Elizabeth Denham, the Information Commissioner, was in the headlines last week after announcing her intention to impose a record fine of £½ million on Facebook and launching her report on “Democracy Disrupted? Personal Information and Political Influence”, a wide-ranging and detailed investigation into the complex world of gathering and using personal data for political campaigning. If nothing else, the investigation, the report and the resulting actions show that these days the ICO not only has the resources and skills to conduct major investigations but is also not afraid to challenge established practices and take on major players where it believes individual privacy is being compromised. It is also noteworthy that the ICO’s conclusions were based largely on the law under the old EU Data Protection Directive and that the proposed fine for Facebook is therefore the maximum allowed under the law at the time.
Most businesses are not in the same league as Facebook either when it comes to the extent of personal data that they control or to the public profile that they enjoy. Nor are they involved in political campaigning. So what lessons can they learn beyond a realisation that UK data protection law is now not only backed up by potentially high penalties under the GDPR but also by a regulator with the willingness, resources and powers to step in decisively, however difficult the going might be, when she and the public see that data privacy is at significant risk?
The main lesson must be around the importance of transparency, particularly given the enhanced privacy notice requirements under the GDPR. As the ICO’s report says, “One of the most crucial findings … was a significant shortfall in transparency and provision of fair processing information.” In particular, the business trading as Emma’s Diary, which had no direct involvement in political campaigning itself, is in line for a fine of £140k because it was found to have sold the personal data of one million individuals to the Labour Party for use in its election campaigning without informing those individuals that it might do so. This is despite Emma’s Diary having a privacy notice in place that referred to it making individuals’ personal details available to third parties and to the range of business sectors with which Emma’s Diary worked. There is clearly an expectation now from the ICO that businesses must spell out in no uncertain terms to whom and for what purposes they might be passing individuals’ personal information on to others. There must be no surprises for the customer, and simply referring to “marketing” or “partner organisations” is unlikely to be good enough. There is also an implication that those who pass on personal data through data brokers or aggregators or, in the online world, through ad serving networks, must take active steps to ensure that any use of the data they have passed on remains in line with the uses described in their privacy policies at the time the data were gathered.
There are also some further lessons which confirm the ICO’s approach in this area:
- Inferred information about an individual is nevertheless likely to be considered personal data about that individual even if it might not be true. “… the ICO’s view is that as this information is based on assumptions about individuals’ interests and preferences and can be attributed to specific individuals, then it is personal information and the requirements of data protection law apply to it.”
- Collection and use of publicly available information from sources such as the Electoral Register is not excluded from data protection transparency requirements just because the information is publicly available. “Even where a party got the personal information from publicly available sources, they must still provide a privacy notice to individuals.”
- When buying in personal data for marketing, it generally won’t be good enough simply to rely on assurances from the data supplier as to how the information was obtained and what it can be used for. “… if political parties obtain personal information from data brokers, they must carry out full due diligence to satisfy themselves the data has been obtained lawfully, and that individuals are aware of how their data will be used and to which organisations it will be passed”. The ICO goes on to say that, “The decision and due diligence must be fully audited”, although perhaps here they really mean “auditable” rather than necessarily audited.
- Data Protection Impact Assessments (DPIAs), even if not legally required, are important in minimising privacy risks and ensuring that any remaining risks are justified. “… you should undertake a DPIA in order to consider the broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage.”
- Transparency and choice, although sometimes challenging to achieve in a complex ecosystem, are no less important in the context of online tracking and profiling than in the context of other marketing methods. “The ICO will work … to ensure that online platforms comply with the GDPR, that users understand how personal information is processed in the targeted advertising model and that effective controls are available. This includes greater transparency in relation to the privacy settings, and the design and prominence of privacy notices.”
Interestingly, but perhaps not surprisingly given its focus on the political process, the report also mentions ethics and calls for an “ethical pause” to allow key players to reflect on their responsibilities in respect of their use of personal information in the era of big data before there is a greater expansion in the use of new technologies. Ethical questions around truthfulness, fairness, respect, bias and maintenance of public trust that go beyond mere compliance with the law are clearly gaining traction in the context of personal data processing, especially when big data and analytics are involved. It is therefore notable that Elizabeth Denham makes clear that, in her view, any debate on the subject is as relevant in the commercial sector as it is elsewhere.
The focus of her report might be on political and democratic processes but there is much here that will be of interest to anyone working in behavioural marketing, ad serving, micro targeting, data aggregation and broking, data analytics or similar fields.