At the beginning of August 2018, the UK Information Commissioner (ICO) issued a fine of £140,000 to "Lifecycle Marketing (Mother and Baby) Ltd" or "LCMB", also known as "Emma's Diary", for the illegal collection and sale of personal data of more than 1 million people to a marketing company hired by a political party to provide support with its electoral campaign.

The case:

Emma's Diary is an online community and blog addressed to mums-to-be and new mums that provides expert advice on pregnancy and childcare. In May 2017 the company managing the website, LCMB, provided personal data of about 1,070,000 people to a marketing company called "Experian Marketing Services" or "Experian". Experian was itself a data processor for the Labour Party, which eventually used the personal data to perform a direct marketing mail campaign targeting the followers of Emma's Diary before the general elections held in June 2017. The same personal data were deleted from the database of Experian at the end of June 2017. The personal data were transferred by LCMB to Experian under a data transfer agreement that mentioned the Labour Party among the clients of Experian. The purpose of the data transfer under the contract was "use for postal information and insight". The personal data involved in this agreement included the name and contact details of the parent, information about the existence of children under 5 years old in the household and the date of birth of the children. LCMB obtained the personal data from the registration of the followers on the website of Emma's Diary, upon consent and under publication of a privacy policy which was not transparent to the data subjects about the transfer of personal data.

The ICO identified a breach of the Data Protection Act in the processing activity described above for different reasons. First of all, the disclosure of the personal data was unfair because the privacy policy of the website where the data subjects provided their personal data did not include all the information required by the transparency principle. Indeed, political parties were not mentioned in the list of data recipients included in the policy. Secondly, for the same reason, the data subjects could not provide consent for the disclosure of their personal data to marketing agencies for the purposes of political marketing, since they were not informed of this activity. Finally, the processing operation could not be legally based on the legitimate interest of the data controller (LCMB), since there was no adequate justification for LCMB to share those data with Experian and because the transfer of such personal data infringed on the legitimate expectations of the data subjects with regard to the protection of their data. Let's review the reasons for the fine in detail.

Breach of the fairness and transparency principles:

According to the fairness and transparency principles, the data controller is required to provide a set of information to the data subjects when it collects personal data. Such details include the purposes for which the data are being collected. The privacy policy of Emma's Diary, although pretty comprehensive, did not mention that the personal data collected would be shared with third parties for the purpose of facilitating marketing campaigns performed by political parties. LCMB failed to comply with those principles not only because of the lack of information provided, but also because such use of the data could not be identified as a use that the data subject would reasonably expect. Furthermore, LCMB did not have any relevant justification to perform the disclosure of such data, since its only interest was the monetary income (which of course does not override the personal data protection rights of the individuals).

Consent? Not checked! Legitimate interest? Neither…

As already remarked, the Emma's Diary website did provide a privacy policy informing the followers of the community, among other things, of the use of their personal data. Such information included the disclosure of the data to external companies for marketing purposes, and it actually provided a statement of "implied consent" through which data subjects would accept the use of their data as per the above-mentioned information. Nevertheless, as noted by the ICO, the purpose of political marketing was not listed in the policy; therefore, the consent could not be legally gathered, being in this case neither informed nor specific. Besides consent, a condition on which the disclosure of the personal data could have been legally founded is the legitimate interest of the data controller. In specific circumstances, the processing of personal data is founded on a legitimate interest of the data controller provided, as mentioned above, that some conditions are met. In its Opinion 06/2014 on the notion of legitimate interests of the data controller, the Art 29 Working Party (WP) provided guidance in order to assess if the interest pursued by the data controller justifies the processing of personal data for a specific purpose. The guidelines of the Art 29 WP provide clarifications on several aspects of this kind of assessment, starting from the concept of "interest" and specifying how the interest can be defined as legitimate. The same document provides guidance on how to carry out a balance test to verify if the processing activity can be founded on the legitimate interest legal ground. Such a balancing test takes into consideration the interest of the controller, the impact on the data subjects and any additional safeguards applied by the controller to prevent any undue consequence on the data subjects.
In this specific situation, the ICO determined that the balance test was not favourable to the data controller for a number of reasons, among which: the lack of any additional measure, such as information to the data subjects that their data would be shared for political purposes; the fact that the interest of the controller would not prevail over the rights of the data subjects (to have their personal data protected), because there was no benefit for the data subjects generated from the processing activity; the fact that the activity contravened the reasonable expectations of the data subjects; and finally, the fact that the activity may have caused a certain level of distress, since it involved the sphere of political affiliation. Other than that, there was another important consideration: personal data of children were also disclosed. As a result, the disclosure of personal data obtained from the followers of Emma's Diary by LCMB was not founded on consent, nor on legitimate interest, and was therefore illegal.

