Any business that holds even the most minimal amount of personal data will surely by now have heard the words “€20,000,000 or 4% of worldwide annual turnover, whichever is higher”, being the maximum fine possible under the General Data Protection Regulation (“GDPR”). However, since the GDPR came into force on 25 May 2018, we are yet to see the Information Commissioner’s Office (“ICO”) truly flex its muscle and exercise its powers under the GDPR.
The ICO this week issued a timely reminder that failure to comply with data protection legislation can have serious consequences. Whilst it does not fall under the GDPR, by virtue of the offences occurring prior to 25 May 2018, the ICO’s decision to fine Bounty (UK) Limited (“Bounty”) £400,000 because of a serious contravention of the Data Protection Act 1998 (“DPA 1998”) should be a warning shot to any business who believes they can ignore data protection legislation.
Bounty’s main service is the provision of “Bounty Packs” (sample packs for the different stages of pregnancy and after birth) which are distributed to new parents. Bounty also provides a mobile app with a number of functions which include enabling expectant mothers to track their pregnancies. In operating this service, Bounty collected a large amount of personal data, some of which would be deemed “sensitive personal data” under the DPA 1998.
Separate to its primary function, Bounty also operated a data broking service, providing hosted marketing on behalf of third parties and, until 30 April 2018, it supplied data to third parties for the purpose of electronic marketing. This function resulted in Bounty sharing approximately 34.4 million records relating to over 14 million individuals with a number of organisations, including credit reference and marketing agencies between June 2017 and April 2018.
Basis for processing
Bounty believed that it could rely on having obtained the consent of data subjects to share their personal data with third parties, such as Acxiom, Equifax, Indicia and Sky, for the purposes of direct electronic marketing. However, as we will see below, the ICO found a number of issues with the consent obtained by Bounty.
69% of Bounty’s customer database had signed up to Bounty’s service using offline “claim cards”. These claim cards did not have a specific “opt in” to marketing option, instead saying that “While you are a member, we may share your information with a selected group of companies who also have services, free samples, offers and product information that may be of interest to you”. If an individual wished to sign up to Bounty’s service, they had no choice but to accept this marketing.
Consent – properly obtained?
Consent was not defined under the DPA 2018, but it has been interpreted by the courts by reference to the Data Protection Directive (95/46/EC) to mean “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
Under the GDPR, consent has been defined, and for consent to be properly given under GDPR, in addition to what was required under the DPA 2018, it must also be “unambiguous” and include “a statement or by a clear affirmative action”. Therefore the threshold for consent to have been correctly obtained has been increased by the GDPR.
The ICO found that the consents obtained by Bounty were not “specific” or “informed”, as required, given that the data subjects were not told that their data would be shared with Acxiom, Equifax, Indicia and Sky. In the case of the consents collected offline through the claim cards, the ICO concluded that these were not “freely given”, seeing as the data subjects had no choice but to give consent if they wished to use the service.
In the ICO’s written reasons, they suggested that the only other potentially applicable ground that Bounty could have relied on for processing the personal data could have been “legitimate interests”. However, Bounty did not seek to rely on this ground, and the ICO concluded that even if it had, it would have failed on this ground as well.
Given that Bounty’s transfer of personal data to third parties was found to be both unfair, and not on the basis of an applicable ground for processing, the ICO considered that a monetary penalty would be appropriate. Under the DPA 1998 the ICO had the power to issue monetary penalties up to a maximum of £500,000.
This ICO deemed the infringement by Bounty to be of a kind likely to cause “substantial damage or substantial distress”, as those involved would not wish for information about their pregnancy status or children being shared without their explicit consent. Additionally, the number of individuals affected by the actions taken by Bounty resulted in the cumulative impact clearly passing the threshold of “substantial” under the DPA 1998.
Having considered the above, the ICO took the decision to levy a fine on Bounty of £400,000, representing 80% of the maximum potential fine.
What does this mean?
Ironically, Bounty confirmed to the ICO at the beginning of its investigation that it had planned to change its marketing practices prior to the GDPR coming into force, as it was aware that its data sharing practices would not be compliant under GDPR. In the ICO’s judgment they note that, had Bounty considered its marketing practices earlier, it would have been aware that they contravened the DPA as well.
However, it is just as well that Bounty committed the offences under the DPA 1998 as opposed to the current regime, as the potential fines could be much greater if a similar offence was committed today given the increase in the maximum fines available.
With the standard for obtaining a valid consent being more onerous under the GDPR, this decision serves as a timely reminder that data protection legislation can bear teeth. Therefore, it is important for businesses to regularly consider which ground for processing they are relying on, and ensure that they have adequate policies and procedures in place for the purposes of demonstrating data protection compliance.
If this article raises any questions for you or your business, or you have any other data protection queries, please speak to our data protection experts by calling 01603 610911 or emailing email@example.com. For further information about the team please see here.
Note: The content of this article is for general information only and does not constitute legal advice. Specific legal advice should be taken in any specific circumstance.