In early October 2022, UK catalogue retailer Easylife was issued separate financial penalties by the ICO under the PECR (£130,000) and GDPR (£1.35 million) regimes. Easylife has since stated that it is committed to appealing both fines. We reflect on the themes arising from Easylife’s GDPR penalty notice below.
Inferred information can amount to special category data
Over the course of a year from August 2019, Easylife classed 80 of its 122 products as ‘trigger products’ which, when purchased, would allow Easylife to infer that the customer was likely to suffer from certain health conditions and prompt a direct marketing telephone call for corresponding health supplement products.
Easylife therefore used transactional data to make inferences about customers’ health conditions, which, regardless of Easylife’s statistical confidence in them, influenced decisions as to which products to market to which profiled customers. Crucially, the ICO decided that this constituted processing of special category data (SCD).
In addition to its own guidance on SCD, the ICO cited a CJEU case that extended protection of SCD to “data revealing health data indirectly, following an intellectual operation involving deduction and cross-referencing”. This is a useful reminder of the continuing influence of EU jurisprudence on the practical application of the UK GDPR (even post-Brexit).
As with the ICO’s enforcement actions against Tavistock Portman NHS Trust and HIV Scotland, this more expansive view of SCD underscores the ICO’s continuing commitment to tackling high-risk processing and data-enabled predatory marketing.
The significance of transparency and ‘invisible’ processing
Easylife failed to provide its data subjects with a privacy notice that adequately informed them of either the purpose or the legal basis of the processing.
None of the 145,500 individuals that Easylife profiled had been informed that their personal data might be used for health profiling, so they could not have reasonably expected it to occur. This amounted to ‘invisible’ processing, which the ICO was clear was against data protection law, echoing its findings against Experian and Clearview.
Easylife’s failure to collect explicit consent from the data subjects to process their SCD meant that it had no legal basis for that processing. Although Easylife sought to rely (albeit inadequately) in its privacy policy on the ‘legitimate interest’ legal basis, its legitimate interest assessment did not reflect customer profiling.
The context of the individuals’ health conditions also chimes with the ICO’s commitments in its new strategic plan (ICO25) to safeguard vulnerable groups who have “no choice but to share their information with organisations in order to access services and receive the support they crucially need”.
A trigger event can spark multi-stranded regulatory investigations
At the outset, the ICO’s investigation into Easylife concerned potential PECR contraventions following 25 complaints about unsolicited calls. That initial investigation raised GDPR concerns which the ICO then investigated in parallel, despite having received no GDPR-based complaints (as the processing was invisible).
This serves as a further reminder to organisations to ensure that their data protection and transparency practices are in order and up-to-date, in anticipation of the ICO having cause to ‘lift the bonnet’.
Proactive compliance and privacy by design
The negligence underpinning the GDPR breach was deemed severe, partly because of Easylife’s poor track record with regulatory compliance. Though the ICO noted several remedial measures to stop the profiling, it criticised Easylife’s reactive (rather than proactive) approach to compliance.
Easylife’s use of unlawful processing to gain an advantage over rival businesses and sell products in a targeted manner was deemed an aggravating factor. Additionally, the ICO found that Easylife’s failure to conduct a Data Protection Impact Assessment constituted a failure to comply with Article 25 UK GDPR, once again highlighting the new Commissioner’s prioritisation of privacy by design.
This latest enforcement action should serve as a useful reminder (or possibly a wake-up call) for organisations to ensure that they consider seriously any compliance issues in their high-risk processing (including of SCD) and reflect this processing accurately and comprehensively in information provided to data subjects.