Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue.  For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.

1. £1.35 million fine for using purchase history to target customers

In its monetary penalty notice, the ICO held that because Easylife did not inform its customers that such profiling would occur this constituted “unlawful and invisible” processing of special category data in contravention of Article 5(1)(a) of the General Data Protection Regulation 2016 (“GDPR”).  In reaching this conclusion, the ICO also cited a recent judgment from the Court of Justice of the European Union in OT v Vyriausioji tarnybines etikos komisija (Case C-184/20, 1 August 2022), which confirmed that the processing of any personal data “liable indirectly to reveal sensitive information concerning a natural person” constitutes the processing of special category data (see our blog post for more information).

In calculating the fine, the ICO noted that it was not possible to quantify the level of damage caused due to the “invisible” nature of the processing, but that the harassment and targeting of potentially vulnerable individuals – most of whom were older people with long-term health conditions – could be wide-ranging.  The ICO also took into account the fact that Easylife had failed to implement measures – such as a data protection impact assessment – that could have prevented the contravention, and its poor track record of regulatory compliance.

2. £130,000 fine for unsolicited direct marketing calls

Following a separate investigation, the ICO fined Easylife £130,000 for making over 1.3 million direct marketing calls between August 2019 and August 2020 to customers who had registered with the Telephone Preference Service (“TPS”), in contravention of regulation 21 of the Privacy and Electronic Communications Regulations (“PECR”). Regulation 21 of the PECR prohibits a person from making unsolicited direct marketing calls to anyone who has registered their number on the TPS, unless the recipient has notified the caller that they are willing to receive such calls.

While the ICO did not consider Easylife’s contravention of the PECR to be deliberate, it did consider it to be “negligence of the highest order” as Easylife knew or ought reasonably to have known of its obligations under PECR and failed to take reasonable steps to prevent the contravention.

In its monetary penalty notice, the ICO set out the aggravating and mitigating factors it considered when imposing the fine:

  • As aggravating factors, it highlighted that Easylife’s marketing was “aggressive”, and that Easylife attended a compliance meeting with the ICO in June 2019, following which it would have been reasonable for Easylife to seek advice on compliance with the PECR.
  • As mitigating factors, it took into account the significant penalty proposed in the concurrent investigation into GDPR violations described above, and the remedial measures Easylife had introduced, e.g., TPS screening, appointment of a new telemarketing partner, and introduction of a new data management system.

Easylife has indicated that it intends to appeal the ICO’s decisions, both with respect to liability and the penalty amounts. Any such appeal will need to be filed with the First-Tier Tribunal by 1 November 2022. The Covington team continues to monitor the ICO’s enforcement activity.  Please reach out to a member of the team if you have any questions.

Update: Easylife filed its appeal with the First-Tier Tribunal on 31 October 2022.

Mark Young


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.

Alex Carn


Alex Carn is an associate in Covington’s international disputes practice group. Alex primarily advises clients on international commercial and investor-state disputes across a range of industries including the technology, life-sciences, and energy sectors. He has conducted arbitrations under major institutional rules including the ICC and SIAC rules, as well as ad hoc proceedings under the UNCITRAL rules.