Lib Dems continue to breach ePrivacy law, ICO still won’t take enforcement action.
It’s not difficult: the sending of unsolicited marketing emails to me is unlawful. Regulation 22 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and by extension, the first and second principles in Schedule One of the Data Protection Act 1998 (DPA) make it so. The Liberal Democrats have engaged in this unlawful practice – they know and the Information Commissioner’s Office (ICO) know it, because the latter recently told the former that they have, and told me in turn
I have reviewed your correspondence and the [Lib Dem’s] website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals
But the ICO has chosen not to take enforcement action, saying to me in an email of 24th April
enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us
Of course I’d never suggested they take action in every case – I’d requested (as is my right under regulation 32 of PECR) that they take action in this particular case. The ICO also asked for the email addresses I’d used; I gave these over assuming it was for the purposes of pursuing an investigation but no, when I later asked the ICO they said they’d passed them to the Lib Dems in order that they could be suppressed from the Lib Dem mailing list. I could have done that if I wanted to. It wasn’t the point and I actually think the ICO were out of order (and contravening the DPA themselves) in failing to tell me that was the purpose.
But I digress. Failure to comply with PECR and the DPA is rife across the political spectrum and I think it’s strongly arguable that lack of enforcement action by the ICO facilitates this. And to illustrate this, I visited the Lib Dems’ website recently, and saw the following message
Vacuous and vague, I suppose, but I don’t disagree, so I entered an email address registered to me (another one I reserve for situations where I fear future spamming) and clicked “I agree”. By return I got an email saying
Friend – Thank you for joining the Liberal Democrats…
Wait – hold on a cotton-picking minute – I haven’t joined the bloody Liberal Democrats – I put an email in a box! Is this how they got their recent, and rather-hard-to-explain-in-the-circumstances “surge” in membership? Am I (admittedly using a pseudonym) now registered with them as a member? If so, that raises serious concerns about DPA compliance – wrongly attributing membership of a political party to someone is processing of sensitive personal data without a legal basis.
It’s possible that I haven’t yet been registered as such, because the email went on to say
Click here to activate your account
When I saw this I actually thought the Lib Dems might have listened to the ICO – I assumed that if I didn’t (I didn’t) “click here” I would hear no more. Not entirely PECR compliant, but a step in the right direction. But no, I’ve since received an email from the lonely Alistair Carmichael asking me to support the Human Rights Act (which I do) but to support it by joining a Lib Dem campaign. This is direct marketing of a political party, I didn’t consent to it, and it’s sending was unlawful.
I’ll report it to the ICO, more in hope than expectation that they will do anything. But if they don’t, I think they have to accept that a continuing failure to take enforcement against casual abuse of privacy laws is going to lead to a proliferation of that abuse.
The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..