Data Protection Legislation Bears Teeth: Bounty (UK) Limited fined £400,000
Any business that holds even the most minimal amount of personal data will surely by now have heard the words “€20,000,000 or 4% of worldwide annual turnover, whichever is higher”, being the maximum fine possible under the General Data Protection Regulation (“GDPR”). However, since the GDPR came into force on 25 May 2018, we are yet to see the Information Commissioner’s Office (“ICO”) truly flex its muscle and exercise its powers under the GDPR.
The ICO this week issued a timely reminder that failure to comply with data protection legislation can have serious consequences. Whilst it does not fall under the GDPR, by virtue of the offences occurring prior to 25 May 2018, the ICO’s decision to fine Bounty (UK) Limited (“Bounty”) £400,000 for a serious contravention of the Data Protection Act 1998 (“DPA 1998”) should be a warning shot to any business that believes it can ignore data protection legislation.
Key facts
Bounty’s main service is the provision of “Bounty Packs” (sample packs for the different stages of pregnancy and after birth) which are distributed to new parents. Bounty also provides a mobile app with a number of functions which include enabling expectant mothers to track their pregnancies. In operating this service, Bounty collected a large amount of personal data, some of which would be deemed “sensitive personal data” under the DPA 1998.
Separate from its primary function, Bounty also operated a data broking service, providing hosted marketing on behalf of third parties and, until 30 April 2018, supplying data to third parties for the purpose of electronic marketing. Between June 2017 and April 2018, this function resulted in Bounty sharing approximately 34.4 million records relating to over 14 million individuals with a number of organisations, including credit reference and marketing agencies.
Basis for processing
Bounty believed that it could rely on having obtained the consent of data subjects to share their personal data with third parties, such as Acxiom, Equifax, Indicia and Sky, for the purposes of direct electronic marketing. However, as we will see below, the ICO found a number of issues with the consent obtained by Bounty.
69% of Bounty’s customer database had signed up to Bounty’s service using offline “claim cards”. These claim cards did not have a specific “opt in” to marketing option, instead saying that “While you are a member, we may share your information with a selected group of companies who also have services, free samples, offers and product information that may be of interest to you”. If an individual wished to sign up to Bounty’s service, they had no choice but to accept this marketing.
Furthermore, as the individuals who registered through the claim cards did so offline, they did not have access to Bounty’s privacy policy, available on its website, at the time they signed up. As such, the individuals were not informed about how their personal data may be used, which is a requirement under both the DPA 1998 and the GDPR.
Bounty’s argument was that it sent its Privacy Policy to the email address provided within “a very short period of registration”. The ICO rejected this point, however, saying that fair processing information should be provided at the point of collection, not afterwards (even where it is a short period afterwards).
The ICO also stated that, in addition to being provided late, Bounty’s Privacy Policy was deficient in that it did not give specific details of the organisations with whom personal data was to be shared (i.e. Acxiom, Equifax, Indicia and Sky).
The ICO considered that, in failing to provide an adequate Privacy Policy at the time the personal data was collected, Bounty had breached the “fairness” principle under the DPA 1998. This principle also required an organisation to consider an individual’s reasonable expectations as to how their personal data might be used. In this situation, the ICO was quite clear that a pregnant mother who registered with a pregnancy club would not reasonably expect her personal data to be shared with credit reference, marketing and profiling agencies.
Consent – properly obtained?
Consent was not defined under the DPA 1998, but it has been interpreted by the courts by reference to the Data Protection Directive (95/46/EC) to mean “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
Under the GDPR, consent is defined, and for consent to be properly given under the GDPR, in addition to what was required under the DPA 1998, it must also be “unambiguous” and be signified “by a statement or by a clear affirmative action”. Therefore, the threshold for consent to have been correctly obtained has been raised by the GDPR.
The ICO found that the consents obtained by Bounty were not “specific” or “informed”, as required, given that the data subjects were not told that their data would be shared with Acxiom, Equifax, Indicia and Sky. In the case of the consents collected offline through the claim cards, the ICO concluded that these were not “freely given”, seeing as the data subjects had no choice but to give consent if they wished to use the service.
In its written reasons, the ICO suggested that the only other potentially applicable ground that Bounty could have relied on for processing the personal data was “legitimate interests”. However, Bounty did not seek to rely on this ground, and the ICO concluded that even if it had, it would have failed on this ground as well.
Penalty
Given that Bounty’s transfer of personal data to third parties was found to be both unfair and not based on an applicable ground for processing, the ICO considered that a monetary penalty would be appropriate. Under the DPA 1998, the ICO had the power to issue monetary penalties up to a maximum of £500,000.
The ICO deemed the infringement by Bounty to be of a kind likely to cause “substantial damage or substantial distress”, as those involved would not wish for information about their pregnancy status or children to be shared without their explicit consent. Additionally, the number of individuals affected by Bounty’s actions meant that the cumulative impact clearly passed the threshold of “substantial” under the DPA 1998.
Having considered the above, the ICO took the decision to levy a fine on Bounty of £400,000, representing 80% of the maximum potential fine.
What does this mean?
Ironically, Bounty confirmed to the ICO at the beginning of its investigation that it had planned to change its marketing practices prior to the GDPR coming into force, as it was aware that its data sharing practices would not be compliant under the GDPR. In its judgment, the ICO notes that, had Bounty considered its marketing practices earlier, it would have been aware that they contravened the DPA 1998 as well.
However, it is just as well for Bounty that it committed the offences under the DPA 1998 rather than under the current regime, as the potential fines could be much greater if a similar offence were committed today, given the increase in the maximum fines available.
With the standard for obtaining a valid consent being more onerous under the GDPR, this decision serves as a timely reminder that data protection legislation can bear teeth. Therefore, it is important for businesses to regularly consider which ground for processing they are relying on, and ensure that they have adequate policies and procedures in place for the purposes of demonstrating data protection compliance.
If this article raises any questions for you or your business, or you have any other data protection queries, please speak to our data protection experts by calling 01603 610911 or emailing info@leathesprior.co.uk. For further information about the team please see here.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.