The Information Commissioner’s Office (ICO) has fined Leave.EU and Eldon Insurance a total of £120,000 after concluding that Leave.EU used personal data of Eldon Insurance customers to send up to 300,000 political marketing messages.
An investigation launched by the ICO last year has resulted in the conclusion that both Leave.EU and Eldon Insurance used personal data of each other's subscribers to send hundreds of thousands of direct marketing and political marketing messages without obtaining sufficient consent from targeted subscribers.
Customer data used for direct marketing messages: ICO
On these counts, the ICO fined Leave.EU £45,000 an Eldon Insurance £60,000, stating that the systems for segregating the personal data of insurance customers’ from that of political subscribers’ were ineffective. It also announced that an audit team will soon analyse the data protection practices of both firms and its findings will be made public at the conclusion of its work. Leave.EU was separately fined £15,000 for sending almost 300,000 political marketing messages to Eldon Insurance subscribers.
These fines were issued under the Privacy and Electronic Communications Regulations 2003 which authorises the ICO to issue fines of up to £500,000. As the said violation took place prior to the arrival of GDPR, both firms may have escaped much larger fines for accessing personal data of citizens unlawfully.
"It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes; and vice versa. It should never have happened. We have been told both organisations have made improvements and learned from these events. But the ICO will now audit the organisations to determine how they are using customers’ personal information," said Information Commissioner Elizabeth Denham.
Brexit campaigners regularly violating data privacy laws
Last year, the ICO had also issued an enforcement notice to a data analytics firm named AggregateIQ for harvesting personal data of UK citizens for political campaigning purposes "without due legal or ethical consideration of the impacts to our democratic system".
The ICO noted that AggregateIQ processed data of UK citizens on behalf of political organisations such as Vote Leave, BeLeave, Veterans for Britain, and the DUP Vote to Leave and that it used personal data obtained from these political organisations to target individuals with political advertising messages on social media.
According to BBC, AggregateIQ "was paid nearly £2.7m ($3.6m) by Vote Leave to target ads at prospective voters during the Brexit referendum campaign". It also received funding from Northern Ireland's Democratic Unionist Party and Veterans for Britain, receiving £3.5m in total.
Because of such conduct, the ICO ruled that AggregateIQ has failed to comply with the relevant provisions of GDPR as it processed personal data of UK citizens in a way that data subjects were not aware of, for purposes which they would not have expected, and without a lawful basis for that processing.