The word ‘fine’ is easier and quicker to say than the phrase ‘civil monetary penalty’. Even if you truncate it to ‘CMP’, problems still arise when you get to verbs. ‘Fined’ is OK, but ‘CMPeed’ sounds silly. Occasionally, I am guilty of using ‘CMP’ and ‘fine’ interchangeably. The average attendee on a training course needs to know that there might be financial consequences for a faltering Data Protection framework, but what they really need to get to grips with is how to build and sustain that framework. Even so, if I catch myself using ‘fine’, I correct myself, even though it might not matter in context. To be clear, when you breach Data Protection, you *UPDATE* generally *UPDATE ENDS* run the risk of receiving a Civil Monetary Penalty, and not a fine. Both involve you handing over large sums of money, but the legal context is different.
News reporting is very different to a bald man doing jazz hands on a training course. When the marketing news website The Drum reported Roddy Mansfield’s success in suing John Lewis over unsolicited emails, their clumsy use of terminology meant that their story was wrong. The headline states that John Lewis were ‘fined’ – they weren’t, they were ordered to pay damages. If John Lewis were being fined by a court, that would mean they had been found guilty of a criminal offence. Saying that John Lewis were ‘successfully prosecuted’ is the same mistake – John Lewis were sued (civil matter) not prosecuted (criminal matter). A bigger – and in context, more damaging – error came when the article stated ‘Existing EU legislation bans businesses from promoting their wares through marketing emails unless it can be proven that the recipient consented to them or was a customer’. The relevant law here – the Privacy and Electronic Communications (EC Directive) Regulations 2003 – does not say that organisations can market to customers. It’s consent or nothing. There is a mechanism by which, during negotiations for a sale, the standard opt-in can be switched to an explicit opt-out for marketing about similar products or services. But that’s very different to saying ‘marketing to customers is OK’.
It’s a problem that The Drum is touting this misinterpretation because it is a common misconception / excuse for badgering people. PECR doesn’t give a right to market to your customers unless they have consented. If a website that is supposed to be a reliable news source is trotting out this nonsense, marketers will keep using it as an excuse for bothering people without consent.
There are some contexts in which precision is not just desirable, but essential. In the fevered rush to leap on the eBay bandwagon a week or so ago, the Information Commissioner once again demonstrated a fondness for the word ‘breach’ when talking about a big, eye-catching incident. Graham’s comment on his website was clear, in circumstances where clarity is absent: “on the face of it, this is a very serious breach”. It is the ICO’s job to decide whether incidents involving personal data indicate a breach of one of the Data Protection principles. When Graham uses the word ‘breach’, it can only mean one thing: a contravention of one of those principles. At the time his comment was issued, the ICO hadn’t even decided whether or not to launch an investigation into the incident. Given that eBay is based in Luxembourg, I think it’s all showboating and what anyone in Wilmslow thinks or doesn’t think is irrelevant. But the terminology is important. Until the matter is investigated, we don’t know if eBay have breached anything.
Graham’s deputy, David Smith, came unstuck at the Tribunal on the doomed Borders case because he could not separate the incident (papers in a recycling bin) from the breach (lack of proper contracts). I don’t think Borders should have received a CMP, but it’s not hard to see how such confusion hampered the ICO’s case that they should have.
You could argue that the misuse of the word ‘breach’ isn’t that important, and that everyone does it except me. However, can anyone say that it’s unimportant for the ICO to explain the consequences of its actions properly? Last week, they issued an Enforcement Notice on Wolverhampton City Council, following the council’s failure to train enough of its staff by a specific deadline. Unlike undertakings, which are a grandiose slap on the wrist, Enforcement Notices have legal force. There are consequences if the organisation doesn’t comply with them. It takes only a short trip to Section 47 of the Data Protection Act to find out what those consequences are. The text isn’t even ambiguous: “A person who fails to comply with an enforcement notice, an information notice or a special information notice is guilty of an offence”. So when the ICO’s press release says “The council must now make sure the training is provided to all staff within 50 days, or the matter will be treated as contempt of court”, it’s incorrect. Whoever wrote the press release either doesn’t know or doesn’t care that contempt of court is what happens when you breach an FOI enforcement notice. You’d think they understand the power that they actually use, rather than the one they’ve effectively retired, but apparently not.
UPDATE: the ICO picked up on a tweet that I sent over the weekend, and the offending line has now been removed.
You probably don’t care about this. My ‘ICO is clueless’ schtick has served me well over the years but it’s probably a tired routine and I need some new material. But it matters. News reporting of data protection is terrible – the Drum’s clumsy mishandling of Mansfield’s case is the standard. Misinformation is routinely spread around, especially by those who seek to apply lower standards. If the ICO is as guilty as everyone else of sloppy language and muddy thinking, there’s little hope that anyone will understand what they’re expected to do, or what might happen if they don’t.