The governing party of the U.K. has been fined £10,000 by the national data protection watchdog for sending spam.
The Information Commissioner’s Office (ICO) has sanctioned the Conservative Party following an investigation triggered by complaints from 51 recipients of unwanted marketing emails sent in the name of the prime minister, Boris Johnson.
The emails in question were sent during eight days in July 2019 after Johnson had been elected as Party leader (and also therefore became U.K. PM) — urging the recipients to click on a link that directed them to a website for joining the Conservative Party.
Direct marketing is regulated in the U.K. by PECR (the Privacy and Electronic Communications Regulations) — which requires senders to obtain individual consent to distribute digital marketing missives.
But the ICO’s investigation found that the Conservative Party lacked written policies addressing PECR and appeared to be operating under the misguided assumption that their “legitimate interests” overrode the legal requirements related to sending this type of direct marketing.
The Party had also switched bulk email provider — during which unsubscribe records were apparently lost. But ofc that’s not an excuse for breaking the law. (Indeed, record-keeping is a core requirement of U.K. data protection law, especially since the EU General Data Protection Regulation was transposed into national law back in 2018.) And the ICO found the Tories were unable to adequately explain what had gone wrong.
In another damning twist, the Conservative Party had been subject to what the ICO calls “detailed engagement” at the time it was spamming people.
This was a result of wider action by the regulator, looking into the ecosystem and ethics around online political ads in the wake of the Cambridge Analytica scandal — and the Party had already been warned of inadequate standards in its compliance with data protection and privacy law. But it went ahead and spammed people anyway.
So while “only” 51 complaints were received by the ICO from individual recipients of Boris Johnson’s spam, the ICO found the Tories could not fully demonstrate they had the proper consents for over a million (1,190,280) direct marketing emails sent between July 24 and 31 2019. (The ICO takes the view that at least 549,030 of those, which were sent to non-Party members, were “inherently likely” to have the same compliance issues as were identified with the emails sent to the 51 complainants.)
Moreover, the Party continued to have scant regard for the law as it spun up its spam engines ahead of the 2019 General Election — which saw Johnson gain a landslide majority of 80 seats in a winter ballot.
“During the course of the Commissioner’s investigation, the Party proceeded to engage in an industrial-scale direct marketing email exercise during the 2019 General Election campaign, sending nearly 23M emails,” the ICO notes. “This generated a further 95 complaints to the Commissioner, which are likely to have resulted from the Party’s failure to address the compliance issues identified in the Commissioner’s investigation into the July 2019 email campaign and the wider audit of the Party’s processing of personal data.”
Its report also chronicles “extensive delays” by the Conservative Party in responding to its requests for information and clarification — so while it was not found to have obstructed the investigation the regulator does write that its conduct “cannot be characterised as a mitigating factor”.
While the ICO penalty is an embarrassing slap for Boris Johnson’s Tories, a data audit of all the main U.K. political parties it put out last year spared no blushes — with all parties found wanting in how they handle and safeguard voter information.
However it’s only the Conservatives’ fast and loose attitude toward people’s data and privacy online that could have contributed to them being able to consolidate power at the last election.