Introduction
Earlier this month the UK Information Commissioner’s Office (ICO) fined the parenting organisation Lifecycle Marketing (Mother and Baby) Ltd., better known as Emma’s Diary, for collecting and selling personal data in ways that were in serious breach of data protection law.
What is the background to the case?
In May 2017, Emma’s Diary, which provides advice on pregnancy and childcare, collected and then sold 1,065,220 records under a data supply agreement to Experian Marketing Services (Experian). Emma’s Diary is known to many across the UK as a source of pregnancy advice for mums-to-be and for childcare advice – often being brought to the attention of mums-to-be by their doctor, midwife or another healthcare professional.
Each record contained the following personal data:
- parent’s name
- household address
- the presence of children up to 5 years old in the household
- date of birth of mother and child
Emma’s Diary obtained this data through the online registration system on its website and also through an offline registration form.
Experian, acting for the Labour Party (either as its agent or as its data processor), put those records on a database that it hosted for the Labour Party to assist it with a direct marketing mail campaign for the 2017 UK General Election. According to the information Emma’s Diary gave the ICO, this would allow the Labour Party to send political marketing communications to those with young children, about, for example, the Labour Party’s intention to protect Sure Start children’s centres (a government programme providing childcare and related support for children). Experian listed the Labour Party as its client.
What did the ICO determine?
Emma’s Diary informed the ICO that “All data supplied agreed to be contacted via the postal channel and by 3rd party marketers and the usage of the mums’ data is fully outlined within our Privacy Policy [sic]”. However, the ICO’s investigation concluded that this was not in fact the case and that up to the time when it provided the records to the Labour Party, Emma’s Diary had not given any indication that personal data might be shared with the Labour Party – as the ICO put it “Based on the information provided data subjects would not have foreseen that their data would be shared with a political party as described [in the Privacy Policy].”
In legal terms, the ICO found that Emma’s Diary had failed to comply with the data protection ‘fairness’ principle, which includes a transparency duty requiring a data controller to provide or make available to data subjects information about the purposes for which their personal data will be used. Further, according to the ICO, “The ‘fairness’ requirement […] also included a substantive duty to treat individuals fairly when using their personal data. In particular, fairness involves adhering to individuals’ reasonable expectations of how their data will be used and not using their data in ways that cause them damage or distress, unless there is some sufficiently weighty justification for doing so. As indicated [by the ICO] the data subjects would not reasonably have expected their personal data to be disclosed to a political party for the purposes of political marketing. Given in particular the party-political use of this data, this disclosure risked causing distress to some affected data subjects. [Emma’s Diary] had no adequate justification for acting as it did. Its actions appear to have been motivated by financial gain.”
In addition, the ICO found that although Emma’s Diary’s privacy policy suggested that Emma’s Diary had tried to justify its disclosure of data to third parties for marketing purposes by reference to data subjects providing consent, the conditions for consent had not been met because “they were not specific and informed, given that the data subjects were not told that their data may be shared for the purposes of political marketing by the Labour Party or any other party.” The ICO also ruled out the possibility of so-called ‘legitimate interests’ applying because “Given its failure to inform data subjects that their personal data may be shared with the Labour Party or indeed for any political purposes, the [so-called] balance of interests entailed [under the “legitimate interests” conditions] tipped against [Emma’s Diary].”
The ICO concluded that the breach was a serious one due to:
- the high number of affected data subjects, including young children;
- the fact that the disclosure went against the privacy policy;
- the creation of a real risk of distress; and
- the fact that individuals were exposed to a significant loss of control over their data, which was exacerbated by Emma’s Diary not having informed individuals about the disclosure either before or after it had taken place.
The ICO also set out why it considered the breach was one likely to cause substantial damage or distress, including the fact that “At least some of the affected data subjects are likely to have been distressed by [the] failure to adhere to their expectations about how their data would be used. At least some data subjects would reasonably feel misled.”
Due to the nature, seriousness and potential consequences of the breach, the ICO concluded that a fine of £140,000 was reasonable and proportionate.
The ICO’s full decision can be found here: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/08/emma-s-diary-fined-140-000-for-selling-personal-information-for-political-campaigning/
What are the takeaways?
This case was decided under the prior data protection law, the Data Protection Act 1998 (DPA 1998), which has now been replaced by the General Data Protection Regulation (GDPR) and, in the UK, by the Data Protection Act 2018 (DPA 2018).
Lessons to be learnt from this case for compliance with the new regime include:
- Generally speaking, under GDPR, when collecting personal data there must be full transparency about who personal data will be shared with, including in a privacy policy (which essentially means naming those parties). If consent is the basis on which personal data will be acquired, full transparency about who personal data will be shared with must be provided prior to obtaining consent.
- You can’t rely on a new privacy policy to retrospectively justify what you did before. This case shows that in most cases the regulator will want to look at the privacy policy in place when the data was collected, especially if you rely on a privacy policy to make your data collection lawful (for example by consent or a legitimate interests statement).
- When purchasing marketing lists, this case shows the need to do full due diligence on the seller and to put in place the appropriate contractual data protection terms with them. You’ll need to do a full check on how consent was obtained etc.; also consider doing a Data Protection Impact Assessment.
- The fine in this case was imposed under the DPA 1998 rules, where the maximum imposable fine was £500,000. Under the new regime, fines for serious breaches may be imposed of up to a maximum of 4% of total annual global turnover or €20 million, whichever is the greater. So, had this case been determined under GDPR, the fine would likely have been far greater.
- Looking ahead, the ICO is currently looking into the practices of data-broking organisations and, in addition, it will be auditing the data-sharing practices of the UK’s main political parties. This serves as a reminder of the wide auditing powers that regulators like the ICO have under GDPR.
- Reputations can be hit. After the initial announcement of the ICO’s investigation a number of organisations said that they were reviewing their relationship with Emma’s Diary. In July, the Royal College of General Practitioners (a network of more than 52,000 family doctors) said that it had commissioned “an urgent report and legal advice” on its relationship with Emma’s Diary.
- Last but not least, it may be that compensation claims will follow for any distress that may have been caused. In the UK civil actions like this are on the increase and notable cases include the Home Office spreadsheet case (see here for our article about it: http://www.corderycompliance.com/uk-appeal-court-ruling-on-spreadsheet-data-breach-damages-case-2/), the Morrisons supermarket case (see here for our article and film about it: http://www.corderycompliance.com/client-alert-morrisons-data-breach-litigation-succeeds), and the Vidal-Hall/Google case (see here for our article about it: http://www.corderycompliance.com/vidal-hall-data-protection-class-action-appeal-settled/).
Note that it is not only GDPR that may need to be taken into consideration in matters concerning marketing, but also the E-Privacy rules (known as PECR in the UK). Be aware that the E-Privacy rules are in the process of being updated; for more on this please see our FAQs here: http://www.corderycompliance.com/proposed-eu-e-privacy-regulation/
We report about data protection issues, including breaches, here: http://www.corderycompliance.com/category/data-protection-privacy/. For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our EU Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. For more on Navigator please see here: http://www.corderycompliance.com/solutions/cordery-gdpr-navigator/
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
André Bywater
Office: +44 (0)207 075 1785
andre.bywater@corderycompliance.com
Jonathan Armstrong
Office: +44 (0)207 075 1784
jonathan.armstrong@corderycompliance.com