Stop Junk Mail

The GDPR and UK GDPR


The Data Protection Act 2018 is the UK's implementation of the EU's General Data Protection Regulation, which came into force on 25th May 2018. The DPA 2018 sits alongside the UK GDPR, which came into effect after the UK officially left the European Union, on 1st January 2021. As things stand, there are no major differences between the GDPR and the UK GDPR. The UK's data protection framework is likely to see further changes — a Data Protection and Digital Information Bill was introduced in the House of Commons in July 2022 and is still making its way through parliament (the original bill was withdrawn and a similar bill was introduced in March 2023). However, the new bill is unlikely to be a major overhaul.

The GDPR itself wasn't a major overhaul either, at least as far as processing personal data for "direct marketing" purposes goes. In 2012, it looked like the GDPR would pretty much ban unsolicited, personally addressed advertising mail, but by 2014 it had become clear that wasn't going to happen. In the end, the GDPR is just a little more sensible than the Data Protection Directive it superseded. It also introduced a new battleground: there is now much more awareness of the trade in personal data by list brokers such as Experian.

If you don't want to read about all the intricacies, the most relevant change is that it is now much easier to ask an organisation to stop (or not begin) processing your personal data for "direct marketing" purposes. You no longer have to write a formal data protection Notice; simply telling an organisation to stop is sufficient. However, organisations are still not required to acknowledge receipt of your request or to confirm that they have complied with it. In practice, you therefore still need to make your request in writing, so that you can enforce your rights should the junk mailer fail to comply.

Another bonus is that organisations are no longer allowed to demand a fee when you send them a subject access request. That means it is no longer prohibitively expensive to ask junk mailers what information they have gathered about you, where they got the information from and who they have shared it with. This is particularly useful when it comes to list brokers. There are some example letters you can use in the guide to stamping out junk mail.

The GDPR defines six lawful bases for processing personal data. For marketers, two of them are relevant: consent and legitimate interest.

The "consent" basis effectively sets the rules for solicited marketing. This is the type of advertising nobody objects to. If you buy a product or donate money to a charity and you actively opt in to receiving advertisements from the organisation then everybody is happy (and if you regret your decision then you can of course always withdraw your consent).

As you would expect, the consent bar is quite high. This is how Article 4(11) of the GDPR describes "consent":

'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

If a junk mailer uses consent as the legal basis for processing your personal data then they need to be able to demonstrate exactly how and when you gave your consent — the burden of proof is on them. The usual tricks, such as using marketing opt-out boxes or pre-ticked opt-in boxes, are not allowed. Junk mailers can still sell your personal details to third parties when using consent as the lawful basis, but they have to be upfront about this. Simply stating that your personal details may be shared with "carefully selected third parties" won't cut it. They have to specify exactly who the third parties are.

The legitimate interest basis

Junk mailers and list brokers typically rely on the legitimate interest basis. This is a bit of a catch-all basis. Article 6(1)(f) defines "legitimate interest" as follows:

Processing shall be lawful only if and to the extent that at least one of the following applies:

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

There are lots of reasons why an organisation might use legitimate interest as the basis for processing personal data. Banks, for instance, process personal data to detect and prevent fraud. That clearly is a "legitimate interest" and it wouldn't make sense for a bank to ask its customers whether or not it is okay to process their personal details as part of its fraud prevention activities. Most customers would expect their bank to try to prevent fraud, and the data processing doesn't interfere with any fundamental rights and freedoms.

The important thing to note, though, is that the "legitimate interest" can be pretty much anything — including "direct marketing". The ICO guidance states that legitimate interest could in principle apply to any type of processing for any reasonable purpose.

It is up to the data controller to decide whether or not its interests are outweighed by the fundamental rights and freedoms of the data subject. They can't just say: "yeah, that should be fine" — they need to undertake a so-called legitimate interest assessment. Often, this involves compromises. The above-linked ICO guidance has an interesting example: Traingate. In 2016, Jeremy Corbyn claimed he had to sit on the floor on a "ram-packed" train and used footage of him sitting on the floor to make the case for the nationalisation of train companies. The train operator subsequently released CCTV footage of Corbyn walking past empty seats on the train. Releasing the footage is a legitimate interest, but the train operator also has to respect the privacy of the passengers who were filmed. To do so, they blurred the faces of the other passengers. In other words, there is a balance to be struck when using the legitimate interest basis.

The balance

There is a similar balance when it comes to junk marketing. The general consensus is that sending junk mail is a legitimate interest. If you give a company your personal details when you buy a product or service then you can reasonably expect the company wants to use those details to send you ads, and when you donate money to a charity you can bet your life they will send you begging letters asking for more money. Personally I think that is wrong — as far as I am concerned all postal advertising should be solicited — but the vast majority of the populace has accepted unsolicited marketing as a legitimate economic activity.

At the same time there is a general understanding that there are people like me (and hopefully you) who don't want organisations to use their personal data for unsolicited marketing. Some people simply want to buy things and/or donate money without being prompted by marketers. Striking a balance between these two competing interests seems easy enough. As long as the data subject has an easy and effective way to prevent their personal data from being used for "direct marketing", there shouldn't be too much of a problem. And the GDPR has somewhat improved things. Hiding marketing opt-out boxes, for instance, is no longer allowed.

This seems reasonable. However, this isn't quite the balance that was struck. If the same company or charity you dealt with wants to sell your personal data to a list broker then that is perfectly fine as well. They do need to give you an option to opt out, but they don't have to be upfront about how your personal data will be traded; that information may be hidden in a privacy policy. In other words, the general consensus appears to be that you can reasonably expect that a company will sell your personal data to third parties.

