
Labour – and Starmer/Evans – face £17.5 million fines for data breach

Huge numbers affected make a heavy fine likely if party found culpable

The Labour party – and both party leader Keir Starmer and David Evans as its general secretary – could easily face fines of up to £17.5 million under ‘GDPR’ data protection laws after Labour’s massive data breach this week, in which the ‘sensitive’ information of hundreds of thousands of members was leaked and seized by criminals, if the party is held responsible for the leak.

The fines would be even more likely to be high because many of the members affected had left the party, some as long as years ago, so Labour would have to justify why it was still holding their information when under GDPR it should have been promptly erased from the party’s systems.

Even worse, some of those affected say that after they left the party they specifically asked for assurance that their data had been removed in accordance with the law – and were told that it had been done, yet they were still victims of the data breach and the party still had their email addresses on file to contact them after the breach came to light.

The party should have retained no information at all, yet still had data that was leaked and the means to contact the affected former members.

Worse still, some recipients of Labour’s email about the data breach say the messages were sent to work email addresses that had never been disclosed to the party, raising serious questions about how the party came to have that information.

Some have said that the party was subject to a firm limit on how long data should be retained, but the GDPR rules do not set a hard deadline. However, the party would be hard pressed to explain why it had kept the information of members who, in many cases, had resigned their membership years ago.

Labour has lost as many as 200,000 members compared to its peak since Keir Starmer became party leader, so the number of people affected whose data Labour should not have had is enormous. Add to that some 300,000 current members whose privacy has also been breached and there could easily be half a million victims of the party’s decision to outsource data to a private contractor.

If the Information Commissioner’s Office (ICO) decides that Labour did not fulfil its obligations in terms of data deletion and due diligence on outsourcing, the party faces a fine of up to £17.5 million, as GDPR laws stipulate a maximum of whichever is the greater of £17.5m or 4% of turnover. So far, the biggest fines issued under GDPR laws include:

  • Amazon – €746 million ($877 million)
  • Google – €50 million ($56.6 million)
  • H&M – €35 million ($41 million)
  • TIM – €27.8 million ($31.5 million)
  • British Airways – €22 million ($26 million)

Little is currently available on why Amazon faced such a huge fine, but Google was fined simply for not being sufficiently transparent and not obtaining sufficient consent in how personal data was processed for advertising purposes. A fine for knowingly holding onto data it should not have had and then losing it to criminals could hardly be less severe in relative terms, so a fine at or near the maximum would be likely – a sum well beyond the ability to pay of a party that is already near bankruptcy. GDPR rules mean that:

Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred… can increase the penalties.

And that leaves Labour’s general secretary David Evans – along with members of the party’s national executive – in the firing line, because under law they are personally liable for any debts the party is unable to pay.

In 2008 under then-leader Gordon Brown, financier David Pitt-Watson declined the position of Labour general secretary specifically because his lawyers advised him that his wealth was at risk if he accepted the position – and Labour was facing a financial crisis.

The conclusion of lawyers was also clear that Gordon Brown – as Labour’s leader at the time – could also be held personally liable, meaning that Keir Starmer would be in the same position now.

It would be ironic if the Labour right’s massive gerrymandering in the run-up to September’s annual conference to secure Evans’s confirmation puts him in line for the brunt of punishment arising from the Labour right’s arrogance or incompetence in its treatment of members and their privacy.

More ironic still if Keir Starmer’s tactics to avoid revealing the wealthy backers who contributed to his leadership campaign until after the contest concluded put him in the same position – and if his and Evans’s war on the left driving members out of the party increased the scale and scope of the breach and the resulting fine.

Labour needs to come clean immediately about exactly what has been leaked, exactly which company had been given members’ data and exactly how many members are affected.

The breach also has huge relevance for the party’s practices of using members’ social media history and private group comments against them, which has involved admitted data trawling and the use of the party’s member management systems to find anything that could be used to suspend or expel members the party’s current regime considers undesirable. Analysis of that will be published in a subsequent article.


33 comments

  1. > The breach also has huge relevance for the party’s practices of using members’ social
    > media history …

    Well EXACTLY!!!!

    and who is responsible for the trawling of the media to obtain “evidence” concerning
    breaches of Party Rules enacted years after some ancient social media post ..
    ? ?

    Our genuine Israeli spy that’s who ..

    All I can say is – when Karma strikes she does so in a very interesting way ..

  2. “The breach also has huge relevance for the party’s practices of using members’ social media history and private group comments against them, which has involved admitted data trawling and the use of the party’s member management systems to find anything that could be used to suspend or expel members the party’s current regime considers undesirable”
    Of course. I jokingly claimed they’d kept the data to ‘ghost’ as numbers of a rapidly decreasing membership. The truth is much worse. We’re marked for life. Blacklisted?
    Evil bastards.

  3. So now we also know or can reasonably conclude that the recent request sent out to CLPs concerning details of properties held, had a sinister purpose.

  4. And to add to unkosher practices, before this year’s May elections LP offered to help people complete voters registration as well as getting people to register for postal vote (early votes). I raised my concerns and surprise at this in an email with the Chair, because getting people registered to vote was a campaign councils up and down the country did in September/October 2019. And I should know as I pounded the streets in Halifax with the purpose of getting people registered to vote (one way of legally earning a little pocket money).
    My concern was and is that this campaign to sign people up for early votes (postal votes) might also have been a convenient means to harvest additional personal data.

