Category Archives: political parties

June 6, 2025 · 9:58 am

Good Law Project v Reform

In the run-up to last year’s General Election, the campaigning group The Good Law Project (GLP) actively encouraged people to make subject access requests (under Article 15 of the UK GDPR) to political parties, and they say that they enabled 13,000 people to do so.

The GLP says that the Reform Party “replied to hardly anyone”, and as a result it is bringing the first ever case in the UK under Article 80(1) of the UK GDPR, whereby a data subject (or subjects) mandates an representative organisation to bring an Article 79 claim on their behalf.

Helpfully, the GLP has published both its own particulars of claim, and, now, Reform’s defence to the claim. The latter is particularly interesting, as its initial approach is to threaten to apply to strike out the claim on the grounds that the GLP does not meet the criteria for a representative body, as laid out in section 187 of the Data Protection Act 2018.

Given the nature of the two parties (one a bullish campaign group, the other a bullish political party) it seems quite likely that this will proceed to trial. If so, we should get some helpful clarification on how Article 80(1) should operate.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Article 80, Data Protection Act 2018, political parties, UK GDPR

Tagged as ,

August 11, 2024 · 10:06 am

Soft opt in marketing for non-profits

Why can’t charities send speculative promotional emails and text messages to customers and enquirers, in circumstances where commercial organisations can? And should the law be changed?

Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) deals with circumstances under which a person can send an unsolicited direct marketing communication by email, or text message.

In simple and general terms, a person cannot send an unsolicited direct marketing email or text message to an individual’s private email account, unless the individual has consented to receive it. “Consent”, here, has the stringent requirements imposed by Article 4(11) and Article 7 of the UK GDPR.

(The actual law is more complex – it talks of an “individual subscriber”. This is the person who is a party to a contract with a provider of public electronic communications (for which, read “email” and “text message”) services for the supply of such services. So, if you have signed up for, say, a gmail account, you have a contract with Google, and you are – if you are an individual – an individual subscriber.)

The exception to the requirement to have the recipient’s consent is at regulation 22(3) of PECR, which says that the sender of the marketing communication does not need the prior consent of the recipient where the sender: obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient; the direct marketing is in respect of the sender’s similar products and services only; and the recipient has been given a simple means of refusing the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and at the time of each subsequent communication.

This exception to the general “consent required” rule has long (and probably unhelpfully) been known as the “soft opt in”.

The notable requirement for the soft opt in is, though, that the recipient’s contact details must have been collected in the course of the sale or negotiations for the sale of a product or service.

There are various types of non-profit organisation which may well correspond with, and wish to send promotional emails and text messages to individuals, but which don’t as a rule sell products or services. Perhaps the most obvious of these are charities, but political parties also fall into the type.

The Information Commissioner’s Office (ICO) has long held that promotional communications sent by such non-profits do constitute “marketing” (and the Information Tribunal upheld this approach as far back as in 2006, when the SNP appealed enforcement action by the ICO). (I happen to think that there’s still an interesting argument to be had about what “marketing” means in the PECR and data protection scheme, and at one end of that argument would be a submission that it implies a commercial relationship between the parties. However, no one has yet taken the issue – as far as I’m aware – to an appellate court.)

But the combined effect of regulation 22(3) and the interpretation of “marketing” as covering promotional emails and text messages by charities, means that those charities (and political parties etc.) can’t send soft opt in communications.

The Data Protection and Digital Information Bill, which tripped and fell yards from the finishing line, when Mr Sunak, in a strategic master stroke, called the general election early, proposed, in clause 115, to extend the soft opt in where the direct marketing was “solely for the purpose of furthering a charitable, political or other non-commercial objective” of the sender.

Will the new Labour administration’s proposed Digital Information and Smart Data Bill revive the clause? The government’s background paper on the legislative agenda in the King’s Speech doesn’t refer to it, but that may be because it’s seen as a relatively minor issue. But, in fact, for many charities, the issue carries very significant implications for their operations and their ability effectively to fundraise.