The working party has opinions

As said, when the first drafts of the GDPR were published, in 2012, it looked like the rules around junk marketing would be tightened, to the point where it was unclear whether or not marketers could use any basis other than consent. Within the junk mail industry there was real concern that unsolicited marketing would be banned. For instance, in January 2012 the DMA published an article with the title "How the EU Data Protection Regulation could affect you and your business" that presented its members with this horror scenario:

The new Regulation doesn't go as far as heralding a comprehensive opt-in only regime for direct marketing — but it comes close. The current proposal demands that companies would have to obtain explicit consent from consumers by 'clear statement or affirmative action' to use their data for marketing purposes. While companies wouldn't necessarily have to get consumers to tick an opt-in box, they won't be able to take for granted that consumers consent to receiving marketing information — even if they have had previous interaction with them.

Just imagine a world in which junk mailers wouldn't be able to take for granted that consumers consent to receiving marketing information!

The junk mail industry, including list brokers such as Experian and Equifax, fiercely lobbied for "direct marketing" to be recognised as a legitimate interest, and they won. By 2014 the dust had largely settled. For instance, an opinion on the notion of legitimate interests by the EU Data Protection Working Party included "conventional direct marketing" and "unsolicited non-commercial messages" in a list with common examples of legitimate interest. They also explained where they drew the line:

To illustrate: controllers may have a legitimate interest in getting to know their customers' preferences so as to enable them to better personalise their offers, and ultimately, offer products and services that better meet the needs and desires of the customers. In light of this, Article 7(f) may be an appropriate legal ground to be used for some types of marketing activities, on-line and off-line, provided that appropriate safeguards are in place (including, among others, a workable mechanism to allow objecting to such a processing […]).

However, this does not mean that controllers would be able to rely on Article 7(f) to unduly monitor the on-line or off-line activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes, and create — and, for example, with the intermediary of data brokers, also trade in — complex profiles of the customers' personalities and preferences without their knowledge, a workable mechanism to object, let alone informed consent. Such a profiling activity is likely to present a significant intrusion into the privacy of the customer, and when this is so, the controller's interest would be overridden by the interests and rights of the data subject.

The last paragraph talks specifically about list brokers such as Experian and Equifax, and it suggests such companies would no longer be allowed to collect personal data about millions of people from various sources with the aim of selling the data to advertisers. It does leave some wiggle room, as it is not clear what is meant by "without their knowledge" and "a workable mechanism to object". Specifically, does a person have "knowledge" and "a workable mechanism to object" if a company gives the person the option to tick an opt-out box and provides a link to a privacy policy that explains that personal data is used for profiling?

In 2014, the working party stated that free, specific, informed and unambiguous 'opt-in' consent should be required for tracking and profiling for purposes of direct marketing, behavioural advertisement, data-brokering, location-based advertising or tracking-based digital market research. However, by 2018 its opinion had somewhat shifted. The party's opinion on automated decision-making and profiling acknowledged that profiling is allowed if it is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, provided they carry out a balancing exercise to assess whether their interests are overridden by the data subject's interests or fundamental rights and freedoms. In other words, profiling is fine as long as a legitimate interest assessment has been done and people have the option to opt out.

This opinion was accepted. The final version of the GDPR states that legitimate interest can be used as the legal basis for both unsolicited marketing and profiling by list brokers. The ICO's guidance for organisations states that marketers need to be careful when it comes to, for instance, profiling data on children, and reminds companies that people have a right to opt out, but other than that there are no restrictions. In fact, my friends at the DMA must be delighted with the assurance the ICO gives to marketers:

The UK GDPR isn’t designed to stop you from running your business or promoting your products and services.

The new frontier

In the last few decades the trade in personal data has exploded. Social media companies collect enormous amounts of data about their users; list brokers build gigantic profiling databases; and nobody even frowns when a website tells you it wants to share your data with hundreds of "partners". We have become used to blindly accepting privacy policies, and we accept surveillance cameras with facial recognition technology in public spaces as a fact of life. Privacy seems a thing of the past — almost. Because there are of course still plenty of people who don't want to share their whole life with marketers.

Over the same period, data protection legislation has somewhat helped those people who still value privacy. Unfortunately, legislators have been reluctant to restrict the freedom of large data brokers. As we have seen, they almost did it, but in the end they gave in to the marketing industry's lobby. Data brokers can still do pretty much whatever they want, as long as they can argue that it is in their "legitimate interest".

It seems fairly likely that data brokers will face further scrutiny. The Data Protection and Digital Information Bill won't restrict the industry in any meaningful way — if anything it will go in the opposite direction, as the government seems to think exploiting personal data is good for the economy. However, pendulums do still swing. There is still a strong case against allowing data brokers to rely on the legitimate interest principle. The very fact that most people have no idea what personal information is being traded is deeply problematic.

The sheer volume of personal data marketers hold is equally troubling. Data breaches — another thing we have become accustomed to — are increasingly common. And when a Chinese company holds lots of personal data, politicians suddenly tend to become rather nervous (think TikTok), without being able to explain why similar concerns shouldn't apply to, for instance, Meta (the owner of Facebook, Instagram and WhatsApp, among others). Can we trust any company that holds so much data to do the right thing?

In other words, data privacy is still very much a hot topic. The GDPR has settled the debate for now, and the pursuit of economic growth is likely to benefit data brokers, at least in the short term. But it is an issue that is bound to return to the political agenda — and when it does, the legitimate interest basis used by list brokers will be debated again.