  5. It’s worse. Not only were they offending against former members, they were holding the data / information of law-abiding members of the public, without permission, i.e. people like me, who’d never been members. How long had they held the data / information? How long were they going to hold it? For what purpose were they holding it? Did they know they were breaking the law in holding it?

    So the advice from the data experts whether you were a member or not is to lodge a Subject Access Request to discover whether they were holding it, and if so, to what extent.

    https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/preparing-and-submitting-your-subject-access-request/

    My own advice would be if you discover they were holding it and they admit to holding it, then mount a legal case against them for redress.

    You have nothing to lose and everything to gain. If thousands of us are to be recompensed, it could be an opportunity for you to play your part in sending these clowns into receivership.

    The only problem I see is that the UK establishment and media, along with the current government NEED Starmer and his party of clowns to exist and to keep losing elections in order to continue playing the two-party charade that keeps so many members of the public distracted and pre-occupied.

    The psychopaths at the top level would be likely to meddle and interfere in order to limit any damage.

    1. I was a victim of a data breach in 2017. I still receive emails from a monitoring company informing me if anything suspicious has happened to my private information. What was worse I didn’t even know who this other company was who’d got hold of my personal details.
      I now fear the same thing will happen again.

      Under new management and a safe pair of hands. Don’t make me laugh. This is all the fault of the party outsourcing members’ details without their consent. No doubt as already pointed out to trawl members’ social media to find ‘incriminating’ evidence against them. What a shower of despicable people we have running the party.

      If fined by the ICO I wonder who’ll bail them out now. Be aware comrades don’t be surprised if the leadership have the audacity to send those affected an email begging for contributions towards eff up.

    2. Surely if Labour are sending out emails saying our data has been breached then it’s proof?

  6. It strikes me as very odd that members/ex-members were contacted at work email addresses which had never been provided to the party. I am not into conspiracy theories but this very much indicates that “Big Brother is watching you” – not so much Orwellian as Stalinist in this case. Therefore I am really looking forward to Skwawkbox’s promised article on the legality or otherwise of the Party trawling of members’/ex-members’ social media to obtain information about them – as far as I can see that is the only place Southside could have obtained the email addresses which it retained and stored along with who knows what other personal data – education, friendships, charities supported etc. Scary stuff.
    I am also very angry that without my knowledge or consent my bank account details were passed to a third party whose inadequate security was breached and as a result these details are now probably in the hands of criminals. I think that there is no doubt that in passing this information about me and hundreds of thousands of others in the way that it did the party acted illegally.
    Finally I hope the Information Commissioner goes to town on the party for this – we all already knew that Starmer and Evans are a total disgrace. Now we know that they are completely incompetent as well.

  7. Oh dear, disaster, although to save Labour it has to be destroyed in its present form.

    1. And there in a nutshell is the problem why the Labour party exists to do the damage to the working-class movement. Who’s going to clean up the Labour party Holby fan for you and others? I will with others destroy the Labour party and will be using a bottom feeder to do it, which in my opinion is poetically justifiable and for the good of the former members they destroyed.

  8. This whole thing is all the more incredible given new Labour’s managerialist ethos and security obsession. They were so sure the public would warm to their suited/booted, we’re back in charge, highly competent career professional image that they expected to win elections by default of not being Corbyn.
    What an utter mess they’ve made.

    1. Thing is, the billionaires’ (‘free’) press isn’t going to tell the public that Starmer’s a dud. He’s serving the same agenda they do – de-naturing Labour and destroying its electability.

  9. We need advice as to suing these bar stewards! A Liverpool solicitor has already offered to make a claim on a no win no fee! We could all do with help as to what we do next! I’m very very worried about my data as well as my bank details phone numbers! I resigned after redacted report was published!

  10. It’s hard to know which is the greater, their corruption or their incompetence. Starmer says Johnson is leading his party through the sewer; he has taken up residence their. Rats. Time to set the baited traps. And as for Angela Rayner as potential leader – the Rayner who said if they needed to expel thousands of members, they would? she has neither principle nor astuteness but is full of the sense of her own importance. She can’t stop talking about herself and runs on like a busted tap. Put your faith in her and you’ll be disappointed. But your faith in the people, not go-getting leaders.

  11. Corrections: there not their/ She has neither/ Put your faith. Sorry, it’s early on Sunday morning.

  12. In a system in which the majority, if not all, of those in control are a bought and paid for front for corporate lobby interests corrupting both values and the demos fines will simply be paid for using some opaque slush fund to keep the wheels on the Laurel and Hardy farce of a system that passes for democracy.

    Serious root and branch prison time is required right through the organisation.

    1. David, good one. Let’s see how they like private nicks and their food and rehabilitation.

    1. Sorry. 75% owned by Evans’s wife. He gave her ownership when he became GS. The party should have known better. Evans’s name is dirt in Croydon.

  13. Is there a group of disgruntled ex or current labour members who want compensation from the party for allowing third party organisations access to personal details that they have since had hacked? If so, could anyone give details. I heard that maybe a firm of lawyers in Liverpool might take up the case. Anyone else heard this? Please advise if there is any crowd funding that we can contribute to in order to take Labour party (under Starmer) to court?

  14. One of my offspring has just contacted me. According to many people on Twitter, apparently the email has disappeared from their inbox! They checked it, and sure enough, it had disappeared. FORTUNATELY they had forwarded a copy to me, and so their copy was in their “sent” folder, and of course, I have a copy, which will be kept in both computer and hard copy.

    I’d be interested to hear from others ………………
