The Whole Truth

A couple of days ago, the training company IT Governance reported that the Information Commissioner’s Office had banned Keith Hancock, director of a Manchester lead generation company, from being a company director for four years. The ICO had previously fined the company (Lad Media), and this was the follow-up. All good stuff, you might say, perhaps even a riposte to those awful people who say that the ICO never does anything. Except it isn’t true. The ICO didn’t ban anyone because they don’t have the power to do so. The action was taken by the Insolvency Service with the ICO’s assistance. Weirdly, the IT Governance’s scribe used quotes from the Insolvency Service’s press release without either reading or understanding what it said.

UPDATE: demonstrating the lack of class that is ITG’s hallmark, the story has now been updated without any reference to the fact that it had been wrong, or that they needed me to correct them. This is what it used to look like:

Screenshot 2019-02-15 at 20.04.11

I don’t expect IT Governance to get things right (their sales director once claimed that there had been GDPR fines of 6.2 billion against Facebook and Google), but you’d hope for higher standards from, say, the chairs of four Parliamentary Committees, right? Right? A week or so ago, a distinguished group of Parliamentarians (and Damian Collins) wrote to Jeremy Wright, Secretary of State for Culture, Media and Sport as part of a campaign to change the way the ICO is funded. The idea is that the ICO would get to recover the costs of its investigations from those found to be in breach of Data Protection law, and has been promoted by the Durham-based marketer Russell James. I think it’s a bad idea – it would require the ICO to record and cost the time they spend on every investigation, it could dissuade organisations from appealing ICO decisions (which is bad for everyone as ICO decisions need to be tested), and even where it was applied, it would see the ICO bogged down in arguments about how much they actually spent.

Leaving that aside, the letter itself is amateurish and inept. Several times, it refers to organisations being “found guilty“, something which only happens in criminal cases, thus ignoring the fact that much of the ICO’s work carried out under civil not criminal law. In similar vein, it refers to “data crimes“, a phrase presumably culled from Liz Denham’s misleading soundbite “data crimes are real crimes” (they’re not). This means that the scope of the letter isn’t clear – are they referring to civil breaches (which aren’t crimes), or are they referring to criminal offences, which in the ICO’s world are usually committed by individuals rather than organisations? I find it hard to believe that Dominic Grieve and Yvette Cooper would sign a letter than hadn’t been properly thought out, but as it turns out, they signed a letter that hadn’t even been proof-read. The penultimate paragraph includes a sentence that plainly has words missing “To strengthen the enforcement mechanism, and thus provide maximum credibility to the ICO should be able to recoup the costs of investigations…“, and most damning of all, it opens by describing the ICO as the ‘Independent Commissioner of Information’, which as Neil Bhatia pointed out would be make them the ICI, not the ICO.

UPDATE: a commenter below argues that I should not describe them as ‘civil’ breaches; rather, they should be described as breaches of administrative law. Technically, I think this is correct, although the point I was making is that they are definitely not crimes. I have made the entirely avoidable mistake of listening to the Information Commissioner, who describes them as ‘civil monetary penalties’, e.g. here. I will endeavour not to make the mistake of listening to the ICO again.

Here we have senior Parliamentarians putting their name to a letter that is badly written and incoherent, asking for changes to the funding of a regulator they can’t even accurately name. Russell James told me that the letter was drafted by Tom Tugendhat’s office, but it’s plain that nobody involved in its creation knows anything about Data Protection.

Bullshit is everywhere. In the same week as the ICI letter, Privacy International published a piece responding to Will.I.Am’s well-intentioned but counter-productive ideas about monetising personal data to benefit individuals. The piece included several completely false statements, including that fact that Cambridge Analytica had been fined by the ICO, and that Professor David Carroll had successfully sued the company to recover his data. I took this up with them and they attempted to correct the piece, but in doing so, they made it worse. The correction says “A previous version of the piece implied that Cambridge Analytica has been fined for their involvement in this scandal. The piece was updated on 7.02.2019 to make the text less ambiguous.” The problem with this is that the previous version didn’t imply anything: it said explicitly that Cambridge Analytica had been fined, and they haven’t. The correction goes on to say “The company has been fined for failing to respond to an access request by the Information Commissioner’s Office (ICO)”. It hasn’t. The ICO has prosecuted SCL Elections (not Cambridge Analytica) for failure to comply with an enforcement notice. Despite that famous raid, ICO hasn’t fined Cambridge Analytica or SCL, and the chances that they ever will be are roughly equivalent to me being invited to tea with the Commissioner.