It should be revived, and it should be enacted.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

2 Comments

Filed under charities, Data Protection Bill, Information Commissioner, marketing, PECR, political parties

Tagged as , ,

July 19, 2024 · 8:18 pm

Yes, Minister for Data Protection

This is important news for data protection lawyers and practitioners. And indeed for data subjects. The government has created a role of Minister of State for Data Protection and Telecomms, and has appointed Sir Chris Bryant as the first post-holder.

He will have responsibility for Digital infrastructure and telecoms, Building Digital UK (BDUK), Data protection, including the “Data Bill” (does this mean the Digital Information and Smart Data (DISM) Bill, or something else to come down the line?), the Information Commissioner’s Office (ICO), Digital inclusion, and
Space sector growth and UK Space Agency (UKSA).

In debates on the Data Protection and Digital Information Bill Bryant, then the Shadow Culture secretary, supported the proposed reforms to the ICO and provisions on digital verification and smart data (which have been revived now in the DISM Bill), but opposed what Labour saw as attempts by the then government to water down subject access rights, and opposed extending the PECR soft opt-in to political party marketing. He also expressed notable concerns about the proposal to confer wide powers on DWP to get information from financial service providers.

In those debates, Bryant said that Labour wanted a law which “would unlock the new potential for data that improves public services, protects workers from data power imbalances and delivers cutting-edge scientific research, while also building trust for consumers and citizens”.

Perhaps a bit platitudinous (would anyone disagree with that desire?) but also perhaps an indication of the tone he will want to set in this new role.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, political parties

Tagged as

July 1, 2024 · 10:57 am

Can you stop election candidates sending you post?

During every recent general election campaign I can remember, there have been social media posts where people complain that they’ve received campaign material sent to them, by name, in the post. Electoral law (whether one likes it or not) permits a candidate to send, free of charge, one such item of post regardless of whether the recipient has objected to postal marketing, in general or specific terms. This right is contained in section 91 of The Representation of the People Act 1983. So, if you don’t like it, lobby your new MP in a few weeks’ time to get it changed.

Given that it’s always a topic of contention, I welcome the Information Commissioner’s Office’s publishing of guidance (including on the “one item of post” point) for the public on “The General Election and my personal data – what should I expect?

What the guidance does not address, however, is a conflict of laws point. Article 21(2-3) of the UK GDPR create an absolute right to object to direct marketing and a consequent absolute obligation on a person not to process personal data for direct marketing purposes upon receipt of an objection. So how does this talk with the right given to electoral candidates to send one such communication?

Tim Turner has written on this point, in his “DPO Daily”, and says “I don’t think the Representation of the People Act trumps the DP opt-out right”, but – on this rare occasion – I think I disagree with him. This is because section 3(1) of the Retained EU Law (Revocation and Reform) Act 2023 provides that retained direct EU legislation – such as the UK GDPR – must be read and given effect in a way which is compatible with all domestic enactments, and, insofar as it is incompatible with them, those domestic enactments prevail.

So, the short answer to the title of this blog is “no” (although they can only send you just one personally addressed item).

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, elections, Information Commissioner, marketing, political parties, UK GDPR

Tagged as , , ,

March 1, 2024 · 6:48 am

How did George Galloway come to send different canvassing info to different electors?

As electors went to the polls in the Rochdale by-election on 29 February, a few posts were made on social media showing the disparity between letters sent to different electors by candidate George Galloway. An example is here

On the face of it, Galloway appears to have hoped to persuade Muslim voters to vote for him based on his views on a topic or topics he felt would appeal to them, and others to vote for him based on his views on different topics.

It should be stressed that there is nothing at all wrong that in principle.

What interests me is how Galloway identified which elector to send which letter to.

It is quite possible that a candidate might identify specific roads which were likely to contain properties with Muslim residents. And that, also would not be wrong.

But an alternative possibility is that a candidate with access to the full electoral register, might seek to identify individual electors, and infer their ethnicity and religion from their name. A candidate who did this would be processing special categories of personal data, and (to the extent any form of automated processing was involved) profiling them on that basis.

