the Commissioner, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
the categories of personal data affected by the infringement;
the manner in which the infringement became known to the Commissioner, in particular whether, and if so to what extent, the controller or processor notified the infringement;
where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.
BACKGROUND
The Appellant is a business energy supplier licensed by Ofgem and a private company registered in England.
On 7 July 2020, the Appellant concluded an agreement with Aims Contact Technologies Pvt Ltd (AT), a marketing company registered in Pakistan. Under the agreement, AT promised to ‘ensure the successful switch over of customers to [the Appellant]’, in return for the payment of commission. Amongst other things:-
the parties agreed that AT would ‘give priority to the provision of the Services to [the Appellant] over any other business activities undertaken by [AT]’ for the duration of the contract;
the parties stipulated that the Appellant was the controller of all personal data processed by AT for the purposes of the agreement; and
although the agreement committed the Appellant and AT to comply with ‘applicable requirements of the DP legislation’ - defined as the GDPR and Data Protection Act 2018 - it made no mention of the parties' corresponding obligations under the PECR.
under the agreement, AT agreed to comply with the Appellant's Code of Conduct as set out in Schedule 3 to the agreement. Schedule 1 of that Code set out TPI ‘monitoring arrangements’ including (i) ‘call monitoring of a proportional sample of sales against the principles set out in the code’; and (ii) compliance assurance reviews to ‘ensure we are delivering the right outcomes for our customers and fulfilling our regulatory obligations’.
Pursuant to Schedule 1 of the Code, AT also agreed to comply with ‘all applicable laws and governmental rules, regulations, industry agreements and orders’. Schedule 1 of the Code also set out the various means by which the Appellant would undertake ‘risk-based monitoring and assurance of the Code’, including site visits, remote audits, targeted monitoring and requests for evidence.
On 16 April 2021, the City of London Police notified the Commissioner that it was investigating a number of energy supply companies, including the Appellant, in relation to nuisance phone calls to small businesses and possible fraudulent activity.
Following the notification, the Commissioner identified 116 complaints concerning the Appellant for the period between January 2019 and March 2021. A number of small businesses complained of receiving calls - in some cases, repeatedly - inviting them to switch their contracts to the Appellant. In several cases, the callers purported to be calling on behalf of the businesses' existing energy company or the National Grid.
A further search revealed similar complaints from persons who had registered on the no-call list of the Telephone Preference Service (TPS) and Corporate Telephone Preference Service (CTPS).
Additionally, the Commissioner identified a complaint dated 29 March 2021 from a person on the TPS no-call list. The complainant had made a subject access request to the Appellant seeking copies of call-recordings and documents relating to a mis-sold energy contract, but received no response.
In keeping with a number of the other complaints, the complainant said that he had been called by someone purporting to be from his existing energy supplier who invited him to switch his contract to the Appellant, assuring him it would be substantially cheaper (which assurances proved to be false).
Further enquiries by the ICO in November 2021 revealed that calling line identifiers (CLIs) linked to the Appellant complaints had been assigned to AT. This included CLI 020 8068 8407.
On 10 December 2021, the Commissioner wrote to the Appellant, stating that his office and the TPS/CTPS had received a number of complaints about unsolicited direct marketing calls that appear to have been made by or on behalf of the Appellant in breach of the PECR and that, in light of these complaints, he had commenced an investigation of its compliance with the PECR. Attached to the Commissioner's letter was a spreadsheet of 24 complaints received by the ICO, TPS and CTPS between January 2020 and November 2021 from 20 separate subscribers concerning calls made on the Appellant's behalf from CLI 020 8086 8407. Fourteen of the subscribers were registered with the TPS/CTPS.
The Commissioner asked the Appellant to provide information concerning its relationship with AT, including:-
whether the Appellant carried out due diligence checks to ensure that any call lists provided by third parties were accurate;
whether the Appellant had screened the data against the TPS and CTPS registers prior to making unsolicited marketing calls;
whether the Appellant operated an internal suppression list of numbers where it had been advised that the subscriber did not want to receive any marketing communications from it; and
copies of any policies or procedures regarding contact with customers and the Appellant's responsibilities under the PECR.
On 18 January 2022, the Appellant responded substantively to the Commissioner's request for information, in which, materially, it admitted to using AT to make marketing calls but insisted that AT:-
…have proper management system in place. They source data from 3rd Party Data Vendors, customer referrals and in house data base of already signed customers. Prior to dialling they do data scrubbing against all their leads which they source through all above mentioned means against the Do not Call list (DNC). They have protocols and SOPs in place to ensure TCPA, TPS Compliance. Their work force is trained to ensure any contact established and reported as on TPS, they immediately apologies and ensure the number is being reported and blocked on all channel of communication. This is their Standard Operating Procedure. They have provided screen shots of this practice. They maintain and ensure all such numbers are immediately suppressed and blocked and they also maintain proper record.
The Appellant also maintained that, until it had received the Commissioner's letter, it had ‘not received a single complaint that our TPIs has breached the guidelines of TPS or PECR’.
On 10 February 2022, the Appellant provided the Commissioner with a list of 26 TPIs which it worked with in the period between December 2020 and November 2021, including AT. The Appellant provided 14 call recordings to telephone numbers that matched those on the Commissioner's complaints spreadsheet. It also provided a spreadsheet entitled 'Quality Assurance and Self-Assessment Form', completed by AT.
On 21 February 2022, the Commissioner asked the Appellant to provide further information, including a detailed description of the procedure used by AT for screening numbers against the TPS/CTPS.
On 7 March 2022, the Appellant responded further to the Commissioner's inquiries but failed to provide any detail concerning AT's screening procedures.
On 14 December 2022, having taken its submissions into account, the Commissioner notified the Appellant of his intention to issue it with a monetary penalty notice and an enforcement notice. Again, the Appellant was given the opportunity to make representations, which it did.