Data Controllers Beware

December 23, 2015

On 14 October 2015, the Information Commissioner issued a £130,000 monetary penalty notice to an online business that failed to provide customers with clear information about, or an opt-out from, third-party data sharing. This was the first time the ICO had issued a monetary penalty for breach of the first data protection principle of the Data Protection Act, sending a clear message to data controllers that such information and/or opt-outs should not be buried deep within terms and conditions and/or privacy policies.

It also appears businesses in breach may face the risk of substantial group litigation.

The Background

Pharmacy2U, an NHS approved online pharmacy, was offering delivered prescription services and online medical consultations with GPs. The registration form for the website collected basic patient information: name, sex, date of birth, postal address, phone number and email. There was also a checkbox to un-tick if you did not want to receive marketing emails from Pharmacy2U, and the statement ‘by clicking continue you agree to our terms and conditions’. This would seem to be a run-of-the-mill registration form.

The terms and conditions in turn referred to the company’s privacy policy, which stated: 

‘Occasionally we make details available to companies whose products or services we think may interest our customers. If you do not wish to receive such offers please login to your account and change the setting to indicate ‘No’ for ‘Selected company data sharing.’ 

The company’s data list of nearly 113,000 customers was advertised by Pharmacy2U to third parties, along with a list of customers’ common ailments and conditions. Selections could be made on several criteria, including: donor status, age, sex and how recently they made an order. Subsets of data (altogether relating to 21,500 customers) were sold to three organisations: a supplement company, an Australian lottery company and a charity that managed communities for people with disabilities. All of these sales were approved by Pharmacy2U’s senior management. To make matters worse: 

- the supplement company had been issued an adjudication by the Advertising Standards Authority (ASA) for misleading advertising and unauthorised health claims (although Pharmacy2U may not have had knowledge of this);

- the lottery company advert selectively targeted people over the age of 70, alleging the customer had been ‘specially selected’ to ‘win millions of dollars’, in exchange for personal details and payments (and was, perhaps unsurprisingly, the subject of fraud and money laundering investigations, unbeknown to Pharmacy2U); and

- the charity was requesting donations from those listed as ‘active donors’.

It is not unreasonable to describe the types of communication generated by these organisations as spam, made all the worse by this being facilitated (through sale of customer data) by a company that describes itself as ‘discreet and confidential’ and that is registered with the General Pharmaceutical Council and Care Quality Commission. However, the Commissioner’s reasoning should make all businesses with similarly ‘hidden’ terms think twice about the way they present information and/or opt-outs when collecting data.

The basis for action by the ICO 

In order to issue a monetary penalty, the Commissioner must, under the Data Protection Act 1998, s 55A, find that: 

- there was a serious contravention of s 4(4) of the DPA by the data controller;

- the contravention was of a kind likely to cause substantial damage or distress; and

- either:

  - the contravention was deliberate, or

  - the data controller knew or ought to have known that there was a risk of contravention and that the same would be of a kind likely to cause substantial damage or distress, but failed to take reasonable steps to prevent the contravention.

These conditions may seem like high hurdles for the Commissioner to jump, but he did so with surprising ease.

Unfair Processing 

The Commissioner found that the Pharmacy2U customer data was processed unfairly (in breach of the first data protection principle) under s 4(4).

Customers could not be deemed to have given consent to processing for provision to third parties because of: 

1. the lack of clarity on the customer registration form and privacy policy of the intent to sell data to third parties; and

2. the trouble a customer had to go to in order to opt out (logging in to the Pharmacy2U website, browsing to the relevant page and changing the relevant settings).

This is by no means an uncommon practice, and should be sounding alarm bells for the many online businesses who do the same or similar.

Seriousness 

This was established based on the facts, the number of customers affected (21,500) and the particularly serious nature of the purposes for which the data was used. 

Of note here is the significance of the number affected. Whilst it is unsurprising that the facts were considered serious, the number of records involved is relatively modest compared to databases held by other online giants.

Contraventions Likely to Cause Substantial Damage or Substantial Distress 

The nature of Pharmacy2U’s business, the references to health conditions (even in general terms) and the highly targeted nature of the data subsets were all deemed relevant features in the Commissioner’s conclusion that the contravention was likely to cause substantial damage or substantial distress. 

Interestingly, the Commissioner took into account to whom the data was disclosed:

- the supplement company had been pursued by the ASA for misleading advertising and unauthorised health claims – after receiving communications from this business Pharmacy2U customers may have stopped taking prescription medication, substituting medication with unproven effectiveness; and

- customers may have suffered financial loss if they had been induced to deal with the lottery company, an organisation under investigation for fraud and money laundering.