Article 9(1) of the UK GDPR introduces a general prohibition on the processing of special categories of personal data, which can only be set aside if one of the conditions in Article 9(2) is met. None of these immediately would seem available to a candidate who processes religious and/or ethnic origin data for the purposes of sending targeted electoral post. Article 9(2)(g) provides a condition for processing necessary for reasons of substantial public interest, and Schedule One to the Data Protection Act 2018 gives specific examples, but, again, none of these would seem to be available: paragraph 22 of the Schedule permits such processing by a candidate where it is of “personal data revealing political opinions”, but there is no similar condition dealing with religious or ethnic origin personal data.

If such processing took place in contravention of the prohibition in Article 9, it would be likely to be a serious infringement of a candidate’s obligations under the data protection law, potentially attracting regulatory enforcement from the Information Commissioner, and exposure to the risk of complaints or legal claims from electors.

To be clear, I am not saying that I know how Galloway came to send different letters to different electors, and I’m not accusing him of contravening data protection law. But it strikes me as an issue the Information Commissioner might want to look into.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

3 Comments

Filed under access to information, Data Protection, Data Protection Act 2018, data sharing, Information Commissioner, political parties, UK GDPR

Tagged as , , ,

July 4, 2023 · 5:56 am

Labour’s Grubby Data Grab

Nine years ago (I’ve been doing this a long time) I wrote about the Labour Party harvesting details by hosting a page inviting people to find out “what baby number” they were in relation to the NHS. At that time, no privacy notice information was given at all. Fast forward to today, and Labour is once again hosting a similar page. This time, there is a bit more explanatory information, but it’s far from reassuring.

As an aside, I note that, when a person inputs their date of birth, what the website does is simply calculate, by reference to broad census data, approximately how many babies would have been born since the NHS started and that birth date. So the idea that this gives a “baby number” is ridiculous from the outset.

In any event, the person is then required to give their first name, email address and postcode.

(There is also an odd option to “find out the baby number” of a relative, or friend, by giving that person’s date of birth. Here, the person completing the form is only required to give their own email address and postcode (not their own first name).)

The person completing the form then has the option to agree or not agree to be kept “updated via email on the latest campaigns, events and opportunities to get involved”. This initially seems acceptable when it comes to compliance with the emarketing rules in the Privacy and Electronic Communications (EC Directive) Regulations 2003, so perhaps an improvement on how things were nine years ago. However, in smaller print, the person is then told that “We may use the information you provide, such as name and postcode, to match the data provided to your electoral register record held on our electoral database, which could inform future communications you receive from us”. So it appears that, even if one declines to receive future emails, the party may still try to match one’s details with those on the electoral register and may still send “future communications” (although query how accurate – or even feasible – this will be: how many Johns, say, potentially live in postcode SK9 5AF?).

This suggests that some sort of profiling is going on, but it is all a bit unclear, and opaque, which are not words that really should be associated with the processing of personal data by a political party. But if one clicks the link to “know more about how we use your information” the first thing one encounters is a cookie banner with no option but to accept cookies (which will, it is said, help the party make its website better). Such a banner is, of course, not lawful, and – if the ICO is to be believed – puts the party at current risk of enforcement action. If, teeth gritted, one clicks through the banner, one is faced with a privacy notice which, dear readers, I think needs to be the subject of a further blog (maybe with a comparative analysis of other parties’ notices). Suffice to say that the Labour Party appears to be doing one heck of a lot of profiling, and “estimation” of political opinions, from a range of statutory and/or public information sources.

For now, the TL;DR of this post is that the “NHS Baby Number” schtick from the Labour Party seems to be as much of a (although maybe a different) grubby data grab as it was nine years ago when I last wrote about it. There’s a lot that the ICO could, and should, do about it, but nothing was done then, and – I fear – nothing will be done now.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under fairness, Information Commissioner, PECR, political parties, privacy notice, profiling

Tagged as , ,