The Information Commissioner’s Office (ICO) has confirmed a monetary penalty of £140,000 for Lifecycle Marketing (Mother and Baby) Ltd, also known as Emma’s Diary, for illegally collecting and selling personal information belonging to more than one million people.
Confirmation of the fine comes a month after the ICO issued a notice of intent to take regulatory action against the data broking company, which provides advice on pregnancy and childcare, in an update about the ICO’s investigation into how personal information is used in modern political campaigns. The Emma’s Diary case formed part of that investigation, which began in March 2017.
In the same update, the ICO also revealed that it had found Facebook guilty of two contraventions of the UK Data Protection Act 1998, and that the social networking firm could be liable for a monetary penalty of up to £500,000 – the maximum allowed under that law.
The ICO update published in July set out how the ICO aims to stop personal data being used incorrectly in campaigns during future elections. The ICO also expressed concerns about what it called “invisible processing”, referring to “behind-the-scenes” algorithms, analysis, data matching and profiling that involve people’s personal information.
Publication of the update was aimed at meeting the ICO’s commitment to provide Parliament’s Digital, Culture, Media and Sport (DCMS) Select Committee with a progress update on the investigation to inform its work on “fake news”, which includes the use of personal information in political campaigns.
In confirming the monetary penalty against Emma’s Diary, the ICO said the company had sold personal information to Experian Marketing Services, a branch of the credit reference agency, specifically for use by the Labour Party. Experian then created a database which the party used to profile the new mums in the run-up to the 2017 General Election.
The Labour Party was then able to send targeted direct mail to mothers living in areas with marginal seats about its intention to protect Sure Start Children’s centres, the ICO said.
Information commissioner Elizabeth Denham said the relationship between data brokers, political parties and campaigns is complex.
“Even though this company was not directly involved in political campaigning, the democratic process must be transparent. All organisations involved in political campaigning must use personal information in ways that are transparent, lawful and understood by the UK public,” she said.
The ICO has put the UK’s 11 main political parties on notice to have their data-sharing practices audited later this year. The ICO also has outstanding enquiries with a number of data brokers, including Experian.
“The ICO is committed to monitoring data brokers, political parties and online platforms and using new audit and enforcement powers so that the public can have confidence that parties and political campaign groups are complying with the law,” said Denham.
The July update revealed that Facebook and Cambridge Analytica have been the focus of the investigation since evidence emerged that an app had been used to harvest the data of millions of Facebook users around the world.
The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.
However, Facebook has a chance to respond to the commissioner’s notice of intent to take action, after which a final decision will be made.
Facebook escaped a much greater fine because of the timing of the breaches, which meant the ICO was unable to levy the penalties under the EU’s General Data Protection Regulation (GDPR). The GDPR allows fines of up to €20m (£17m) or 4% of global turnover, which would have meant a potential fine of up to $1.6bn (£1.2bn) for the social media giant.
The ICO investigation, one of the largest of its kind by a data protection authority, remains ongoing. According to the Information Commissioner’s Office, the 40-strong investigation team is pursuing active lines of enquiry and reviewing a considerable amount of material retrieved from servers and equipment.
The next phase of the ICO’s work is expected to be concluded by the end of October 2018.