Making Their Lives Harder: Easy Life ICO Enforcement
Easy Life Limited is a catalogue retailer that boasts ‘secure systems’ and describes itself as a ‘trusted’ retailer. However, the UK Information Commissioner (‘ICO’) has fined the retailer £1.48 million for breaching both data protection and electronic marketing laws. The monetary penalty covers both breaches: the majority of the fine (£1.35 million) was imposed under GDPR for using the personal information of 145,400 customers to predict their medical conditions and target them with health-related products without their consent. The additional £130,000 relates to making 1,345,732 predatory direct marketing calls.
The ICO investigation found that when a customer purchased a product from Easy Life’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent. For example, if a person bought a jar opener or a dinner tray, Easy Life would use that purchase data to assume that person has arthritis and then call the individual to market glucosamine joint patches.
The ICO found that significant profiling of customers and ‘invisible’ processing of health data took place. It is ‘invisible’ because people were unaware that the company was collecting and using their personal data for that purpose. This is against data protection law and undermines the principle of transparency (Article 5(1)(a): lawfulness, fairness and transparency).
In processing this ‘invisible’ health data, Easy Life was inadvertently collecting special categories of personal data, which include data on health, ethnicity and beliefs. When collecting any data under UK GDPR, you must be able to justify its collection and the purpose for which it is used. Here, in profiling customers, it was not even clear that this data was being collected, let alone that there was a viable reason for it under GDPR (breaching Article 9 of UK GDPR).
Additionally, the fact that this data is invisible would suggest that Easy Life have failed to be transparent when collecting data on their customers – defeating the purpose of GDPR.
Organisations should be clear when marketing their products and services. They should also be transparent about the type of data they are processing and for what purpose. This helps ensure that customers are not profiled by the company and minimises nuisance calls.
This is a prime example of the difference between GDPR and the Privacy and Electronic Communications Regulations (PECR), highlighted by two separate monetary penalties imposed on the same company. The enforcement here shows that the ICO is not afraid to impose fines to demonstrate that the behaviour of organisations such as Easy Life is not condoned but, in fact, cracked down on.