Campaigners threaten UK parties with legal action over data processing

Carole Cadwalladr
Photograph: Sophia Evans/for the Observer

A data rights group has threatened legal action against the Conservatives, Labour and the Liberal Democrats over the parties’ use of personal data ahead of Thursday’s election.

A pre-action letter has been sent by Open Rights Group on behalf of three individuals who had requested their data from the parties and were dissatisfied with their responses. It includes an “urgent notice” for all three parties to stop processing their data immediately.

The letter cites breaches under the Data Protection Act 2018, saying the “imminence of the election” and “heightened processing activities” necessitated all parties to stop processing immediately. It gave the parties a deadline of 6pm on Friday 6 December to comply. When contacted by the Guardian, none of the parties gave any indication that they intended to do so.

Why are there now such huge fines?


In May 2018 powers of the  Information Commissioner’s Office (ICO), along with its counterparts across Europe, were bolstered significantly with the introduction of the General Data Protection Regulation (GDPR). The much tougher EU-wide regulation surrounding the use consumer data came with greatly enhanced powers to levy fines.


How much can the ICO fine a company?


To ensure companies take the new data protection rules seriously, GDPR gives data regulators the power to fine up to €20m (£18m), or 4% of annual global turnover, whichever is greater. The sum depends on the severity of the GDPR breach, and factors including the level of cooperation of the company involved. For example, British Airways, which cooperated with the ICO investigation, was fined 1.5% of global turnover.


Where does the money go?


Fines received by the ICO go back to the Treasury. However, the ICO is “exploring options” including ring-fencing some of the fine income to cover potential litigation costs to defend its decisions.


Can companies fight the ICO?


The ICO is using its first two investigations under GDPR to make an example of British Airways and Marriott, providing a cautionary tale for others. Companies are allowed to appeal against the scale of the fines – British Airways and Marriott have said they will put up a “vigorous” defence.


So how much tougher are the fines under the new GDPR legislation?


A lot tougher. Last year Facebook was fined £500,000 by the ICO over the Cambridge Analytica scandal, which involved the data of up to 87 million users improperly shared with third-party developers without sufficient consent. At the time the ICO lamented the fact that this was the maximum fine it was allowed to impose under the old data protection legislation - it could have handed down a fine of up to £1.26bn (4% of revenue) had the case had been eligible under GDPR.

Mark Sweney


Pascal Crowe, Open Rights Group’s data and democracy project officer, said abuse of personal data was a “systemic” issue in UK politics and there were serious concerns about the legality of the parties’ practices.

Data subject access requests to the Labour party had returned “unintelligible” data. The Conservatives appeared to have been using personal names and address to guess the age of one of the individuals, and the Liberal Democrats had failed to provide the sources of third-party data, he said.

“We are concerned about the lawfulness of these activities and have put these concerns to the parties.” He added that the information that three individuals had obtained from the parties was “baffling”.

“We often don’t recognise our profiles. They are not even profiling accurately.”

Ravi Naik, a data rights lawyer who previously acted for American David Carroll, who sued Cambridge Analytica for data abuse, and is acting for the three individuals on behalf of the Open Rights Group, said there were issues with all three parties.

“None of the parties have provided any information about how those profiles are being used. We know they’re working with outside companies but they’ve listed no political consultancies. In this day and age, we know how important data is to political parties, but they’ve provided almost no information or insight into what they are doing with this personal material.

“People need to know what data these parties have, where they are getting it from, and what they are doing to it. This is their legal right. But we are days away from this pivotal election and we have no idea.”

Naik said that the Open Rights Group was considering “all options”. This included the possibility of a high court injunction to prevent further data processing.

The Conservatives said: “We comply full with all obligations. Where individuals make requests to us regarding their data, we will always action these.”

A spokesman for Labour said: “[We] fully comply with the law and regulations for digital campaigning.”

A spokesman for the Liberal Democrats said: “[We] received a request yesterday from a firm of lawyers acting for three individuals making a request in regards to the processing of their data and related questions. The Liberal Democrats take all such requests very seriously. As with other such requests, we will answer these, as required by law.”