This was despite the fact that Pharmacy2U could not have known at the time about the ASA action or the criminal investigations. 

Clearly then, if businesses do tread a fine line and continue supplying data to third parties without providing clear information and/or opt-outs to their customers (which is not advised), the Commissioner will hold them responsible for any additional damage caused by the nature of the recipient parties’ businesses, regardless of knowledge, reasonable or otherwise. 

Perhaps the most important point to note is that the Commissioner considered the impact of the contravention in cumulative terms; even if the distress suffered by each individual was less than substantial, considered together, they could bring the contravention across the substantial threshold. In any case, it was suggested that given the number of individuals involved, at least a small proportion would likely suffer substantial damage or distress individually.

Deliberate or Negligent Contraventions 

The Commissioner came to the conclusion that, whilst the action of selling the data was deliberate, contravention of the DPA was not.

However, he did find that Pharmacy2U had been negligent, on the following basis: 

1. They ought to have known that the customers of a pharmacy had a reasonable expectation of confidentiality, and had acknowledged in correspondence that the lottery advert was potentially ‘spammy’. They therefore ought reasonably to have known that there was a risk of contravention.

2. Given the nature of their business and the amount of data held, they ought reasonably to have known that such a breach would be likely to cause substantial damage or substantial distress.

3. Reasonable steps were not taken to prevent contravention. The Commissioner expressly stated such steps would have included a prominent notice of processing for these purposes with a simple opt-out.

Comment

Proper Consent 

The Commissioner’s conclusions in relation to both unfair processing and reasonable steps that should have been taken to prevent contravention point to an approach in line with that seen in the recently published proposed text for the European Data Protection Regulation (‘DPR’), which is likely to come into force in 2018. Recital 25 of the current text, assuming it is adopted, states: 

Consent should be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed, such as by a written, including electronic, or oral statement […] Silence, pre-ticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be granted for all of the processing purposes. 

Therefore, it should serve as a wake-up call for online businesses that covert practices are approaching the end of their shelf lives. Regardless of the outcome of any appeal, data controllers would be well advised to start implementing explicit consent procedures, particularly when sharing data with third parties. 

Financial Consequences

Level of Fine

Currently, the Commissioner may only issue a monetary penalty notice up to the value of £500,000. However, Article 79(3), (3a) and (3aa) of the proposed text for the DPR envisage significantly increasing the maximum fine for data processing contraventions, to, depending on the article breached: 

- €10,000,000 or €20,000,000 for non-businesses; or

- 2% or 4% of annual worldwide turnover for ‘undertakings’ (regardless of legal form), unless the above is higher.

Individual Claims for Compensation

The Commissioner’s decision provides a strong basis for individual actions by Pharmacy2U’s affected data subjects under s 13 of the DPA. Following the Court of Appeal’s decision in Google Inc v Vidal-Hall, data subjects can claim compensation for distress alone (ie without any corresponding financial damage), greatly increasing Pharmacy2U’s exposure.

Even where the Commissioner would find it difficult to satisfy the s 55A requirements for a monetary penalty notice, individuals only need to show breach. Whilst a penalty notice may make an individual’s claim much easier to establish, an individual may bring a s 13 claim for compensation without one.

Misuse of Private Information

The Commissioner’s reasoning with regard to the nature of the businesses to which data was sold is indicative of a duty of care approach. The language used in the decision suggests that not only are data controllers responsible for ensuring compliance with the black letter law of the DPA, they also owe their customers a duty not to provide data to ‘shady’ businesses.

Therefore, even if consent to third-party sharing had been properly obtained, the question remains whether customers could bring a claim under the ‘new’ tort of misuse of private information, for what essentially amounts to ‘irresponsible’ data sharing. 

This is of course speculative; the Commissioner carries no judicial authority, and there would be limited case law to support such a position. However, with increasing judicial activism in the realms of data protection, it is not difficult to imagine a judicial decision in such terms.

Group Litigation

With an increasing propensity for group litigation in the wake of Vidal-Hall, whether under the DPA or the tort of misuse of private information, this is an unwelcome further development for data controllers to have to consider.  

Reports in the media at the end of October suggest that some 2,000 Morrisons employees are planning to bring a claim against their employer for a data breach involving payroll details. The breach itself occurred back in 2013. This development serves as a stark reminder of the risks. Once compensation, legal costs, damage to share prices and PR are taken into account, a group action has the potential to dwarf any associated monetary penalty notice.

Chris Bridges is a trainee solicitor at Thomas Eggar, a trading style of Irwin Mitchell LLP. Chris is part of the firm’s technology sector, which comprises lawyers working with technology-led businesses as well as IT law specialists.