
Tories fined over email data protection breaches

The Conservative Party broke the law by failing to properly keep records of who had unsubscribed from its mailing list

The Information Commissioner’s Office (ICO) has issued a £10,000 fine to the Conservative Party for sending unsolicited marketing emails to 51 individuals who had unsubscribed from its mailing list, a section 22 breach of the Privacy and Electronic Communications Regulations (PECR) of 2003.

The emails were sent in the name of Boris Johnson shortly after he became prime minister in July 2019. They were addressed to recipients by name, laid out the party’s political agenda and included a link to join the party.

However, the ICO found that the party did not have the necessary valid consent for the emails received by the complainants, and had failed to ensure records of those who had unsubscribed from its marketing emails were correctly transferred when it changed email provider.

“The public have rights when it comes to how their personal data is used for marketing,” said the ICO’s director of investigations, Stephen Eckersley.

“Getting messages to potential voters is important in a healthy democracy but political parties must follow the law when doing so. The Conservative Party ought to have known this, but failed to comply with the law.

“All organisations – be they political parties, businesses or others – should give people clear information and choices about what is being done with their personal data,” he said. “Direct marketing laws are clear and it is the responsibility of all organisations to ensure they comply.

“The sending of nuisance marketing emails is a real concern to the public and the ICO will continue to take action where we find behaviour that puts people’s information rights at risk.”

The ICO said the Conservatives failed to retain clear records of the basis on which people had consented to receive its emails, as laid down in law. It added that the party sent out 1,190,280 marketing emails during eight days at the end of July 2019. The ICO accepts that some of these emails were valid, so not all of them were in breach of the PECR, although it has not been possible to identify what proportion was valid.

The Conservatives’ law-breaking was compounded by an “industrial-scale” marketing email exercise conducted during the investigation as part of the 2019 General Election campaign, during which it sent nearly 23 million emails and generated 95 additional complaints. The ICO said it believed these complaints resulted from the Conservatives’ failure to address the original compliance issues, which it had previously identified during an audit of how it processed personal data.

“It’s really concerning that such large scale processing occurred during the ICO’s ongoing investigation and before the Conservative Party had taken all the steps necessary to ensure that its processing, and database of people who would receive emails, was fully compliant with the data protection and electronic marketing regulations,” said Eckersley.

The ICO said its guidance clearly set out the law around direct marketing emails, defined as the communication of advertising or marketing material directed at particular individuals, and stressed it remains illegal to send such emails if consent has not been freely given. People who have received unsolicited marketing emails, or nuisance calls or texts, can report them online, or via telephone on 0303 123 1113.