You could be forgiven for asking ‘does it matter’? Does it matter that people get things wrong as long as their heart is the right place? Russell James told me repeatedly that it didn’t matter that the MPs’ letter was full of errors; what matters is that the letter was sent and the wheels are turning. It’s true that pedantry and point-scoring are an unhelpful feature of Data Protection discourse. However, there’s a difference between a conversation and a formal letter or article. More importantly, there’s a difference between pedantry and precision. If you’re talking about privacy impact assessments in the context of the GDPR and I correct you to say it’s a Data Protection Impact Assessment, I’m being a dick. We both know what you mean, and my correction adds nothing. If everyone thinks that the ICO fined Cambridge Analytica when they didn’t, it stops people asking questions about why Wilmslow has spent £2.5 million on an investigation that has resulted in a dodgy fine against Facebook and some mediocre PECR penalties on Arron Banks’ ramshackle empire. If MPs don’t understand the laws that they’re signing letters about, how do we know that they’ve scrutinised the campaign that they’re backing?

The problem is, the Commissioner’s Office are as bad as everyone else and sometimes they’re the source of the infection. Last week, the ICO tweeted that they’d fined Magnacrest Housing, when in fact, it was a court that issued the fine. When SCL Elections pleaded guilty to failing to respond to the ICO’s Enforcement Notice, the Commissioner proudly announced that they had taken action against Cambridge Analytica – although admittedly part of the same group, they’re two different companies, and nobody at the ICO wants to be precise about that because Headlines. The Commissioner herself has repeated the ‘data crimes are real crimes’ claim on many occasions, despite the fact that it’s both misleading and an unhelpful over-simplification. Denham endorsed a book she hadn’t read as “authoritative“, describing its author as someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR” when he was in fact a PR guy who jumped on the bandwagon.

Denham doesn’t even seem to be overly precise about what her job is – she was quoted by her corporate Twitter account yesterday as saying “What’s technically and legally possible is not necessarily morally sustainable in our society. That’s what the debate is about.” Denham is a regulator – it is her job to enforce the law. As several people have told me since I complained about the statement, Data Protection is principles-based and therefore not as fixed and binary as other areas of the law. I cannot deny this, but even taking it into account, the slippery and complex aspects of DP are still ultimately in the “legally possible” part of the Venn diagram. It’s none of the ICO’s business whether companies do things that are legally possible but morally questionable. If a company breaches DP or PECR, the ICO should take action. Either Cambridge Analytica broke DP law in the UK and the ICO can prove it, or they didn’t. It doesn’t matter that Alexander Nix is a smug gobshite because being a smug gobshite is not a breach of DP law.

We live in an era of fake news where the President of the United States routinely gaslights the world and AI can write prose like a human. The truth matters. Facts matter. Accuracy matters (it’s one of the GDPR principles after all). We all make mistakes. I do it all the time, and the best I can do is hold my hands up and do better next time. But when you’re a big organisation with a much bigger audience than some show-off trainer like me, when you’re an MP asking for a change in how a regulator is run, and especially when you’re charged with regulating something as important as the protection of personal data of 60 odd million people, it matters a lot more. You have to care about the facts because so many people are listening, and you have to take the time to get it right.

And now, in the time-honoured tradition of this blog, I will hit ‘Publish’ and spend the next hour spotting all the typos I’ve made and editing them out before anyone notices.

Bad Policy

On July 19th 2018, Linda McKee made a simple (but admirably polite) FOI request to the Information Commissioner’s Office. McKee asked for a copy of the ICO’s special categories policy document, a requirement of the Data Protection Act 2018 when processing special categories data in certain circumstances. The DPA was passed in early May 2018, but the requirement for special categories policies had been known since the DP Bill was published in September 2017. Policy documents were not required under the previous DP regime, and having run training courses on both the Bill and the Act, I can confirm that many people in the sector were keen to see real life examples of a policy document. McKee’s request made a lot of sense.

On 17 August (maintaining the ICO’s flawless record of replying to FOIs at the last minute), Wilmslow responded. They confirmed that a policy document was held, but as there was a clear intention to publish the policy document in the future, they refused to disclose it. This seemed a bit daft to me; Section 22 of FOI is designed to protect the organisation from early publication of information. The revelation of the ICO’s special categories policy would hardly cause ripples throughout the sector. Staff would not have been diverted from their normal jobs to deal with the torrent of press attention its release would provoke. They should have coughed it up and moved on.

