American Express Service Europe Limited (“Amex”) was fined a hefty £90,000 by the Information Commissioner’s Office (“ICO”) as a result of a “serious contravention” of regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (“PECR”).
WHAT IS PECR?
The ICO is an independent authority in the UK that upholds information rights in the public interest. The ICO offers advice and guidance to service providers to ensure compliance with PECR. It also has the power to enforce any breaches by imposing fines on the contravening company or individual.
During the ICO investigation, it was found that between 1 June 2018 and 21 May 2019, Amex had sent over 4 million unsolicited marketing emails to individual customers without their prior consent. The ICO held that not only had Amex acted negligently, but that it had also failed to take reasonable steps to prevent the violation of PECR, in particular regulation 22, which specifically governs the use of email for direct marketing purposes. The ICO considered the offence an even more severe breach given that Amex had failed to review its marketing model despite receiving complaints from customers.
While regulation 22(3) allows for some exceptions to the rule, none of these was applicable in the present case.
The recipients of these unsolicited marketing emails included customers who had opted out of receiving marketing messages from Amex, so the mailings directly contravened the opt-in regime introduced by the regulation. Moreover, the ICO deemed that these emails were sent deliberately, as they had the effect of encouraging recipients to make purchases using their Amex cards, which in turn generates financial gains for Amex. The gravity of the breach was, therefore, reflected in the fine.
For more information, and any guidance or advice on PECR and other data protection laws, Cleveland & Co External in-house counsel™, your specialist outsourced legal team, are here to help.