school ico

Why schools should take note of ICO “EE” fine.

ICO Fines EE £100,000 for combining service messages with marketing

The practice of including marketing and fundraising messages within other essential school communications, such as a school newsletter, has just become a lot riskier.

On 24th June, the ICO fined “EE” £100,000 for sending over 2.5 million direct marketing messages to existing customers, without consent. The messages encouraged customers to use the ‘My EE’ app but, also to upgrade their phone. Read details here.

EE argued that the communications were “service messages” and not direct marketing. The ICO disagreed and said this:

“These were marketing messages which promoted the company’s products and services. The direct marketing guidance is clear: if a message that contains customer service information also includes promotional material to buy extra products for services, it is no longer a service message and electronic marketing rules apply.

“Companies should be aware that texts and emails providing service information which also include a marketing or promotional element must comply with the relevant legislation or could face a fine up to £500,000.”

EE was not fined under the GDPR but under the Privacy and Electronic Communications (EC) Regulations 2003 (PECR). PECR, regulates the sending of unsolicited direct marketing messages by email, text, phone and fax. The term “marketing” is interpreted broadly to include fundraising messages. In general terms, PECR provides that sending unsolicited marketing via electronic means, usually requires an individual to specifically consent.

Why is this case important for schools?

Under the GDPR, sending individuals essential school communications, via email, can usually be legitimised on the ground that it is necessary for the school’s legitimate interests. Consent is usually not required. However, where those messages include unsolicited direct marketing, PECR will also be engaged. The concept of “legitimate interests” has no relevance under PECR because consent is required in any event.

Those schools which have “held off” from insisting on consent for electronic marketing or “tag on” marketing and fundraising messages to other school communications such as newsletters, must now reassess the risks.

The ISBA Data Protection Health Check Service not only measures your school’s compliance with the GDPR, but also PECR. For more information see here.

privacy shield

Standard Contract Clauses and Privacy Shield in Jeopardy

Landmark European Court of Justice ruling could “take out” Standard Contract Clauses and Privacy Shield

If, like most organisations you transfer personal data outside the EEA, (think about your Facebook page, Twitter account, Dropbox, Apple, Mailchimp etc.) a legal case with a familiar backstory could end Privacy Shield and the EU Standard Contract Clauses. (SCCs). Privacy Shield and SCC’s are the two most popular GDPR safeguards used as a legal basis to transfer personal data to countries outside the EEA. And, the chances are, that many organisations will be relying on one or both of these mechanisms in order to tick the GDPR rule that restricts transfers of personal data outside the EEA.

On 9th July, the CJEU heard a claim that SCCs are invalid because they fail to prevent U.S security bodies from accessing personal data transferred to the U.S. (A similar argument led to Safe Harbor being disgraced and replaced with Privacy Shield. Remember?)

In evaluating the clauses, the CJEU will no doubt be scrutinising Privacy Shield too.

The fact that SCCs apply to most international transfers, and not just to the U.S, is a point which has not eluded us all. If successful, the claim will spell massive disruption (again) to the transfer of personal data worldwide. A ruling is expected in 2020.

We will be keeping a close eye as the judgement will affect many businesses.

Paula Williamson, Solicitor at The Information Law Practice


iLP contribute to a major new publication on FOI

iLP contribute to a major new publication “Freedom of Information in the UK” (FOI) by Sue Cullen. Published by Sweet and Maxwell

iLP is proud to be associated with the new title “Freedom of Information in the UK” by Sue Cullen of Amberhawk.  Paula Williamson, a solicitor with iLP, has written the chapter on dealing with vexatious and repeated requests under FOI law.

At 1350 pages long, this is a definitive reference book for all practitioners and solicitors in England, Wales, Scotland and Northern Ireland that deal with freedom of information and access to environmental information law.

Full details available at:-

See our Freedom of Information training page here.