On 16 March 2023, the UK Information Commissioner (ICO) announced that it had agreed with Easylife Ltd (Easylife) to reduce the amount of the monetary penalty notice imposed upon Easylife a few months ago, from £1.35 million to £250,000, following an appeal.
In October 2022, the ICO fined Easylife, a catalogue retailer, for using the personal data of over 145,000 individuals to make predictions concerning their health and to target them in connection with health-related products without their agreement in breach of the Data Protection Act 2018 (DPA).
When individuals bought certain products from Easylife's Health Club catalogue, Easylife would draw inferences about the relevant customers' medical conditions and then send them health-related product marketing based on such profiling without obtaining their consent.
The ICO concluded that Easylife engaged in "invisible" processing and extensive profiling of such individuals for these purposes, which the relevant customers were unaware of, in breach of applicable data protection requirements. Such invasive profiling, which involved the processing of special category data, together with the lack of both transparency and an appropriate lawful basis for processing the relevant data, was considered to be a significant breach of the rights of the data subjects in question.
Easylife was also fined £130,000 in connection with a separate investigation for making 1,345,732 unsolicited marketing calls to individuals who were registered with the Telephone Preference Service in breach of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended), (PECR).
Easylife ceased the relevant processing of special category data and appealed against the monetary penalty notice, ultimately accepting the ICO's factual findings. The ICO and Easylife agreed that the monetary penalty should be reduced (although the separate £130,000 penalty regarding the unsolicited direct marketing calls in breach of PECR was not appealed or reduced).
John Edwards, the UK Information Commissioner, noted that Easylife had ceased the unlawful processing and agreed that a reduction in the amount of the penalty in this case was appropriate. Mr. Edwards observed that “As a pragmatic and proportionate regulator, my role is to ensure that we protect the public and ensure businesses abide by the law.” This may be an example of the ICO's recent approach to enforcement action, which tends to be more outcomes-based with a greater focus on changing data protection-related practices and behaviours, rather than the level of fines imposed.
Having said that, the ICO has made it clear that monetary penalties remain an important weapon in its regulatory armoury and will be deployed in cases where they are clearly required when breaches cause the most actual or potential harm to people, or where a business has benefitted financially from its failure to comply with applicable data protection requirements.
Regarding direct marketing practices, there have been a number of recent examples of organisations who have been issued with monetary penalty notices by the ICO for breaches of certain rules. For example, the ICO issued over £2 million in fines in respect of organisations making nuisance calls in 2022. Organisations engaging in direct marketing should, therefore, continue to consider data protection and other related requirements and ensure that any personal data processed for these purposes is handled in a compliant way.
“Easylife has confirmed that it has stopped the unlawful processing which formed the basis of the ICO’s concerns. Having considered the amount of the penalty again during the course of the litigation, in light of the issues raised by Easylife, I considered that a reduction was appropriate.”