ICO Takes Action Against “Robo Calls” 

The Information Commissioner’s Office (ICO) has warned the public to be on their guard against unlawful “robo calls” – automated marketing calls designed to sound as though the recipient is talking to a human.  

The warning comes after the ICO fined two companies a total of £550,000 for making such calls. Home Improvement Marketing Ltd (HIM), based in Pembrokeshire, was fined £300,000 and issued with an enforcement notice. Green Spark Energy Ltd (GSE), based in Durham, was fined £250,000 and also issued with an enforcement notice. Both firms used avatar software, which gave call recipients the impression they were talking to ‘Jo, Helen or Ian’ from the UK; in fact the calls consisted of scripted lines recorded by voice actors and played by call agents abroad.

The rules for making automated calls are set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and are stricter than those for live calls. Automated marketing calls can only be made to people who have previously informed the caller that they consent to such communications being sent by, or at the instigation of, the caller. Consent must be freely given, specific and informed. The caller must also identify the organisation on whose behalf the call is made and give the recipient a way to contact it (an address or a freephone number). The ICO has published Direct Marketing Guidance for organisations, as well as advice to individuals about how to protect themselves and their loved ones from such calls.

The maximum fine for a breach of PECR is currently £500,000. When the new Data (Use and Access) Act 2025 comes fully into force, this will increase to UK GDPR levels, i.e. 4% of gross annual worldwide turnover or £17.5 million, whichever is higher.

These and other developments will be covered in our forthcoming GDPR Update course.  

General Election: Political Parties’ Personal Data Processing

As the UK heads into a General Election, understanding how political parties collect and use personal data is crucial for voters. The UK GDPR provides protections, in the form of data subject rights, but it is up to voters to exercise their rights and stay vigilant. By doing so, they can ensure their privacy is respected and contribute to a fair and transparent electoral process.

Both Labour and the Conservatives have recently been accused of breaching the UK GDPR. Last month we wrote about the Good Law Project’s challenge to the Tories’ “data harvesting” via its online tax calculator and a data breach exposed by Rachel Cunliffe, Associate Political Editor of the New Statesman. We also reported on a case where the Labour Party has been accused of failing to comply with a Subject Access Request from a Palestinian activist who was ejected by police from a fundraising event.

Data Collection Methods

Political parties utilise multiple methods to gather personal data about voters. These include:

  1. Electoral Registers: The most straightforward source of voter data is the electoral register, which provides the names and addresses of registered voters. Political parties have a legal right of access to the full electoral register, unlike commercial entities, which can only obtain the edited (open) version.
  2. Canvassing and Surveys: Traditional door-to-door canvassing and telephone surveys remain essential tools. Party volunteers and staff collect information directly from voters about their political preferences and concerns.
  3. Social Media and Online Platforms: Political parties increasingly rely on social media to gather data. Platforms like Facebook and Twitter provide rich data on user preferences, interactions, and behaviours. Parties use cookies and tracking pixels on their websites to collect additional data on visitors.
  4. Data Brokers: Political parties also purchase data from commercial brokers. These brokers aggregate data from various sources, providing detailed voter profiles that include demographic and behavioural information.

Data Processing and Usage

Once collected, this data is processed to create detailed voter profiles. The aim is to tailor political messages to specific segments of the electorate, enhancing the effectiveness of campaigns. Key techniques include:

  1. Profiling: Using algorithms and machine learning, parties analyse data to identify patterns and predict voting behaviour. This helps in segmenting the electorate into various categories based on age, gender, location, interests, and past voting patterns.
  2. Micro-targeting: With profiling, parties engage in micro-targeting, delivering highly personalised messages to small groups of voters. This could mean targeted social media ads, personalised emails, or direct mail tailored to specific concerns and preferences.
  3. Campaign Strategy: Data-driven insights influence overall campaign strategy, helping parties decide where to focus their resources. For example, identifying swing voters or areas with low voter turnout allows for more efficient campaign planning.

ICO Guidance

The ICO has long been concerned about how political parties use personal data. In July 2018 it published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties.

Last month, the ICO published a blog on handling personal information during the election campaign to ensure expectations around compliance with the law are clear. The blog sets out answers to some of the common questions that the ICO is asked during elections and explains what voters can expect from the ICO during the pre-election period. Last week, John Edwards, the Information Commissioner, also wrote to political parties reminding them of their data protection obligations.

