The Information Commissioner’s Office plans to slap fines totalling £135,000 on Leave.EU and Brexiteer Arron Banks’ insurance biz Eldon for “serious” breaches of direct marketing laws.
According to the ICO, which has today published an update to its long-running political data investigation, both Leave.EU and Eldon Insurance’s parent firm GoSkippy played fast and loose with customer and subscriber email databases.
The news comes as Banks is facing a separate investigation by the National Crime Agency, after the Electoral Commission said there were "reasonable grounds" to believe that Banks was not the "true source" of the £8m funding given to Leave.EU.
In its latest report, the ICO noted that Leave.EU and Eldon share three directors, with a lot of crossover between employees – and evidence that some Eldon customers' data was accessed by Leave.EU staffers.
Indeed, in September 2015, a Leave.EU newsletter was sent to more than 319,000 email addresses on the Eldon database. Eldon claimed this was due to an error in the email distribution system and that it had been reported, but the ICO said it had no record of any such report and said it plans to fine Leave.EU £15,000 for the breach.
Meanwhile, the UK's data watchdog said it had found that more than a million emails promoting GoSkippy were sent to Leave.EU subscribers – who will have signed up to support the Brexit campaign – without their consent.
In August 2016, almost 50,000 Leave.EU supporters were sent an email with a GoSkippy sponsorship deal, while 1,069,852 emails were sent between February and July 2017 with GoSkippy banners that offered a discount for Leave.EU supporters.
Both firms have been told they are facing £60,000 fines for what were described as “serious breaches” of the law governing direct electronic marketing, under the Privacy and Electronic Communications Regulations (PECR).
However, the figures released by the ICO today represent not fines, but notices of intent to fine; this means the organisations have a chance to issue representations, which could lead to the fines being clipped.
The ICO came in for criticism for publicising a notice of intent to fine in the summer, when it released the interim report on political data manipulation and announced plans to whack a £500,000 fine on Facebook. In the end, Facebook was indeed served with the full amount.
Elsewhere in the report, the ICO said it investigated allegations that Leave.EU had been provided with data analytics services by Cambridge Analytica – the firm at the heart of the data-harvesting scandal that broke in April.
It found that there had only been preliminary discussions between the pair, with the relationship stalling after Leave.EU wasn't designated the official Leave campaign.
Leave.EU did consider creating a new organisation, called Big Data Dolphins, with the aim of collecting and analysing masses of data for political purposes – possibly with the University of Mississippi – but the ICO said there was no evidence the firm actually functioned.
The watchdog said it was still investigating the Remain campaign and how it handled personal data, including its use of the electoral roll, but didn’t hand out any fines.
However, it is probing reports that the Liberal Democrats had sold the personal data of its party members to Britain Stronger in Europe for £10,000.
The ICO reported the Lib Dems as saying it had worked with a third party group, which took subsets of the electoral register – which the party is entitled to access – and then “carried out a simple enhancement service”, which might mean adding available phone numbers.
“Both the Liberal Democrats and Open Britain denied that party members’ personal data had been sold. Instead, both confirmed that the In Campaign bought Electoral Register information from the Liberal Democrats,” the ICO said.
The watchdog said it was continuing to investigate the collection and sharing of personal data, and was looking at “possibly inadequate third party consents and the fair processing statements” used to collect data.
As for Cambridge Analytica and its parent company, SCL Group, the ICO said that if they weren’t in administration, it would have issued a “substantial fine for very serious breaches” of data protection laws.
The information commissioner Elizabeth Denham is giving evidence to the Digital, Culture, Media and Sport Committee this morning.
Commissioner Elizabeth Denham said in the initial part of the hearing there was a failure to keep the data held by the two firms separate, and that as well as the fines, the ICO was launching an audit to "look deeply into the policies and disregard to the separation of data".