There has been a lot of ICO enforcement action to catch up on. Most of this action has been under the previous Data Protection Act 1998 (as it relates to data processing activities prior to the application of the GDPR). See article number 1 in my series in relation to GDPR enforcement action.
A few topical penalties for my maternity leave:
Emma’s Diary, which provides information to support pregnancy, birth and early motherhood, was issued with a monetary penalty of £140,000 in August 2018 for unlawfully collecting and selling personal data of over one million people. Emma’s Diary sold information for use in political campaigning, enabling the Labour party to profile and send marketing communications to mums in the run-up to the 2017 UK General Election. The ICO considered that Emma’s Diary was not sufficiently transparent, nor did it gain consent or satisfy another fair processing condition (now known as the legal basis for processing), and its actions exposed data subjects to potential distress.
Mumsnet, the online network for parents, posted on its website about a data breach in February 2019, where user account information may have been switched. Mumsnet reported that 4,000 user accounts were logged into during the relevant period, although not every account was affected.
Bounty, the pregnancy and parenting support club, was issued with a monetary penalty of £400,000 in April 2019 for unlawfully sharing personal data of over 14 million individuals with organisations such as credit reference and marketing agencies. The ICO considered that Bounty was not sufficiently transparent in relation to these activities, nor did it obtain valid consent or satisfy another fair processing condition (now known as the legal basis for processing), and its actions were likely to cause substantial distress to some data subjects.
I also have to mention the Facebook monetary penalty in October 2018 of £500k; this was the maximum penalty the ICO could impose under the previous data protection law. It related to the use of data analytics for political purposes. Facebook’s breaches included allowing application developers to access personal data without clear and informed consent, and failing to keep personal data secure. Data relating to up to 87 million people worldwide was harvested without their knowledge, some of which was shared for political campaigning purposes. Facebook then did not do enough to ensure remedial action was taken once the misuse of data was discovered. At least one million UK users were put at risk of further data misuse.
Olivia Whitcroft, principal of OBEP, 6 June 2019
This article provides general information on the subject matter and is not intended to be relied upon as legal advice. If you would like to discuss this topic, please contact Olivia Whitcroft using the contact details set out here: Contact Details