Leave.EU data breach: Why firms should take note of the Privacy and Electronic Communications Regulations

Alexander Edwards

The ongoing data breach scandal surrounding the Leave.EU campaign, financed by Arron Banks and one of his companies, Eldon Insurance (trading as GoSkippy), has drawn further attention to the way data are handled, particularly when they are used for political purposes. This comes just months after the Cambridge Analytica scandal, which blindsided the political establishments in both Britain and the United States.

The ICO recently issued notices of intent to fine both Leave.EU, the pro-Brexit campaign group, and Eldon Insurance (trading as GoSkippy) for serious breaches in the way they handled customers’ and subscribers’ data. In light of the ongoing public interest in data management and analytics used for political purposes, it is worth taking a closer look and identifying where the compliance failures occurred. This is of particular significance for firms because of the nature of the breach and the set of regulations that govern it, which firms and businesses often overlook when interacting with their customers.

The ICO issued the notices of intent to fine for two reasons: firstly, over one million emails containing marketing for GoSkippy were sent to Leave.EU subscribers without the subscribers’ consent; and secondly, a Leave.EU newsletter was sent to 319,000 GoSkippy subscribers. The ICO intends to fine both Leave.EU and Eldon Insurance (trading as GoSkippy) £60,000 for serious breaches of the Privacy and Electronic Communications Regulations 2003 (PECR), and a further £15,000 for Leave.EU for sending a Leave.EU newsletter to GoSkippy customers.

As a result of the actions taken in breach of PECR, the ICO has also issued a preliminary enforcement notice under the Data Protection Act 1998 to Eldon Insurance, which will require it to take specified steps to ensure compliance with Regulation 22 of PECR. An audit of Eldon Insurance will then follow to ensure that the required steps are being taken. If further wrongdoing is discovered during the audit, the ICO may well impose further fines.

It is important to stress that the ICO has not issued a monetary penalty notice, but a notice of intent. Only after the conclusion of the audit will the ICO make a final decision on whether to serve a monetary penalty notice, which should be made on or after 5 December 2018. As such, the ICO is at present ‘poised to fine’ Leave.EU and Eldon Insurance.

The violation

Regulation 22 of PECR governs the transmission of electronic communications to individual subscribers. Under the Regulation, a person may not send unsolicited direct marketing emails unless the recipient has previously notified the sender that he or she consents to receiving such communications. There are very limited circumstances in which the prior consent of the subscriber is not required – these are known as the “soft opt-in” exceptions, and they did not apply in this case.

Whilst the ICO did not believe that Leave.EU and Eldon Insurance deliberately contravened Regulation 22 of PECR, it was satisfied that the breaches were serious and that both Leave.EU and Eldon Insurance should reasonably have known that there was a risk of contravening Regulation 22 of PECR.

In its report, the ICO states that the fines are intended to “promote compliance with PECR,” given that unsolicited marketing email “is a matter of significant public concern,” particularly in the aftermath of the Cambridge Analytica scandal. The ICO’s intention in proposing the fines is, therefore, to act “as a general encouragement towards compliance with the law, or at least as a deterrent against non-compliance.”

It is also worth noting that, in determining the amount of the potential fines it intends to impose on Leave.EU and Eldon Insurance, the ICO took into account the fact that it had received no complaints about the contraventions.

Understanding the importance of PECR

The notices of intent to fine issued by the ICO highlight the need for firms to ensure that they are not only complying with data protection legislation but are also well aware of and compliant with their obligations under PECR.

The privacy rights under PECR enhance and sit alongside data protection legislation. When using electronic communications, particularly electronic marketing communications, it is not enough for firms to ensure compliance with the Data Protection Act and GDPR alone. PECR is of paramount importance when it comes to electronic marketing communications.

Firms must take steps to ensure compliance with PECR as well as data protection legislation when carrying out direct marketing by electronic means, and must take reasonable steps to prevent contraventions of PECR when doing so. The breaches of PECR by Leave.EU and Eldon Insurance highlight the cost of non-compliance even when the breach is not deliberate and no customer has complained about it. Businesses can very easily be blindsided by PECR breaches. Having robust processes for compliance with PECR alongside GDPR and the Data Protection Act is essential for maintaining customer trust and protecting a company’s hard-earned reputation.

Authored by Alexander Edwards