Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue. For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.

1. £1.35 million fine for using purchase history to target customers

In its monetary penalty notice, the ICO held that because Easylife did not inform its customers that such profiling would occur, this constituted “unlawful and invisible” processing of special category data in contravention of Article 5(1)(a) of the General Data Protection Regulation 2016 (“GDPR”). In reaching this conclusion, the ICO also cited a recent judgment from the Court of Justice of the European Union in OT v Vyriausioji tarnybines etikos komisija (Case C-184/20, 1 August 2022), which confirmed that the processing of any personal data “liable indirectly to reveal sensitive information concerning a natural person” constitutes the processing of special category data (see our blog post for more information).

In calculating the fine, the ICO noted that it was not possible to quantify the level of damage caused due to the “invisible” nature of the processing, but that the harassment and targeting of potentially vulnerable individuals – most of whom were older people with long-term health conditions – could be wide-ranging. The ICO also took into account the fact that Easylife had failed to implement measures – such as a data protection impact assessment – that could have prevented the contravention, and its poor track record of regulatory compliance.

2. £130,000 fine for unsolicited direct marketing calls

Following a separate investigation, the ICO fined Easylife £130,000 for making over 1.3 million direct marketing calls between August 2019 and August 2020 to customers who had registered with the Telephone Preference Service (“TPS”), in contravention of regulation 21 of the Privacy and Electronic Communications Regulations (“PECR”). Regulation 21 of the PECR prohibits a person from making unsolicited direct marketing calls to anyone who has registered their numbers on the TPS, unless they have notified the person that they are willing to receive such calls.

While the ICO did not consider Easylife’s contravention of the PECR to be deliberate, it did consider it to be “negligence of the highest order” as Easylife knew or ought reasonably to have known of its obligations under PECR and failed to take reasonable steps to prevent the contravention.

In its monetary penalty notice, the ICO set out the aggravating and mitigating factors it considered when imposing the fine:

  • As aggravating factors, it highlighted that Easylife’s marketing was “aggressive”, and that Easylife attended a compliance meeting with the ICO in June 2019, following which it would have been reasonable for Easylife to seek advice on compliance with the PECR.
  • As mitigating factors, it took into account the significant penalty proposed in the concurrent investigation into GDPR violations described above, and the remedial measures Easylife had introduced, e.g., TPS screening, appointment of a new telemarketing partner, and introduction of a new data management system.

Easylife has indicated that it intends to appeal the ICO’s decisions, both with respect to liability and the penalty amounts. Any such appeal will need to be filed with the First-Tier Tribunal by 1 November 2022. The Covington team continues to monitor the ICO’s enforcement activity. Please reach out to a member of the team if you have any questions.

Update: Easylife filed its appeal with the First-Tier Tribunal on 31 October 2022.

Mark Young


Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” has “great insight into the regulators;” and “is technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 20 years of experience, Mark specializes in:

Providing practical guidance and advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services.
Handling complex regulatory investigations and enforcement actions involving data privacy regulators in the UK, EU and globally, and advising on follow-on litigation risk.
Helping clients respond to cybersecurity incidents, including ransomware, supply chain incidents, state-sponsored attacks, insider threats, personal data breaches, and IP and trade secret theft.
Advising various clients on the EU NIS2 Directive, Cyber Resilience Act (CRA), and other emerging EU, UK, and global cybersecurity laws and regulations.
Advising life sciences companies on industry-specific data privacy issues, including clinical trials, pharmacovigilance, and digital health products and services.
Advising on data privacy compliance in relation to employees and international transfers of data in connection with white collar investigations.
Providing strategic advice and advocacy on a range of UK and EU technology law reform issues relating to data privacy, cybersecurity, eIDs, and software.
Representing clients in connection with references to the Court of Justice of the EU.

Alex Carn


Alex Carn is an associate in Covington’s international disputes practice group. Alex primarily advises clients on international commercial and investor-state disputes across a range of industries including the technology, life-sciences, and energy sectors. He has conducted arbitrations under major institutional rules including the ICC and SIAC rules, as well as ad hoc proceedings under the UNCITRAL rules.