Out-Law News 2 min. read
03 Nov 2017, 3:37 pm
Data protection law specialist Rachel Forbes of Pinsent Masons, the law firm behind Out-Law.com, said stricter rules on consent for the sharing of personal data and on its use for marketing purposes under the GDPR will pose a challenge for data brokers. The GDPR will apply from 25 May 2018.
Forbes was commenting after the UK's Information Commissioner's Office (ICO) issued an £80,000 fine to Verso Group (20-page / 2.58MB PDF) over "serious contraventions" by the company of its duty to process personal data fairly and lawfully under the Data Protection Act.
Verso failed to provide "sufficiently specific information" to people whose data it had obtained and sold on about the "companies to whom their personal data would be provided for direct marketing purposes", the ICO said. The company therefore failed to obtain valid consent from those individuals to the onward sale and subsequent use of their data for direct marketing purposes, the watchdog said.
The ICO said: "As regards personal data obtained by Verso itself …, Verso failed to provide the data subjects with sufficiently clear information about the companies to whom Verso intended to disclose their personal data for direct marketing purposes. Neither Verso's telephone call scripts nor its website provided sufficient clear information in this respect."
The watchdog said that "inadequate due diligence" by Verso of "contractual arrangements" with its data suppliers meant that the same failings applied in respect of the personal data the company had sourced externally. It criticised "the inadequate terms and conditions and privacy notices used by those suppliers" as well as Verso's "failure to take any other adequate steps to satisfy itself that data subjects had been provided with sufficiently specific information".
The fine issued by the ICO follows a wider investigation by the ICO into the data broking industry.
James Dipple-Johnstone, deputy commissioner for operations at the ICO, said: "We have concerns about the impact of invisible data processing on UK citizens and are currently looking at the data broking industry including how businesses trade and use personal data behind the scenes."
Rachel Forbes of Pinsent Masons said that the ICO's focus on the data broking industry could spur further penalties for non-compliant companies in the coming months.
The risk of fines will be greater under the GDPR and the proposed new e-Privacy Regulation, where "accountability and transparency" by businesses is at the heart of the legislation, she said.
"Many businesses view data as a commodity, able to be traded, without considering the implications to the individual who is the true owner of the personal data and that is exactly the type of behaviour the current and new legislation is designed to protect against," Forbes said.
"Post-GDPR, with a stricter definition of consent, the use by businesses of data obtained through lead generation and database sale will only become riskier, as it is unlikely that any consents obtained for sharing and/or marketing will be 'specific' enough. It will therefore be interesting to see what the future holds for data brokers and sellers of databases, when this stricter meaning of consent is introduced into statute," she said.
The ICO said that two businesses that Vervo had sold personal data to had themselves received fines for breaching rules on direct marketing under the existing e-Privacy regime. In one of the cases, the ICO fined lead generation firm Prodial £350,000 in respect of over 46 million automated nuisance calls it was responsible for. The company, the ICO said at the time, did not have valid consent from the recipients of those calls to engage in such marketing.
Forbes said the fines for the data buyers show that it is important for businesses buying databases or using brokers to ensure that the information they receive and go on to use has been collected in the right way.
"The ICO will clearly enforce against all parties at fault," Forbes said. "The commercial value of the data is also diminished if the individual has not consented to the data being shared and used in the way in which the business then goes on to use it."