The Information Commissioner's Office ('ICO') which is the UK's data protection supervisory authority, recently issued a fine of £100,000 to EE Limited, a telecoms company operating in the UK. The fine was issued in response to EE Limited having sent two and a half million unsolicited direct marketing messages to its customers, back in early 2018. The direct marketing messages were sent without EE Limited having first obtained the required consent to send them to its clients.
The messages in question were sent in two batches, the first suggested to customers to download and use the company's mobile phone app to manage their account. The second batch was sent to encourage those who had not yet engaged with the first message to do so. The ICO found these messages to be in breach of electronic marketing rules, specifically the national laws enacted to implement the ePrivacy Directive, which came into force in 2011.
The Maltese law which transposes the ePrivacy Directive is the Processing of Personal Data (Electronic Communications Sector) Regulations1. This law provides that the general rule is that the consent of recipients is required ('opt in rule') prior to them receiving any direct marketing via electronic communications. "Electronic communications" is understood to include automatic calling machines, facsimile machines and electronic mail (which in turn incorporates text messages and emails). Since the introduction of the GDPR, for such consent to be valid, it must be freely given, informed and specific.2 A point worth noting is that the interplay between the ePrivacy Directive and the GDPR, when it comes to the issue of consent, amongst other things, may expose those entities carrying out direct marketing to fines issued by supervisory authorities overseas, if they are not careful.
The only exception to the general opt in rule is the soft opt in rule which dictates that prior opt in consent would not be required if all four of the following criteria are met:
- The recipient's contact details were originally obtained "in relation to the sale of a product or service";
- The entity sending the direct marketing must necessarily be the same one which had originally obtained the recipient's contact details;
- The marketing messages sent to the recipient must relate to "similar products or services" to those in relation to which the recipient's details were originally collected; and
- The recipient must be given the chance to object to receiving any direct marketing messages both at the time of the collection of his contact details as well as in each message after that.
Since EE Limited had neither obtained the recipients' consent, nor had it fulfilled the soft opt in criteria, the messages it sent led to it being in breach of direct marketing rules in the UK.
The ePrivacy Regulation, which will, if adopted, replace the ePrivacy Directive, is currently being discussed in the European Parliament.
1 Subsidiary Legislation 586.01
2 It should be noted that since at the time of the EE Limited case the GDPR was not yet in force, the added requirements for valid consent were not yet in force either.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.