Tag Archives: Telford Magistrates’ Court

Data Protection/Privacy Enforcement: July 2018

The summer period can often be a bit quitter than normal and that was certainly true in terms of the volume of data protection and privacy enforcement action published by the Information Commissioner’s Office (but not so much for me, which is why this month’s look at the previous month’s enforcement action is coming later in the month than usual). There were just three pieces of enforcement action published on the ICO’s website during the month of July: two monetary penalty notices and information relating to the prosecution of one business. The key points for this month’s blog post will not be unfamiliar to people who regularly read this feature.

Key Points

  • Remember that if you wish to directly market individuals by electronic mail (which includes SMS) then, unless you are able to avail yourself of the very limited “soft opt-in”, then you must have received (and be able to demonstrate that you have received) consent from the individual. The GDPR has not changed the rules around direct marketing by electronic means (or, indeed, by telephone). These forms of direct marketing continue to be governed by the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).
  • It is the responsibility of the person instigating direct marketing by electronic means to satisfy themselves that the campaign they are about to embark upon is lawful. Companies engaged in direct marketing campaigns where the data has come from a third party should undertake adequate checks to ensure that they can lawfully market to the intended recipients.
  • When sending out bulk E-mails it is important to ensure that proper procedures are in place and followed. Not placing the E-mail addresses into the “BCC” field is a fairly common error, which can be costly to an organisation (both in terms of the financial cost as well as reputation). If sending out bulk E-mails is going to be necessary, it may be worthwhile looking at investing in products and services which help to ensure that the personal data of the recipients is kept safe and secure.
  • It is important to ensure that data controllers comply with the terms of Information Notices served on them by the Commissioner. While it is no longer a criminal offence to fail to comply with an Information Notices (if it is served under the Data Protection Act 2018); the Commissioner can issue persons upon whom they are served with administrative fines should they fail to comply.
  • Notification is no longer required under the General Data Protection Regulation, but domestic law still requires data controllers (unless they fall into an exempt category) to pay a fee. The Commissioner has the power to issue a fixed penalty to controllers who have not paid a fee when they should have.

Enforcement action published during the month of July 2018

STS Commercial Limited
STS Commercial Limited, a welsh-based company, was served with a Monetary Penalty Notice in the sum of £60,000 [pdf] after it sent direct marketing by text message to over 270,000 people in contravention of Regulation 22 of PECR. The company was reliant upon consent which had been provided to a third party and carried out no due diligence of its own to ascertain that the consent met the requirements of PECR.

Independent Inquiry into Child Sex Abuse
The Independent Inquiry into Child Sex abuse was established by the Government to conduct an independent investigation into historic child sexual abuse. The Inquiry was served with a monetary penalty notice by the Information Commissioner in the amount of £200,000 [pdf] after it revealed the identities of abuse victims in a mass E-mail. The incident occurred after a member of the Inquiries staff entered the E-mail addresses of victims and survivors into the “to” field, instead of the “bcc” filed on more than one occasion. Each recipient of the E-mail therefore see the E-mail addresses of every other recipient, some of which contained the full name of the recipient (while others contained a partial name).

Prosecutions
Noble Design and Technology (based in Telford, Shropshire), was prosecuted by the Information Commissioner after it failed to comply with the terms of an Information Notice. The company had also failed to notify with the Information Commissioner, despite being required to do so. The company was convicted in its absence at Telford Magistrates’ Court and was fined £2,000 for failing to comply with an Information Notice. The company was also fined £2,500 for processing personal data without having notified (when it should have) and was also ordered to pay prosecution costs of £364.08 and a victim surcharge of £170.

Alistair Sloan

If you require advice and assistance in connection with any of the data protection/privacy issues above, or any other Information Law matter, please do contact Alistair Sloan on 0141 229 0880 or by sending him an E-mail directly.  You can also follow our dedicated information law twitter account.

Facebook, Fines and Enforcement: ICO investigation into political campaigning

In March the Commissioner executed a warrant under the Data Protection Act 1998, to much fanfare and press coverage, on Cambridge Analytica – the data analytics firm who had been involved in the election campaign by US President Donald Trump and who had allegedly undertaken work for Leave.EU in the 2016 referendum on whether the UL should remain a member of the European Union or not. At the same time the Information commissioner announced a much wider investigation into compliance with data protection and privacy laws in political campaigning.

