Tories spanked by ICO after Boris fails to keep PECR up

The Information Commissioner’s Office might be under the cosh over its perceived lack of GDPR action but few could argue the regulator is not enforcing the law on electronic marketing, with the Conservative Party the latest organisation to be fined for unlawful emails.

The ruling follows an ICO investigation relating to emails sent by the Tories in the name of Boris Johnson during the eight days in July 2019 after he was elected Prime Minister.

The emails were addressed to the people they were sent to by name and promoted the party’s political priorities, with the last sentence including a link directing them to a website for joining the Conservatives.

However, the regulator found the party had failed to retain clear records of the basis upon which people had consented to receive marketing emails, as required by the Privacy & Electronic Communications Regulations (PECR).

Between July 24 and July 31 2019, the party sent out a total of 1,190,280 marketing emails; that much the ICO did know. But while some of the emails were sent with permission, the regulator admits it has not been able to determine what that proportion is.

Even so, the ICO concluded the party did not have the necessary valid consent for just 51 marketing emails received by the complainants and had failed to ensure records of those who had unsubscribed from its marketing emails were properly transferred when it changed email provider.

While the ICO was still investigating, the party engaged in an industrial-scale marketing email exercise during the December 2019 General Election campaign, sending nearly 23 million emails. This generated a further 95 complaints, which are likely to have resulted from the party’s failure to address the original compliance issues identified in July 2019.

The ICO had also identified these issues as part of a wider audit of the Conservative Party’s processing of personal data during summer 2019.

The regulator has slapped the Tories with a £10,000 fine, believed to be the first time a party which is in government has been fined for breaching data protection law.

ICO director of investigations Stephen Eckersley said: “The public have rights when it comes to how their personal data is used for marketing. Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.

“All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data. Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.

“The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.

“It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations.”
