On 5th October, the Information Commissioner’s Office (ICO) issued a GDPR Monetary Penalty Notice in the sum of £1,350,000 to Easylife Ltd. The catalogue retailer was found to have been using 145,400 customers personal data to predict their medical condition and then, without their consent, targeting them with health-related products.
This latest ICO fine is interesting but not because of the amount involved. There have been much higher fines. In October 2020, British Airways was fined £20 million for a cyber security breach which saw the personal and financial details of more than 400,000 customers being accessed by hackers. This, like most of the other ICO fines, involved a breach of the security provisions of GDPR. In the Easylife fine, the ICO focussed on the more interesting GDPR provisions (from a practitioner’s perspective) relating to legal basis, profiling and transparency.
The background to the fine is that a telemarketing company was being investigated by the ICO for promoting funeral plans during the pandemic. This led to the investigation into Easylife because the company was conducting marketing calls for Easylife. The investigation initially concerned potential contraventions of the Privacy and Electronic Communications Regulations (PECR), and that investigation raised concerns of potential contraventions of GDPR, which the Commissioner then investigated separately.
The ICO investigation found that when a customer purchased a product from Easylife’s Health Club catalogue, the company would make assumptions about their medical condition and then market health-related products to them without their consent. For example, if a person bought a jar opener or a dinner tray, Easylife would use that purchase data to assume that person has arthritis and then call them to market glucosamine joint patches.
Special Category Data and Profiling
Article 4( 4) of the GDPR defines profiling:
“‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;”
Out of 122 products in Easylife’s Health Club catalogue, 80 were considered to be ‘trigger products’. Once these products were purchased by customers, Easlylife would target them with a health-related item. The ICO found that significant profiling of customers was taking place.
Easylife’s use of customer transactional data to infer that the customer probably had a particular health condition was Special Category Data. Article 6 and 9 of the GDPR provides that such data may not be processed unless a lawfulness condition can be found. The only relevant condition in the context of Easylife’s health campaign was explicit consent. Easylife did not collect consent to process Special Category Data, instead relying on legitimate interest (based on its privacy notice) under Article 6. As a result, it had no lawful basis to process the data in contravention of Article 6 and Article 9 of the GDPR.
John Edwards, UK Information Commissioner, said:
“Easylife was making assumptions about people’s medical condition based on their purchase history without their knowledge, and then peddled them a health product – that is not allowed.
The invisible use of people’s data meant that people could not understand how their data was being used and, ultimately, were not able to exercise their privacy and data protection rights. The lack of transparency, combined with the intrusive nature of the profiling, has resulted in a serious breach of people’s information rights.”
One other ICO monetary penalty notice has examined these issues in detail. In May 2022 Clearview AI was fined £7,552,800 following an investigation into its online database contains 20 billion images of people’s faces scraped from the internet.
GDPR was not the only cause of Easylife’s woes. It was also fined £130,000 under PECR for making 1,345,732 direct marketing calls to people registered with the Telephone Preference Service (TPS).
This case also shows the importance of organisations only using telephone marketing companies who understand and comply with GDPR and PECR. If not, the ICO enforcement spotlight will also fall on clients of such companies.
This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop.
Are you an experienced GDPR Practitioner wanting to take your skills to the next level? Our Advanced Certificate in GDPR Practice starts on 25th October.