The Information Commissioner has today published a report giving an update on that wider investigation [pdf]. There has been much fanfare around this report and in particular a suggestion that Facebook has been served with a Monetary Penalty Notice in the amount of £500,000. This would be big news; it may not be a large sum of money to Facebook, but £500,000 is the maximum that the Information commissioner can serve a Monetary Penalty Notice for under the Data Protection Act 1998.

However, it has become clear that Facebook has not been served with a Monetary Penalty Notice in the amount of £500,000. The first thing to note here is that the Data Protection Act 1998 still applies; the alleged breaches of data protection law that the Commissioner is concerned with pre-dated 25 May 2018 and therefore the powers under the General Data Protection Regulation (GDPR) do not apply. What has happened is that the Information Commissioner has served a “Notice of Intent” on Facebook indicating that the Commissioner intends on serving Facebook with a Monetary Penalty Notice in the amount of £500,000. This is the first stage in the process of serving a Monetary Penalty Notice, but it is by no means guaranteed that (a) a Monetary Penalty Notice will be issued; and (b) that it will be in the amount of £500,000.

Facebook will have the opportunity to make written representations to the Information Commissioner on various matters, including whether the statutory tests for serving a Monetary Penalty Notice have been met and on the amount of the Penalty. The Commissioner must take account of these representations when making a final decision on serving the Monetary Penalty Notice: not to do so would likely result in an appeal against the Notice to the First-Tier Tribunal (Information Rights), which could ultimately result in the Monetary Penalty Notice being reduced in amount or quashed altogether. If Facebook brings forward evidence to the Commissioner that means she can no longer make certain findings in fact that will have an impact on both her ability to serve the Monetary Penalty Notice and the amount of that notice.

It could be many more weeks, if not months before we know whether a Monetary Penalty Notice is in fact being served on Facebook and how much it is for. The Commissioner must serve the Monetary Penalty Notice on Facebook within six month of serving the Notice of Intent.

There are some other aspects of the Commissioner’s report that are worthy of some brief consideration. The Commissioner has announced that she is intending on prosecuting SCL Elections Limited. The information given by the Commissioner suggests that this prosecution is to be limited to one very specific issue: their failure to comply with an Enforcement Notice previously served on the company. The Enforcement Notice was served on the company after they failed to comply with a subject access request received by them from a US academic. The company was in administration when the Enforcement Notice was served and remains in administration today. The Information Commissioner is able to prosecute offences under the legislation it is responsible for enforcing in its own right; except in Scotland where it requires to report the matter to the Procurator Fiscal in the same way as every other law enforcement agency is required. How successful that prosecution will be and what benefit it will bring remains to be seen given that the company is in administration. Even if the company is successfully

We have also seen what appears to be the first piece of enforcement action taken under the Data Protection Act 2018 and the General data Protection Regulation.  The Commissioner has served an Enforcement Notice on the Canadian company, Aggregate IQ [pdf]. This amounts to what could be termed as a “stop processing notice” and it requires Aggregate IQ to, within 30 days, “cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising.”

Failure to comply with an Enforcement Notice under the Data Protection Act 2018 and the GDPR is not (unlike under the Data Protection Act 1998) a criminal offence; however, a failure to comply can result in an administrative fine of up to €20 million or 4% of global turnover (whichever is the greater). How successful the ICO will be at enforcing this enforcement notice, given that the company is located in Canada and appears to have no established base in the UK, or any other EU member state, remains to be seen.

Other investigations are still ongoing. The Commissioner appears to be continuing to investigate whether there was any unlawful data sharing between Leave.EU and Eldon Insurance. Investigations are also being undertaken into the main ‘Remain’ campaign in the EU referendum and also into all of the UK’s main political parties. It remains to be seen what will happen there.

The Commissioner’s report also informs us that the appeal by the United Kingdom Independence Party (UKIP) against an Information Notice previously served upon them has been dismissed. The First-Tier Tribunal (Information Rights) has not yet published a decision in that case on its website, but should it do so I shall endeavour to blog on that decision (especially given that there has never to my knowledge been an appeal to the Tribunal against an Information Notice). Failure to comply with an Information Notice is a criminal offence, and a company was recently fined £2,000 at Telford Magistrates’ Court for that very offence.

Alistair Sloan

If you require advice or assistance on a matter relating to data protection or privacy law then you can contact Alistair Sloan on 0141 229 0880 or send him an E-mail. You can also follow our twitter account dedicated to information law matters.