Information Commissioner to fine Leave.EU and Arron Banks’ firm for misuse of customer data

Arron Banks - Image credit: Stefan Rousseau/PA Wire/PA Images

Leave.EU and controversial Brexiteer Arron Banks’ insurance company are to be fined a total of £135,000 by the Information Commissioner’s Office (ICO) for misusing customer data during the EU referendum.

Leave.EU and Eldon Insurance will each be fined £60,000 for “serious breaches” of the 2003 Privacy and Electronic Communications Regulations.

It comes just a week after it was announced that Arron Banks is being investigated by the police over the source of a £8m loan to the Leave.EU campaign.

The ICO found that more than a million emails with marketing for Bank’s firm, Eldon Insurance, which trades GoSkippy, were sent to Leave.EU subscribers without their permission.

Leave.EU will also be fined a further £15,000 for sending 300,000 emails to Eldon Insurance customers containing a Leave.EU newsletter.

Eldon has been issued with an enforcement letter by the ICO, which will follow it up with a further audit.

The ICO said: “We are investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU.

“We are still considering the evidence in relation to a breach of principle seven of the DPA1998 [Data Protection Act 1998] for the company’s overall handling of personal data.

“A final decision on this will be informed by the findings of our audit of the company.”

The details of the fines are included in a report on the use of personal data in political campaigns, which has been presented to MPs today.

In the report, the ICO said it was also looking at how the Remain campaign handled personal data and considering whether there had been any breaches that would require further action.

Information commissioner Elizabeth Denham said the ICO had had “little idea of what was to come” when it began its investigation into the use of data analytics for political purposes in May 2017.

The investigation had uncovered a “disturbing disregard for voters’ personal privacy” and “significant issues, negligence and contraventions of the law”, she said.

The report mentions concerns about political parties purchasing marketing lists and using profiling information and third-party analytics companies without checking that proper consents are in place.

It notes that warning letters requiring action have been sent to the 11 main political parties in the UK ahead of planned audits later this year.

Parties will be required to show they have carried out data protection impact assessments for all projects involving the use of personal data

Earlier this year, the ICO issued Facebook with the maximum penalty of £500,000 fine for breaking data protection law, and it is pursuing a criminal prosecution against Cambridge Analytica, which has gone into administration, for failing to respond to an enforcement notice.

Canadian company AggregateIQ, which was linked to the Facebook and Cambridge Analytica scandal, was issued with an enforcement notice in July requiring it to stop using UK personal data or risk a significant fine under EU GDPR rules.