This and other data protection developments will be discussed in detail on our forthcoming GDPR Update workshop.


A General Election! But what about the Data Protection Bill Mr Sunak?

So Rishi Sunak is finally calling a General Election!

We know what you’re thinking! What will happen to the Data Protection and Digital Information Bill, which was due to enter the Report stage in the House of Lords on 10th June?

We must admit we had to Google that one! To quote the Institute for Government:

“There are normally several days between an election being called and parliament being dissolved. During this period, parliament will continue until it is either dissolved or prorogued (and then dissolved) – whichever comes first. This period is known as ‘wash-up’.

Any parliamentary business not completed by the end of ‘wash-up’ will fall. This means any bills that have not already received Royal Assent will not enter into law and cannot be continued into the next parliament. This leads to a rush to rapidly pass legislation through parliament to get it onto the statute book, normally requiring cooperation between parties to agree which bills they will support through this expedited legislative process.

The length of ‘wash-up’ is decided by the prime minister and can vary. Since 1992, the longest wash-up period was in 2017, when parliament sat for a further seven days after the election was called.”

So, the Bill could be passed during “wash-up” if the political parties agree, although they may have other Bills to prioritise.

If it does not pass during wash-up, the next government could pick up the Bill (or, more likely, a new version), although it would have to start the full Parliamentary process again. Given that the Labour Party did not propose substantial amendments to the current Bill, this is a possibility (assuming they win, of course), though when this would happen is uncertain. DPOs will look forward to reading the parties’ General Election manifestos!

At the moment it seems that readers who have purchased the Act Now UK GDPR Handbook will not need to buy a new version!

DP Bill Set to be Passed by 23rd July 2024

The Data Protection and Digital Information Bill, which makes changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”), will enter the Report stage in the House of Lords on 10th June (scheduled for two days). Whilst amendments can still be made, none have been tabled so far.

The Bill as amended by the Grand Committee can be read here. The Keeling Schedules, showing changes to the UK GDPR, might be more useful, though they were published in March before the Grand Committee stage.

The Bill still needs to go through the Third Reading stage in the House of Lords, but it now seems very likely that it will receive Royal Assent before the Parliamentary Summer Recess begins on 23rd July 2024. Some of the provisions of the Bill will come into force as soon as it is passed. Most others will require regulations to bring them into force, which could also include a transition phase.

Next week Robert Bateman will be delivering our workshop: Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms.

DP Bill Moves Closer to Royal Assent

The Data Protection and Digital Information Bill has now completed the Grand Committee stage in the House of Lords. It will now enter Report stage in the House of Lords. Whilst amendments can still be made, the Bill as amended by the Grand Committee can be read here.

The Bill will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). The Keeling Schedules, showing changes to the UK GDPR, might be more useful, though they were published in March before the Grand Committee stage.

Barring an early General Election being called, the Bill is expected to receive Royal Assent before the Parliamentary Summer Recess begins on 23rd July 2024.

Learn more about the updated bill with our Data Protection and Digital Information Bill: Preparing for GDPR and PECR Reforms workshop.

Conservative Party Challenged Over “Data Harvesting” 

In the run up to the General Election this year, political parties in the UK will face the challenge of effectively communicating their message to voters whilst at the same time respecting voters’ privacy. In the past few years, all parties have been accused of riding roughshod over data protection laws in their attempts to convince voters that they ‘have a plan’ or that ‘the country needs change’.  

In May 2017, the Information Commissioner’s Office (ICO) announced that it was launching a formal investigation into the use of data analytics for political purposes after allegations were made about the ‘invisible processing’ of people’s personal data and the micro-targeting of political adverts during the EU Referendum. This culminated in a report to Parliament and enforcement action against Facebook, Emma’s Diary and some of the companies involved in the Vote Leave campaign.

In July 2018 the ICO published a report, Democracy Disrupted, which highlighted significant concerns about transparency around how people’s data was being used in political campaigning. The report revealed a complex ecosystem of digital campaigning with many actors. In 2019, the ICO issued assessment notices to seven political parties. It concluded: 

“The audits found some considerable areas for improvement in both transparency and lawfulness and we recommended several specific actions to bring the parties’ processing in compliance with data protection laws. In addition, we recommended that the parties implemented several appropriate technical and organisational measures to meet the requirements of accountability. Overall there was a limited level of assurance that processes and procedures were in place and were delivering data protection compliance.”

