ICO (UK) - ICO- Conservative Party Case

From GDPRhub
ICO (UK) - ICO- Conservative Party Case
LogoUK.png
Authority: ICO (UK)
Jurisdiction: United Kingdom
Relevant Law:
Privacy and Electronic Communications (EC Directive) Regulations 2003
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 03.06.2021
Fine: 10000 GBP
Parties: n/a
National Case Number/Name: ICO- Conservative Party Case
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: ICO (in EN)
Initial Contributor: Basil10

The UK DPA fined the Conservative Party £10,000 in relation to 1,190,281 direct marketing emails sent as a part of its Brexit campaign. In particular, the DPA held that the Conservative Party had not collected valid consent for the 51 emails sent to the complainants in violation of the PECR, which implements the e-Privacy Directive in the UK.

English Summary[edit | edit source]

Facts[edit | edit source]

The UK DPA (ICO) conducted an investigation regarding the marketing emails sent to people by the Conservative Party that promoted the party's political priorities in the context of Brexit. Although, 1,190,281 marketing emails were sent, ICO launched an investigation on the basis of complaints lodged by 51 people who didn't wish to receive the same. The Conservative Party was unable to prove the basis for sending the direct marketing mails under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) during the course of the investigation.

Dispute[edit | edit source]

Did the Conservative party violate Regulation 22 of the PECR by sending direct marketing emails to data subjects without their consent?

Holding[edit | edit source]

The ICO held the Conservative Party was liable for contravening Regulation 22 of the PECR since valid consent from the data subjects was not obtained for sending direct marketing emails. The ICO stated that the Conservative Party was unable to produce specific records of basis upon which the individuals had consented for receiving the marketing emails, as required by the PECR. It concluded that not all emails out of the 1,190,281 violated the PECR, however, the investigation showed that the party failed to obtain valid consent for sending the 51 emails received by the complainants.

Hence, the ICO imposed a fine of 10,000 GBP upon the Conservative Party for violating Regulation 22 of the PECR

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the English original. Please refer to the English original for more details.


        

    
        
            
    
        
                
                        About the ICO/
                
                
                        News and events/
                
                
                        News and blogs/
                
                
                        
                            Conservative Party fined £10,000 for sending unlawful emails
                        
                
        
    
                Conservative Party fined £10,000 for sending unlawful emails
            
            
                Share(Opens Share panel)
            
        

    Share this page
    
            Share via Reddit
            Share via LinkedIn
            Share via email
    



    
        
        
            
                        Date
                            03 June 2021
                        Type
                            News
            
        
    

    
        
            

        

                
            The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them.
It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party.
Stephen Eckersley, ICO Director of Investigations, said:

“The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.  
“All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.
“The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.”

The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails but the ICO has found that not all emails were in breach of PECR as it accepts it is likely that some of the emails will have been validly sent, but that it is not possible to identify what that proportion is.
The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.
While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019.
Mr Eckersley said:

“It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.”

ICO guidance clearly sets out the law around direct marketing emails. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals.
It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
Members of the public who believe they have been the victim of marketing emails, nuisance calls and texts are encouraged to report them to the ICO, get in touch via live chat or call the helpline on 0303 123 1113.
Notes to Editors

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:

marketing calls, emails, texts and faxes;
cookies (and similar technologies);
keeping communications services secure; and
customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.




The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

        

        
    

    
    
        
            
    
        
                
                        About the ICO/
                
                
                        News and events/
                
                
                        News and blogs/
                
                
                        
                            Conservative Party fined £10,000 for sending unlawful emails
                        
                
        
    
                Conservative Party fined £10,000 for sending unlawful emails
            
            
                Share(Opens Share panel)
            
        

    Share this page
    
            Share via Reddit
            Share via LinkedIn
            Share via email
    



    
        
        
            
                        Date
                            03 June 2021
                        Type
                            News
            
        
    

    
        
            

        

                
            The Information Commissioner’s Office (ICO) has fined the Conservative Party £10,000 for sending 51 marketing emails to people who did not want to receive them.
It follows an ICO investigation relating to emails sent from the Conservative Party in the name of Rt Hon Boris Johnson MP during the eight days in July 2019 after he was elected Prime Minister. The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservative Party.
Stephen Eckersley, ICO Director of Investigations, said:

“The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.  
“All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.
“The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.”

The ICO found the Conservative Party failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by law. Between 24 July and 31 July 2019, the party sent out a total of 1,190,280 marketing emails but the ICO has found that not all emails were in breach of PECR as it accepts it is likely that some of the emails will have been validly sent, but that it is not possible to identify what that proportion is.
The ICO concluded the party did not have the necessary valid consent for the 51 marketing emails received by the complainants. The party failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.
While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019. The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019.
Mr Eckersley said:

“It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.”

ICO guidance clearly sets out the law around direct marketing emails. Direct marketing is defined as any communication of advertising or marketing material directed at particular individuals.
It is against the law to send marketing emails to people unless consent has been freely given. This is contained in Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR).
Members of the public who believe they have been the victim of marketing emails, nuisance calls and texts are encouraged to report them to the ICO, get in touch via live chat or call the helpline on 0303 123 1113.
Notes to Editors

The Information Commissioner’s Office (ICO) upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO has specific responsibilities set out in the Data Protection Act 2018, the UK General Data Protection Regulation (GDPR), the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on:

marketing calls, emails, texts and faxes;
cookies (and similar technologies);
keeping communications services secure; and
customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.




The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000.
Civil Monetary Penalties (CMPs) are subject to a right of appeal to the (First-tier Tribunal) General Regulatory Chamber against the imposition of the monetary penalty and/or the amount of the penalty specified in the monetary penalty notice.
Any monetary penalty is paid into the Treasury’s Consolidated Fund and is not kept by the Information Commissioner’s Office (ICO).
To report a concern to the ICO telephone our helpline 0303 123 1113 or go to ico.org.uk/concerns.

        

        
    
EnglishCymraegEnglishCymraeg