Earlier this month, the UK Information Commissioner’s Office (“ICO”) announced a fine in a case that involved inferring health data and using this for marketing. The ICO found that catalogue retailer Easylife Limited (“Easylife”) had profiled 145,400 individuals for inferred health conditions without their consent, based on certain “trigger products” that they had purchased from Easylife’s Health Catalogue.  For example, if a customer bought a jar opener or a dinner tray, Easylife would infer that the customer might have arthritis, and then call them to market glucosamine joint patches. The ICO has fined Easylife £1.48 million: £1.35 million for using customers’ personal information to sell health-related products without their consent, and a further £130,000 for making unsolicited direct marketing calls.

1. £1.35 million fine for using purchase history to target customers

In its monetary penalty notice, the ICO held that, because Easylife did not inform its customers that such profiling would occur, this constituted “unlawful and invisible” processing of special category data in contravention of Article 5(1)(a) of the General Data Protection Regulation 2016 (“GDPR”).  In reaching this conclusion, the ICO also cited a recent judgment from the Court of Justice of the European Union in OT v Vyriausioji tarnybines etikos komisija (Case C-184/20, 1 August 2022), which confirmed that the processing of any personal data “liable indirectly to reveal sensitive information concerning a natural person” constitutes the processing of special category data (see our blog post for more information).

In calculating the fine, the ICO noted that it was not possible to quantify the level of damage caused due to the “invisible” nature of the processing, but that the harassment and targeting of potentially vulnerable individuals – most of whom were older people with long-term health conditions – could be wide-ranging.  The ICO also took into account the fact that Easylife had failed to implement measures – such as a data protection impact assessment – that could have prevented the contravention, and its poor track record of regulatory compliance.

2. £130,000 fine for unsolicited direct marketing calls

Following a separate investigation, the ICO fined Easylife £130,000 for making over 1.3 million direct marketing calls between August 2019 and August 2020 to customers who had registered with the Telephone Preference Service (“TPS”), in contravention of regulation 21 of the Privacy and Electronic Communications Regulations (“PECR”).  Regulation 21 of the PECR prohibits a person from making unsolicited direct marketing calls to anyone who has registered their number on the TPS, unless the person has notified the caller that they are willing to receive such calls.

While the ICO did not consider Easylife’s contravention of the PECR to be deliberate, it did consider it to be “negligence of the highest order” as Easylife knew or ought reasonably to have known of its obligations under PECR and failed to take reasonable steps to prevent the contravention.

In its monetary penalty notice, the ICO set out the aggravating and mitigating factors it considered when imposing the fine:

  • As aggravating factors, it highlighted that Easylife’s marketing was “aggressive”, and that Easylife attended a compliance meeting with the ICO in June 2019, following which it would have been reasonable for Easylife to seek advice on compliance with the PECR.
  • As mitigating factors, it took into account the significant penalty proposed in the concurrent investigation into GDPR violations described above, and the remedial measures Easylife had introduced, e.g., TPS screening, appointment of a new telemarketing partner, and introduction of a new data management system.

Easylife has indicated that it intends to appeal the ICO’s decisions, both with respect to liability and the penalty amounts. Any such appeal will need to be filed with the First-Tier Tribunal by 1 November 2022. The Covington team continues to monitor the ICO’s enforcement activity.  Please reach out to a member of the team if you have any questions.

Update: Easylife filed its appeal with the First-Tier Tribunal on 31 October 2022.

Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
    • preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors).
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.

Stacy Young

Stacy Young is an associate in the technology regulatory group in London. She advises clients on a broad range of issues, including privacy, cybersecurity and AI laws in the UK and the EU.