The fine from the DPA:

For the above reasons, and not only for those, the UK DPA decided to impose a monetary penalty on the data controller, as multiple factors contributed to the determination that the contravention was particularly serious. The DPA remarked that the disclosure of the data involved a high number of individuals, part of those being children, and that it was not contemplated under the description of data transfers within the privacy policy provided by Emma's Diary. Furthermore, the context in which the personal data were used could create distress to many data subjects, not only for the perceived loss of control of their personal data, but also because this involved a very private sphere (political views) liable to affect people's sense of identity and personal affiliations. Besides the above reasons, an aggravating action was remarked during the investigations: the privacy policy on the registration forms of the Emma's Diary website was changed in January 2018 by adding the mention "political party" to the list of the personal data recipients. This change reflected LCMB's clear awareness of the duties that were falling on it as a data controller and of its failure to comply with those duties. The total amount of the fine was calculated by the ICO taking into consideration the charges to the company and mitigating features, such as the limitation of the scope (the disclosure happened only one time) and the deletion of the personal data by Experian.

Conclusions:

Lifecycle Marketing (Mother and Baby) Ltd (LCMB), a marketing company managing a famous website addressed to mothers and future mothers, was fined by the UK DPA for selling the personal data of more than 1 million individuals without informing them that it might do so. The personal data were sold by LCMB to a marketing company that created a database to be shared with the Labour Party. The Labour Party used that database to send political marketing information to the data subjects before the UK general elections in 2017.

In order to implement the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data (the Directive), the UK Data Protection Act was applied. Both the Directive and the Act are now repealed, but they were in force when the breach was committed.

During the above-mentioned processing activity, the company LCMB contravened the first principle of data protection stated in Schedule A of the (UK) Data Protection Act 1998, which provides that personal data shall be processed fairly and lawfully and, specifically, under one of the conditions in Schedule 2. The conditions mentioned in Schedule 2 could be summarized as follows:

  • The consent from the data subject is obtained;
  • The processing of the personal data is necessary to perform a contract or a legal obligation (in both cases involving the data subject);
  • The processing of the personal data is necessary to protect a vital interest of the data subject;
  • The processing of the personal data is necessary for the pursuit of a legitimate interest by the data controller.

Interpretative provisions in Part II of Schedule 1 provide that, when assessing if a processing activity is fair and lawful, the following aspects should be considered: whether, when providing the personal data, any person was misled or deceived regarding the purpose of processing of those personal data; and whether, in case the data subject provided the data, all the information regarding (among other things) the purpose for which the data are to be processed was provided by the data controller.

With regard to consent, furthermore, Art 2 (h) of the Directive specifies that consent shall: “mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.

Monetary penalties are regulated by Section A of the Data Protection Act, which grants the ICO the power to impose fines on data controllers if: a breach of Section 4 (4) of the Data Protection Act is identified (contravention of the data protection principles); the breach was likely to cause substantial damage or distress; the contravention was deliberate and, in this case, if the data controller knew (or ought to have known) that there was a risk of contravention (and it failed to take any step to prevent it).

The potential conditions identified by the ICO for the disclosure of personal data by LCMB were the consent of the data subject or the legitimate interest of the data controller. Nevertheless, according to the Commissioner, neither of those two was valid: the consent was not legitimately collected, because data subjects were not informed about the processing of their personal data, and a legitimate interest of the controller would not be applicable (due to the failure of the balance test). Having seen the violations of the Act and having considered that the violation might cause damage or substantial distress, the ICO decided to impose a monetary penalty in proportion to the contravention and the circumstances.