The Information Commissioner’s Office (ICO) has issued fines to Leave.EU and Eldon Insurance, a business run by Leave.EU backer Arron Banks, for breaches of regulation 22 of the Privacy and Electronic Communications (EU Directive) Regulations 2003.
The fines follow an audit and preliminary enforcement notice issued in November 2018 as part of its investigation into data analytics for political purposes. That investigation found that Leave.EU and Eldon Insurance were closely linked and that systems for segregating the personal data of insurance customers from that of political subscribers were ineffective.
The background and reasoning behind the fines are set out in three monetary penalty notices.
Incident 1 involved using Leave.EU subscriber data to send out over 1m emails between February and July 2017 (long after the Referendum) promoting the Eldon Insurance GoSkippy brand. The notice says no complaints were received by Eldon (indeed, some recipients welcomed the discounts) and notes that Leave.EU did not think the emails were unsolicited, as subscribers had consented to receive information about other organisations’ products and services.
The Information Commissioner disagreed and also found that the soft opt-in exception available under regulation 22(3) did not apply either, partly because the goods and services being marketed were not similar to those of Leave.EU. However, the Commissioner did decide that the contravention was not deliberate, but that Leave.EU had failed to take reasonable steps to prevent the contraventions. In setting a fine of £45,000, the Commissioner took account of the fact that there had been no complaints.
Incident 2 related to over 300,00 emails sent by Leave.EU in September 2015 (before the Referendum) to Eldon Insurance customers. The reasoning for the decision and for the fines, set at £15,000, is broadly similar to incident 1, though the soft opt-in exception was even more distant, as subscribers had had no prior engagement with Leave.EU.
A separate monetary penalty notice against Eldon Insurance has also been published by the ICO.
Alongside the fines, the ICO audit team will now investigate data protection practices at the operations, covering how personal data is processed, what policies and procedures are in place and the training made available for staff. They will also interview key employees, including the directors, staff and their data protection officers.