It’s becoming increasingly clear that one of the key battlegrounds in the 2015 General Election will be online. The BBC’s Ross Hawkins reports that the Conservatives are spending large amounts each month on Facebook advertising, and Labour and UKIP, while not having the means to spend as much, are ramping up their online campaigning. But, as Hawkins says
the aim is not to persuade people to nod thoughtfully while they stare at a screen. They want consumers of their online media to make donations or, even better, to get their friends’ support or to knock on doors in marginal constituencies…[but] for all the novelties of online marketing, email remains king. Those Tory Facebook invoices show that most of the money was spent encouraging Conservative supporters to hand over their email addresses. Labour and the Conservatives send emails to supporters, and journalists, that appear to come from their front benchers, pleading for donations
To be honest, I thought Pam would receive more than this number of unsolicited emails (but I’m probably more cynical than her). But the point is that each of these emails was sent in breach of the parties’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) which demands that recipients of electronic direct marketing communications must have given explicit consent prior to the sending. By extension, therefore, the parties are also in breach of the Data Protection Act 1998 (DPA), which, when requiring “fair” processing of personal data, makes clear that a valid privacy notice must be given in order to achieve this.
The ICO makes clear that promotion by a political party can constitute direct marketing, and has previously taken enforcement action to try to ensure compliance. It has even produced guidance for parties about their PECR and DPA obligations. This says
In recent years we have investigated complaints about political parties and referendum campaigners using direct marketing, and on occasion we have used our enforcement powers to prevent them doing the same thing again. Failure to comply with an enforcement notice is a criminal offence.
But by “recent” I think they are referring at least six years back.
A data controller’s compliance, or lack thereof, with data protection laws in one area is likely to be indicative of its attitude to compliance elsewhere. Surely the time has come for the ICO at least to remind politicians that online privacy rights are not to be treated with contempt?
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.