Leave.EU fined over violations of data protection and digital marketing laws
The Information Commissioner’s Office (ICO) has fined Leave.EU and an insurance company for “serious breaches” of digital marketing laws and will be reviewing them both to ensure that they comply with data protection laws.
Leave.EU was an unofficial group campaigning to leave the EU as part of the national Brexit discussion. The group was established and largely funded by UKIP donor Arron Banks. The Electoral Commission opened an investigation into the group in April 2017 and fined the group £70,000 for breaking electoral spending laws and later referred Banks and Leave.EU CEO Liz Bilney to the National Crime Agency over the source of money used to fund Leave.EU.
In April 2018, it emerged that the ICO was investigating whether Eldon Insurance (a company owned by Banks) shared data with Leave.EU, accusations that Banks has denied. In November, the ICO announced an audit and issued a preliminary enforcement and three notices of intent to fine Leave.EU and Eldon Insurance. The ICO has now announced that it will keep two of the three fines unchanged and alter one fine.
The ICO investigation found that Leave.EU and Eldon Insurance were closely linked, with “ineffective” systems for keeping separate the personal data of Eldon customers and political subscribers, resulting in Leave.EU illegally using the data of Eldon Insurance customers to send almost 300,000 political marketing messages. Leave.EU is being fined £15,000 for this breach.
Meanwhile, a £45,000 fine for Leave.EU and a £60,000 fine for Eldon will be applied for two illegal direct marketing campaigns involving more than one million emails advertising Eldon Insurance sent to Leave.EU subscribers without consent, both before and after the referendum. Eldon has also been issued with an enforcement notice to ensure it complies with digital marketing laws.
“It is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes and vice versa. It should never have happened,” said Elizabeth Denham, the Information Commissioner. “We have been told both organisations have made improvements and learned from these events, but the ICO will now audit the organisations to determine how they are using customers’ personal information.”
The ICO will be allowed access to Leave.EU and Eldon’s shared offices, staff and documentation to ensure that they are complying with data protection laws; it is a criminal offence to obstruct an ICO audit. The findings of the ICO audit will be made public after the audit is complete.
Over the past two years, the ICO has been focused on investigating the improper use of personal data for use in political campaigns, notably in the Brexit campaign.