
A hefty fine
At least such a hefty fine will act as a strong deterrent to others not to flout the rules
I wonder if they still have the marketing database and where they will use it next?
The UK's data watchdog has fined a company £8,000 for sending 84,000 direct marketing emails without consent to people who had provided their personal data for contact tracing purposes. The Reg readership will have no problem in calculating this in their heads but for anyone feeling a bit slow today, that's just over 9.5 pence …
At least such a hefty fine will act as a strong deterrent to others ...
I see what you're doing. =^P
Seriously now:
It is quite evident that the only way to get this sort of behaviour to stop is to take draconian measures, of the sort these outfits will not be able to recover from.
Because, yes, they still have the databases and will be selling them on.
The UK's data watchdog should heavily fine the company responsible for this scam as well as the outfit/s on whose behalf they were made, i.e. the end beneficiaries of said scam.
And don't just fine the company/ies: fine all the members of the board at the companies involved, from CEO down.
Any other action by the authorities is, as has long ago been demonstrated, utterly useless.
O.
Yes. Fining a fly-by-night company a trivial amount of cash that they probably won't even bother to pay is pretty much the definition of ineffectual.
There has to be a sanction on the end users of dodgy data acquisitions, removing their impunity, and on the individuals responsible for doing the acquiring for an ICO to have any effect.
Lock them in a room. Subject them to Vogon poetry for the next two weeks without pause. Hose the quivering blobs of exploded flesh down the drain. Punishment done. =-D
I first considered forcing them to listen to me play the bagpipes to be the punishment, but then I remembered it's on My Skippy's List. Damn that list. =-J
They can't fine the Board members, there is no personal liability under PECR if it's a Company sending the messages.
While the current IC is a waste of space you can't blame her for the failings of central government and the fine regime they put in place for a particular piece of legislation.
It appears ICO operates now a stunningly effective '2-strike policy': a gentle pat that's worth 8K, but maybe, just maybe, gets paid, and a large slap, which folds the company (which promptly re-unfolds itself in no time), in which case, no money at all, as no real tools to effectively extract this money. I wonder if they learnt from the Middle East context (re. Israeli 'roof tapping')?
p.s. I'd love to see a simple chart: ICO total yearly - expenses, on one side, v. ICO total yearly - fines RECEIVED.
It would appear that it faced no difficulty in hoovering up email addresses and then deciding to "inform" said people of a "special opportunity".
Don't come crying that you don't know how to handle someone who registers twice and only consents once. You should have a procedure on how to handle that, it's nothing technical.
I think the ICO was rather lenient on this matter. It seems obvious to me that TML's intent was to get consent using a purposefully vague definition of marketing "materials", which consent it could then use as it pleased to "accidentally" email 80K+ people.
You don't accidentally email tens of thousands of people based on a misunderstanding.
This was the plan, and it will happen again.
So, who still thinks that the NHS sharing patient data with 3rd parties is a good thing? Outside of NHS management, obviously.
Whilst I don't disagree with your point I came here full of the same piss and vinegar only to discover reading between the lines that these guys had effectively set themselves up as a MITM generating QR codes to be passed along to the NHS.
So this was essentially a MITMA *on* NHS Track and Trace not *by* Track and Trace. I leave it to the reader to decide if the enabling of a MITM is a deliberate action by the Govt to enable some arms length Pork Barrelling.
They tick all the boxes; First they're trying to "monetize" data they've collected under a false excuse, then they simply "misunderstand requests from people to no longer receive marketing comms", (ie they simply ignore those requests). This was clearly an operation to create a nice fresh marketing database, and those £8000 are just operational costs.
That's why I don't ever give my data anymore, even if I'm promised it will save baby seals or cure cancer: I've been around long enough to know it only will serve to spam me silly.
Try getting your ID card in Germany for a laugh.
Not only are the poor people on the other side of the counter obliged to hand you a glossy paper, glorifying anything "online" about that NFC chip in your ID card, they also have to make you sign that you received the marketing paper.
On top of that, the marketing paper that encourages you to imprint your fingerprint into the chip and to "enable online functionality" not only threatens you with additional fees, should you choose not to "enable" your ID card immediately but decide to do that later, they also tell you that throwing your ID data through anything internetty* ensures that you know who has access to your most personal information and credentials.
At least that point is right, as the answer is: "everyone and his dog".
So it's not only shady "consent" scammers, the German state also operates likewise.
*(If you decide to invest around 120 Euros to buy a state approved ID card reader AND manage to find any state institution that not only has a working online platform but also allows you to do anything useful with your "enabled ID", you will still have to wait several days to whatever long time it takes until the official papers have been sent back to you via the appropriately named snail mail...)
The ICO ought to be able to recognise a disingenuous, cynical abuse of members of the public's information. They're not children.
They ought to be aware that people signing in to a venue do not routinely ask to be sent marketing information and so realise that any marketing consent that is incidental to or included with the purpose of a specific consent is a breach unless there is clear evidence otherwise, e.g. a separate agreement with words to the effect "I also wish this organisation to send me their marketing".
It's not unreasonable. Some restaurants, for example, will ask you to sign up for "Information and special offers". It's up front, it's clear and it's specific -- rather than a general agreement that they can send you any kind of crap from any source they choose to be involved with.
> The ICO ought
So true, a pity I can only upvote you once.
Since the only logical explanation (the ICO is staffed by terminally ingenuous people of below average intelligence) doesn't really stand, what's happening here? Corruption? Lack of interest? Impotence? Despondency? My money is on the latter: They know they're fighting a forest fire with just a glass of water and a handkerchief, so they just go through the motions.
(Icon about what they'd really need.)
"The commissioner asked this complainant to provide further details of any complaint that they had made to TML directly."
This is the most infuriating thing about the way the ICO works. An organisation has misused your data; why on earth should it be up to you to follow-up with the dodgy organisation (potentially risking further data misuse in the process, now that you have put your head above the parapet, and at the very least probably continuing to receive spam while you wait for them to get around to replying), that's what the watchdog is supposed to be for, for it to take action on your behalf, with the full force of the law and the state behind it.
This whole sleazy affair shows exactly why "spam me harder" should always be opt-in consent, and never opt-out, and that sleazy "implied consent through existing relationship" loophole (a relationship which does not previously exist before you fill in the form, stretching the truth beyond breaking point) should never ever have been allowed.
The establishment doesn't care. That's been obvious for at least a decade now.
Anyone who still believes in the integrity of our governance needs to have a closer look at how the world has changed for the worse.
Expecting a government, whose individual members live large on their portfolio incomes, to do something about curtailing the profits of those portfolios, is asking a little too much.
Better that the government is made up of lottery losers - Every four years, 646 names get picked out from the entire population, and they are forced to run the nation on our behalf.
"to take action on your behalf"
Ultimately it is supposed to, but only after you've given the other party an opportunity to redress the wrong first. I'm not a lawyer but that would appear to be a basic principle of tort law.
However this report from NOYB about a supervisory authority's response to complaints (admittedly in the EU) is rather troubling. I've experienced something that seemed rather similar on occasion here in the UK.
£8K is a joke.
By now every business should understand and be able to implement the basics of data protection, no excuse.
I mean, our community caffi has been using paper T&T forms (several thousand to date) and after 3 weeks they come to me to be incinerated (without adding email addresses to a spreadsheet).