In June 2021, the Conservative Party was fined £10,000 for sending marketing emails to 51 people who did not want to receive them. The messages were sent in the name of Boris Johnson in the eight days after he became Prime Minister in breach of the Privacy and Electronic Communications Regulations 2003 (PECR).  

The Tax Calculator 

The Good Law Project (GLP), a not-for-profit campaign organisation, is now challenging one aspect of the Conservative Party’s data collection practices. The party’s website contains an online tool which allows an individual to calculate the effect on them of recent changes to National Insurance contributions. However, GLP claims this tool is “a simple data-harvesting exercise” which breaches UK data protection laws in a number of ways. It says that a visit to the website automatically leads to the placement of non-essential cookies (related to marketing, analytics and browser tracking) on the visitor’s machine without consent. If so, that would be a breach of Regulation 6 of PECR, which requires that non-essential cookies are not stored on a user’s device until the user has been given clear information and has consented. GLP also challenges the gathering and use of website visitors’ personal data on the site, claiming that (amongst other things) it is neither fair, lawful nor transparent and thus a breach of the UK GDPR.

Director of GLP, Jo Maugham, has taken the first formal step in legal proceedings against the Conservative Party. The full proposed claim is set out in the GLP’s Letter Before Action. The Conservative Party has issued a response arguing that they have acted lawfully and that: 

  • They did obtain consent for the placement of cookies. (GLP disagrees and has now made a 15-page complaint to the ICO.) 
  • They have agreed to change their privacy notice. (GLP is considering whether to ask the court to make a declaration of illegality, claiming that the Tories “have stated publicly that it was lawful while tacitly admitting in private that it is not.”) 
  • They have agreed to the request by GLP to stop processing Jo Maugham’s personal data where that processing reveals his political opinions.  

Following a subject access request, Mr Maugham received 1,384 pages of personal data held about him. GLP claim he is being profiled and believe that such profiling is unlawful. They have instructed barristers with a view to taking legal action.

This is one to watch. If the legal action goes ahead, the result will have implications for other political parties. In any event, in an election year, we are already seeing that all political parties’ data handling practices are going to be under the spotlight.

George Galloway

George Galloway’s landslide win in the Rochdale by-election last week has led to scrutiny of his party’s processing of Muslim voters’ data. In his blog post, Jon Baines discusses whether the Workers Party of Britain (led by Mr Galloway) has been processing Special Category Data in breach of the UK GDPR. In the run-up to the by-election, the party had sent different letters to constituents based, it seems, on their religion (or perhaps on a religion inferred from their name). If this is what it did then, even if the inference is wrong, the party has been processing Special Category Data, which requires an Article 9 condition in addition to an Article 6 lawful basis under the UK GDPR.

In 2022, the ICO issued a fine of £1,350,000 to Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers’ personal data to predict their medical conditions and then, without their consent, targeting them with health-related products. Following an appeal by Easylife, the ICO later reduced the fine to £250,000, but the legal basis of the decision still stands. Will the ICO investigate George Galloway?

The DP Bill

The Data Protection and Digital Information (No.2) Bill is currently in the Committee stage of the House of Lords. It will make changes to the UK GDPR, the Data Protection Act 2018 and Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”). Some of the changes will make it easier for political parties to use the personal data of voters and potential voters without the usual GDPR safeguards.
For example, political parties could in the future rely on “legitimate interests” (as an Article 6 lawful basis) to process personal data without the requirement to conduct a balancing test against the rights and freedoms of data subjects, where those legitimate interests are “recognised”. These include personal data processed for the purpose of “democratic engagement”. The Bill will also amend PECR so that political parties can rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest in the party.

As the General Election approaches, and with trust in politics and politicians at a low, all parties need to ensure that they are open, transparent and accountable about how they use voters’ data.  

Our workshop, How to do Marketing in Compliance with GDPR and PECR, is suitable for those advising political parties and any organisation which uses personal data to reach out to potential customers and service users. We have also just launched our new workshop, Understanding GDPR Accountability and Conducting Data Protection Audits.

