Confirmation of the fine comes a month after the ICO issued a notice of intent to take regulatory action against the data broking company, which provides advice on pregnancy and childcare, in an update about the ICO’s investigation into how personal information is used in modern political campaigns. The Emma’s Diary case formed part of that investigation, which began in March 2017.
In the same update, the ICO also revealed that it had found Facebook guilty of two contraventions of the UK Data Protection Act 1998, and that the social networking firm could be liable for a monetary penalty of up to £500,000 – the maximum allowed under that law.
The ICO update published in July set out how the ICO aims to stop personal data being used incorrectly in campaigns during future elections. The ICO also expressed concerns about what it called “invisible processing” referring to “behind-the-scenes” algorithms, analysis, data matching and profiling that involves people’s personal information.
Publication of the update was aimed at meeting the ICO’s commitment to provide Parliament’s Digital Culture Media and Sport (DCMS) Select Committee with a progress update on the investigation for the purposes of informing their work on “fake news”, which includes use of personal information in political campaigns.
In confirming the monetary penalty against Emma’s Diary, the ICO said the company had sold personal information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run-up to the 2017 General Election.
The Labour Party was then able to send targeted direct mail to mothers living in areas with marginal seats about its intention to protect Sure Start Children’s centres, the ICO said.
The ICO investigation also found that Emma’s Diary’s privacy policy did not disclose that the personal information given would be used for political marketing or by political parties, which is a breach of the Data Protection Act 1998.
Data-sharing audits
Information commissioner Elizabeth Denham said the relationship between data brokers, political parties and campaigns is complex.
“Even though this company was not directly involved in political campaigning, the democratic process must be transparent. All organisations involved in political campaigning must use personal information in ways that are transparent, lawful and understood by the UK public,” she said.
The ICO has put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year. The ICO also has outstanding enquiries with a number of data brokers, including Experian
The ICO has put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year. The ICO also has outstanding enquiries with a number of data brokers, including Experian.
“The ICO is committed to monitoring data brokers, political parties and online platforms and using new audit and enforcement powers so that the public can have confidence that parties and political campaign groups are complying with the law,” said Denham.
The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.
However, Facebook has a chance to respond to the commissioner’s notice of intent to take action, after which a final decision will be made.
Facebook escaped a much greater fine because of the timing of the breaches, which meant the ICO was unable to levy the penalties under the EU’s General Data Protection Regulation (GDPR), which allows fines of up to €20m (£17m) or 4% of global turnover, which would have meant a potential fine of up to $1.6bn (£1.2bn) for the social media giant.
The ICO investigation, one of the largest of its kind by a data protection authority, remains ongoing. According to the Information Commissioner’s Office, the 40-strong investigation team is pursuing active lines of enquiry and reviewing a considerable amount of material retrieved from servers and equipment.
The next phase of the ICO’s work is expected to be concluded by the end of October 2018.
