UKLFI: Supporting Israel with legal skills

Amnesty International stunt breached data protection regulations

Ahmed Masoud, a Palestinian playwright based in the UK, has been found to be in breach of data protection regulations following a stunt earlier this year.  He had advertised that a play called “Obliterated” would be performed at Amnesty International’s headquarters on 9 August 2019, starring the actress Maxine Peake, with free tickets through Eventbrite.

However, there never was a play, and the personal information of over 2,500 people who had registered to see the play was misused to send out propaganda on behalf of Masoud and Peake, complaining about a theatre in Gaza that had been bombed by Israel earlier that year. According to Israel, the building was used by Hamas’s interior security unit.

Some of those who had booked tickets through Eventbrite were concerned that Masoud and Amnesty International now had their persona data. UKLFI advised them to complain to the Information Commissioner’s Office (ICO) about the misuse of their personal data in flagrant breach of the Data Protection legislation. Ambrosine Chetrit followed this up and the ICO has now found that Mr Masoud failed to comply with his data protection obligations.

Article 5 of the General Data Protection Regulation sets out key principles regarding the processing of personal data, which mean that data controllers must be clear with individuals about how their personal data will be used and then ensure that they do not then process it in ways those individuals would not reasonably expect.

In addition, the Privacy and Electronic Communications Regulations set out specific requirements regarding electronic direct marketing, including by email. Consent is normally required to send direct marketing to an individual.

The ICO noted that people had provided their personal data, including their email addresses, in order to obtain tickets to the play. This personal data was then used for a different purpose, in that direct marketing promoting a political campaign was sent to people’s email addresses via Eventbrite without their consent.

The ICO informed Mr Masoud of its view of this complaint and provided him with further guidance to aid compliance in any future or other ongoing projects. A record of the case will be kept on file to help inform the ICO’s view of the way Mr Masoud processes personal data. The ICO considered that further action is not necessary at this stage since Mr Masoud no longer has access to the personal data – the event page has been closed and all data has been deleted by Eventbrite.

The ICO also concluded that Amnesty International was not the data controller, hence not itself in breach of the legislation.