Online Recruitment Firm Receives £130,000 PECR Fine

On 10th April 2023, the Information Commissioner’s Office (ICO) fined Join The Triboo Limited £130,000 for sending 107 million spam emails targeting jobseekers. The online recruitment firm was found to have breached the Privacy and Electronic Communications Regulations (PECR) by sending unsolicited emails to individuals without their consent.

PECR is a set of regulations which, amongst other things, governs the use of electronic communications (e.g. email, text messages and automated calling systems) for direct marketing purposes. In many cases the regulations require that individuals give their consent before receiving marketing messages, including messages about job vacancies. When it comes to email, businesses cannot send unsolicited marketing emails to individual subscribers unless they have obtained prior consent, or can rely on the narrow “soft opt-in” exception for their own existing customers.

The UK General Data Protection Regulation (GDPR), which also applies to electronic communications involving personal data, defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

This means that businesses must provide individuals with clear and concise information about what data they are collecting, how they will use it, and who they will share it with. Individuals must then be given the option to give their consent, and this consent must be freely given and specific to the intended processing activity. Businesses must also let individuals withdraw their consent at any time, and must be able to demonstrate when and how consent was obtained.

Join the Triboo Limited was found to have breached PECR by sending unsolicited emails to individuals without their consent. The emails were sent in bulk to individuals who had not signed up to receive job alerts from the firm, and the content of the emails did not provide individuals with clear and concise information about the firm’s processing activities.

Andy Curry, ICO Head of Investigations, said:

“It’s an issue many of us face – opening up our email inboxes and it being filled with emails we did not ask for or consent to. This shouldn’t just be considered a fact of life – it is against the law.

We provide advice and support to legitimate companies that want to comply with the law. Last year, we released updated direct marketing guidance to help those very businesses.

That is, however, not what was happening in this case. This company did not properly seek permission from the people it chose to bombard with spam emails. The company used job seeking websites as a key component in its unlawful campaign.

In taking this action, we say to the public that we will continue to be on your side and protect you, and we say to any other organisation operating outside of the law that we will pursue every case like this brought to us to the fullest extent.”

The ICO’s decision to fine this online recruitment firm serves as a reminder of the importance of complying with data protection laws. This will enable businesses to build trust with their customers and create a safer, more secure online environment for everyone.

Our forthcoming PECR and Marketing workshop will consider this and other developments in detail. 


Please call re ICO conference.

Working around the UK, we Act Now speakers sometimes get messages or emails from the office staff. If we can, we pick these up and follow them up at lunchtime, coffee breaks etc.

Last week I received one such message and it looked promising. (See the title of this post.) The ICO want to talk to me about their conference… is it the invitation I’ve been waiting for to address 500 colleagues on the Data Protection joke book from A to B? Is it an opportunity to run a workshop, or maybe they want us to advise them on something?

My flying fingers could scarcely contain a feverish frisson of excitement as I dialled the digits.

It wasn’t the ICO. It was a company which, to be truthful, did identify itself, but did so so quickly that I missed it (but I have their number). Some gentle introductory questions about why we attended, blah blah blah, then they got to the main course. Who do we speak to in your company about encryption solutions? Head of Procurement? IT Director?

I asked the obvious question and was told that they had obtained my name and corporate details from the documentation given out at the recent DPO conference in Manchester. And to the obvious follow-up question: yes, they were ringing delegates to offer them encryption solutions.

I ended the call using a well-known technique and started wondering. I wasn’t happy, but had they breached any laws or regulations? The DPA? Was it personal data? If it’s not personal data then all the Principle 6 rights disappear. Was it marketing? A section 11 issue? That again specifies personal data.

Aha. They used the telephone. Isn’t that covered by PECR? And PECR is about subscribers, not individuals. If we were registered with the corporate TPS they’d be committing an offence, wouldn’t they? Wouldn’t they?

What about the ICO? Should they have issued a list of delegates to all delegates? Was it not personal data at the outset, but did it become personal data once it was worked on by another data controller? What Schedule 2 condition applies to data collected at a conference and manipulated by the recipient for marketing and selling?

I remember the days when I spoke at conferences and the organisers would invite me to speak and also invite me to email their flyer to all my colleagues in the sector. In those days it was routine to list the email addresses of delegates in the conference documentation. Things have changed, but dodgy practice still exists.

Did anyone else get this call? Were any offences committed?