Huge numbers affected make a heavy fine likely if party found culpable
The Labour party – and both party leader Keir Starmer and David Evans as its general secretary – could easily face fines of up to £17.5 million fines under ‘GDPR’ data protection laws after Labour’s massive data breach this week, in which the ‘sensitive’ information of hundreds of thousands of members was leaked and seized by criminals, if the party is held responsible for the leak.
The fines would be even more likely to be high because many of the members affected had left the party, some as long as years ago, so Labour would have to justify why it was still holding their information when under GDPR it should have been promptly erased from the party’s systems.
Even worse, some of those affected say that after they left the party they specifically asked for assurance that their data had been removed in accordance with the law – and were told that it had been done, yet they were still victims of the data breach and the party still had their email addresses on file to contact them after the breach came to light:
The party should have retained no information at all, yet still had data that was leaked and the means to contact the affected former members.
Worse still, some recipients of Labour’s email about the data breach say the messages were sent to work email addresses that had never been disclosed to the party, raising serious questions about how the party came to have that information.
Some have said that the party was subject to a firm limit on how long data should be retained, but the GDPR rules do not set a hard deadline. However, it would be hard pressed to explain why it had kept the information of members who, in many cases, had resigned their membership years ago:
Labour has lost as many as 200,000 members compared to its peak since Keir Starmer became party leader, so the number of people affected whose data Labour should not have had is enormous. Add to that some 300,000 current members whose privacy has also been breached and there could easily be half a million victims of the party’s decision to outsource data to a private contractor.
If the Information Commissioner’s Office (ICO) decides that Labour did not fulfil its obligations in terms of data deletion and due diligence on outsourcing, the party faces a fine of up to £17.5 million, as GDPR laws stipulate a maximum of whichever is the greater of £17.5m or 4% of turnover. So far, the biggest fines issued under GDPR laws include:
- Amazon — €746 million ($877 million)
- Google – €50 million ($56.6 million)
- H&M — €35 million ($41 million)
- TIM – €27.8 million ($31.5 million)
- British Airways – €22 million ($26 million)
Little is currently available on why Amazon faced such a huge fine, but Google was fined simply for not being sufficiently transparent and obtaining sufficient consent in how personal data was processed for advertising purposes. The scale of a potential fine for knowingly holding onto data it should not have had and then losing it to criminals could hardly be less severe in relative terms, so a fine at or near the maximum would be likely – a sum well beyond the ability of a party to pay that is already near bankruptcy. GDPR rules mean that:
Among other things, intentional infringement, a failure to take measures to mitigate the damage which occurred… can increase the penalties.
And that leaves Labour’s general secretary David Evans – along with members of the party’s national executive – in the firing line, because under law they are personally liable for any debts the party is unable to pay.
In 2008 under then-leader Gordon Brown, financier David Pitt-Watson declined the position of Labour general secretary specifically because his lawyers advised him that his wealth was at risk if he accepted the position – and Labour was facing a financial crisis:
The conclusion of lawyers was also clear that Gordon Brown – as Labour’s leader at the time – could also be held personally liable, meaning that Keir Starmer would be in the same position now.
It would be ironic if the Labour right’s massive gerrymandering in the run-up to September’s annual conference to secure Evans’s confirmation puts him in line for the brunt of punishment arising from the Labour right’s arrogance or incompetence in its treatment of members and their privacy.
More ironic still if Keir Starmer’s tactics to avoid revealing the wealthy backers who contributed to his leadership campaign until after the contest concluded put him in the same position – and if his and Evans’s war on the left driving members out of the party increased the scale and scope of the breach and the resulting fine.
Labour needs to come clean immediately about exactly what has been leaked, exactly which company had been given members’ data and exactly how many members are affected.
The breach also has huge relevance for the party’s practices of using members’ social media history and private group comments against them, which has involved admitted data trawling and the use of the party’s member management systems to find anything that could be used to suspend or expel members the party’s current regime considers undesirable, but analysis of that will be published in a subsequent article.
SKWAWKBOX needs your help. The site is provided free of charge but depends on the support of its readers to be viable. If you can afford to without hardship, please click here to arrange a one-off or modest monthly donation via PayPal or here to set up a monthly donation via GoCardless (SKWAWKBOX will contact you to confirm the GoCardless amount). Thanks for your solidarity so SKWAWKBOX can keep bringing you information the Establishment would prefer you not to know about.
If you wish to republish this post for non-commercial use, you are welcome to do so – see here for more.