Data Cleanse: Can you breach a Data Protection Law to comply with another?
The Information Commissioner’s Office (ICO) has issued fines to Flybe and Honda Motor Europe Limited for breaching Regulation 22 of the Privacy and Electronic Communications Regulations 2003 (PECR), regarding data cleansing by the companies. These recent decisions establish that emails asking for consent for marketing communications are unsolicited communications for the purpose of PECR and must not be sent without consent.
Honda sent a number of emails with the aim of clarifying the marketing preferences of individuals. They argued that the emails were not for marketing purposes, but were service emails allowing them to maintain compliance with the principles regarding retention of data under the Data Protection Act 1998 (DPA). Prior to this, Flybe issued emails seeking to amend details of numerous individuals who had opted out of email communications from the company.
The ICO decided that the practices of both companies were in breach of PECR. It is interesting that the argument by Honda that the emails were to aid their compliance with data protection laws was not enough to avoid a breach or very least a fine. The ICO stated that even sending emails asking for consent for future marketing are still unsolicited electronic marketing communications for the purposes of PECR and therefore require consent from the individual.
Organisations must ensure that they remain compliant with current data protection laws when carrying out a data cleanse. Steve Eckersley, ICO’s Head of Enforcement, stated that in respect of the Flybe and Honda decisions that “Businesses must understand that they can’t break one law to get ready for another.”
If you have any queries about the above and the effect it will have on your organisation, please contact a member of the Media and Technology or your usual Shepherd and Wedderburn contact.