ICO (UK) - ICO- Conservative Party Case
ICO (UK) - ICO- Conservative Party Case | |
---|---|
Authority: | ICO (UK) |
Jurisdiction: | United Kingdom |
Relevant Law: | Privacy and Electronic Communications (EC Directive) Regulations 2003 |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 03.06.2021 |
Fine: | 10000 GBP |
Parties: | n/a |
National Case Number/Name: | ICO- Conservative Party Case |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | ICO (in EN) |
Initial Contributor: | Basil10 |
The ICO fined the UK Conservative Party £10,000 regarding 1,190,281 direct marketing emails sent in the context of its Brexit campaign. In particular, the ICO held that the Conservative Party had not collected valid consent for the 51 emails sent to the complainants in the case in violation of the PECR, which implements the e-Privacy Directive in the UK.
English Summary
Facts
The ICO conducted an investigation regarding the marketing emails sent to people by the Conservative Party that promoted party's political priorities in the context of Brexit. Although, 1,190,281 marketing emails were sent, ICO launched an investigation on the basis of complaints lodged by 51 people who didn't wish to receive the same. The Conservative Party was unable to prove the basis for sending the direct marketing mails under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) during the course of the investigation.
Dispute
Did the Conservative party violate Regulation 22 of the PECR by sending direct marketing emails to data subjects without their consent?
Holding
The ICO held the Conservative Party liable for contravening Regulation 22 of the PECR since valid consent from the data subjects were not obtained for sending direct emails. The ICO stated that the Conservative Party was unable to produce specific records of basis upon which the people had consented for receiving the marketing emails, which is mandated by the law itself. It was concluded that not all emails out of the 1,190,281 violated the PECR, however, the investigation showed that the party did not obtain valid consent in the 51 emails received by the complainants.
Hence, a fine of 10,000 GBP was imposed upon the Conservative Party for violating Regulation 22 of the PECR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
About the ICO/ News and events/ News and blogs/ Conservative Party fined £10,000 for sending unlawful emails Conservative Party fined £10,000 for sending unlawful emails Share(Opens Share panel) Share this page Share via Reddit Share via LinkedIn Share via email Date 03 June 2021 Type News The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them. It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party. Stephen Eckersley, ICO Director of Investigations, said: “The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law. “All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply. “The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.” The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails but the ICO has found that not all emails were in breach of PECR as it accepts it is likely that some of the emails will have been validly sent, but that it is not possible to identify what that proportion is. The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider. While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019. Mr Eckersley said: “It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.” ICO guidance clearly sets out the law around direct marketing emails. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals. It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Members of the public who believe they have been the victim of marketing emails, nuisance calls and texts are encouraged to report them to the ICO, get in touch via live chat or call the helpline on 0303 123 1113. Notes to Editors The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings. The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO). To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns. About the ICO/ News and events/ News and blogs/ Conservative Party fined £10,000 for sending unlawful emails Conservative Party fined £10,000 for sending unlawful emails Share(Opens Share panel) Share this page Share via Reddit Share via LinkedIn Share via email Date 03 June 2021 Type News The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them. It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party. Stephen Eckersley, ICO Director of Investigations, said: “The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law. “All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply. “The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.” The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails but the ICO has found that not all emails were in breach of PECR as it accepts it is likely that some of the emails will have been validly sent, but that it is not possible to identify what that proportion is. The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider. While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019. Mr Eckersley said: “It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.” ICO guidance clearly sets out the law around direct marketing emails. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals. It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR). Members of the public who believe they have been the victim of marketing emails, nuisance calls and texts are encouraged to report them to the ICO, get in touch via live chat or call the helpline on 0303 123 1113. Notes to Editors The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on: marketing calls, emails, texts and faxes; cookies (and similar technologies); keeping communications services secure; and customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings. The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000. Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice. Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO). To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns. EnglishCymraegEnglishCymraeg