The ICO issues reprimands, fines and updated guidance

What happened

• In November 2022, the ICO announced that it had completed its investigation into the sharing of personal data stored on the Learning Records Service (LRS) database, for which the Department for Education (DfE) is the data controller.
• The LRS contains 28 million records covering personal and special category data, some of these relating to children.
• The DfE failed to protect against the unauthorised processing by third parties of the data held on the LRS database for reasons other than the provision of educational services.
• Data subjects were unaware of the processing and could not object to or withdraw from this processing.
• The DfE failed to ensure the confidentiality of the personal data held on the LRS database and did not exercise appropriate oversight to protect against its unauthorised processing.

Why it matters

• There is an opportunity for other organisations to learn from such cases.
• In the light of Article 5(1)(a), the DfE failed to process personal data fairly, lawfully and transparently as the personal data was shared with third parties and further processed without an appropriate lawful basis and without the data subject being aware.
• In the light of Article 5(1)(f), which requires personal data to be processed in a manner that ensures appropriate security, the DfE did not implement adequate measures to prevent unauthorised or unlawful access to the LRS data.
• Accordingly, the ICO considered issuing a fine of over £10 million, which would have been considered effective, proportionate, and dissuasive in the circumstances. However, a reprimand was issued instead in line with the ICO’s revised approach to the public sector and its heightened focus on the impact and outcomes.
• In arriving at its decision, the ICO took into consideration the steps already taken by the DfE to implement more stringent checks and controls during the investigation and in response to an audit.
• Full details of the reprimand are available here.

What happened

• Ryan Hill Partners was fined £70,000 and Monetise Media Limited was fined £125,000 for sending texts and emails to individuals who had not subscribed to their services.
• Between 28 July 2020 and 28 July 2021, Monetise Media Limited engaged in the transmission of a total of 3,506,157 direct marketing emails and text messages. These subscribers had not provided valid consent, contrary to regulation 22 of PECR.
• Between 1 September 2019 and 30 November 2020, Ryan Hill Partners sent 463,360 SMS messages, of which 409,468 were delivered. These were unsolicited direct marketing messages sent to subscribers who had not consented to receive them, contrary to regulations 22 of PECR.
• Furthermore, Ryan Hill Partners contravened regulation 23 PECR because they attempted to conceal their identity and were not identified in the SMS communications sent to subscribers.
• Hundreds of complaints were received about both companies, prompting regulatory action.

Why it matters

• To ensure a level playing field, the ICO is determined to take appropriate enforcement action and will not tolerate organisations that do not abide by the rules.
• These cases underline the following points:
  • For consent to be valid, it needs to be freely given. If consent to marketing is a condition of subscribing to a service, the organisation must demonstrate how the consent can be said to have been given freely.
  • Consent is also required to be specific regarding the type of marketing communication to be received and the organisation, or specific type of organisation, that will be sending it.
  • Consent will not be deemed “informed” if individuals do not understand what they are consenting to. Organisations should always ensure that the language is clear, easy to understand, and not hidden in a privacy policy or small print.
  • Consent will not be considered valid if individuals are asked to agree to receive marketing from “similar organisations”, “partners”, “selected third parties”, or other similar generic descriptions.
• Full details of these enforcement actions are available here.

What happened

• Following on from its draft code of practice on direct marketing, the ICO published its updated guidance on direct marketing as provided for in the Privacy and Electronic Communications Regulations 2003 (as amended) (“PECR”).
• PECR sits alongside the UK GDPR and Data Protection Act 2018 and sets out restrictions on the electronic marketing activities that businesses can carry out.

Why it matters

• Direct marketing is vital in helping many organisations achieve their objectives. It can add value to the customer experience, making people aware of new products and services that they may benefit from and giving them opportunities to participate in events or learn about important causes.
• When conducted responsibly, direct marketing can also increase trust and confidence in the brand or organisation.
• However, when organisations do not get things right, direct marketing can cause nuisance, anxiety, or other harm.
• The benefits for organisations in following the guidance include:
  • greater trust in the organisation by the public and customers in how it uses people’s information for direct marketing purposes;
  • greater confidence within the organisation that they are engaging in direct marketing responsibly and in a way that complies with the law;
  • economic benefits from effective, responsible direct marketing; and
  • better protection for people from unwanted or nuisance marketing.
• It is essential to get direct marketing right to achieve these benefits. Bombarding customers with direct marketing messages they do not want can alienate them, damage relationships, and harm them.
• Organisations that do not follow this guidance may find it more challenging to prove that their direct marketing complies with data protection law and PECR.
• The ICO can take action against organisations that send direct marketing or use personal information in a way that infringes the UK GDPR, DPA 2018 or PECR
• It is worth noting that over 90% of fines imposed by the ICO in recent times have been for breaches of PECR.
• The complete guidance is available here.

What happened

• The European Commission published a draft adequacy decision to enhance and replace its 2016 adequacy decision for the EU-US Privacy Shield framework which was invalidated by the Schrems II decision of the Court of Justice of the European Union (CJEU).
• The Commission has submitted the draft decision to the European Data Protection Board (EDPB) for its opinion. In parallel, the European Parliament has a right of scrutiny and comment.
• EU and US officials are confident that the new draft addresses the CJEU’s concerns raised in the Schrems II case, particularly concerning the necessity and proportionality of US surveillance activities.
• The next step would be the approval by a committee composed of EU Member State representatives.  If it passes the hurdles, the draft is due for adoption by July 2023.

Why it matters

• Once the new adequacy decision has been adopted, the DPF would replace the Privacy Shield and aim to guarantee a level of protection equivalent to that in the EU.
• US entities that sign up to processing personal data under the DPF would no longer need to sign Standard Contractual Clauses or conduct Transfer Impact Assessments on a case-by-case basis for personal data transfers from the EU to the US.
• However, potential challenges of the proposed EU-US Data Privacy Framework (DPF) should not be excluded.
• The full draft adequacy decision is available here.