McKee asked for an internal review, and at this point, the Commissioner headed determinedly the wrong way. There is no fixed time limit for an internal review, which is a flaw in the legislation but nevertheless not something that the organisation should exploit, and the ICO dragged it out for MONTHS. I have to be honest, I didn’t really pay attention, aside from using the ICO’s inability to release a relatively simple document as a gag on my DPA courses. Towards the end of 2018, I checked back in on McKee’s woes, to see an interesting suggestion on the What Do They Know thread. It seemed that when the ICO replied in August, the policy hadn’t actually been finalised.

I couldn’t quite believe this, so over Christmas, I made an FOI request to clear the matter up. I asked whether the policy was held in a final approved form when the ICO replied to McKee in August, for any recorded information about whether the ICO should actually have replied that the policy was not held (because it was not finished), and for a summary of why the ICO refused the request.

And here, a brief interlude to consider a section of the FOI Act that has tantalised FOI experts for years without resolution. Section 77 makes it a criminal offence for the organisation to alter, deface, block, erase, destroy or conceal any record held by it with a view to frustrate its disclosure. So if I am working for a public authority and I pretend that a record isn’t held in order to prevent an FOI punter from receiving it, I have committed an offence. If the organisation conspires in this, the organisation can itself be prosecuted by the Commissioner.

Back to my request to the ICO. They replied (once again, remarkably close to the 20 day deadline), and told me two interesting things. First, in answer to my question about whether the policy was held in a final approved form: “The policy was not held in final approved form“. Second, any recorded information about whether any data held constituted the requested information, or whether the ICO should in fact responded that the information was not held: “We do not hold recorded information. As you will be aware the Freedom of Information Act only covers recorded information held by a public authority. However, it may help you to know that there was a verbal discussion in regard to the response to this Freedom of Information request.” So, there was a verbal discussion that people plainly remember, and the ICO thinks it might help me to know this, without even a squeak about what the discussion was about. Thanks, Wilmslow, consider me unenlightened.

I believe that the ICO’s response to McKee’s request is untrue. The correct answer to her request is ‘no information held’, with advice and assistance that the data was in draft. Section 22 applies where the requested information exists but the organisation intends to publish it unchanged in the future; the ICO’s policy wasn’t complete. Look at what McKee asked for all those months ago: she asked for “your Policy designed to show compliance with Schedule 1, Part 4 of DPA 2018“. An incomplete, unapproved policy plainly does not answer the request, and the ICO should have confirmed that. The use of the exemption was a dishonest dodge to avoid admitting the truth.

If the ICO had a policy and pretended that they did not, under Section 77 it would have been a criminal offence for them to conceal its existence once it had been requested. As it happens, the ICO did the opposite – pretending that the information existed and refusing to give it out because it would be published in the future, rather than admitting that several months after the DPA was passed, the policy was not complete. Whoever decided that this was the right approach should think long and hard about a transparency regulator taking such a cynical attitude to legislation they are supposed to uphold and protect.

While QE2 tries to grab the headlines, demanding that FOI be extended to cover new organisations, her own house is far from being in order. The lack of FOI enforcement against recalcitrant and secretive government departments is an ongoing stain on the ICO’s reputation, while the lazy cynicism and lack of frankness over the office’s own activities suggests that the ICO can talk the talk, but walking the walk is beyond them. Regular readers of this blog are probably inured to my lack of faith in House Wycliffe, but for all Denham’s chasing of headlines, day to day experience of how the ICO carries out the most mundane of its functions suggests carelessness and disarray. Rather than trumpeting the press releases about extending FOI to charities and commercial bodies, more people should ask whether the ICO is capable of doing even those tasks it already has.

A case in point(lessness)

The Information Commissioner did a bit of business in Hendon Magistrates’ Court recently, as SCL Elections was fined £15000 for breaching an enforcement notice. Long ago, Professor David Carroll made a subject access request to Cambridge Analytica. As Cambridge Analytica was based in the US where SARs do not apply, they passed it to SCL Elections, a related company established in the UK, to process his request. Having received a response, Carroll claimed it was inadequate and complained to the ICO. After some correspondence, SCL and Cambridge Analytica went into administration. The ICO then served SCL with an enforcement notice over Carroll’s SAR, and SCL failed to comply with or appeal it.

On the face of it, it’s a win – fines in the Mags for breaches of ICO notices are usually in the low thousands, and after more than a year of a multi-million-pound investigation into data analytics, this seems a rare example of something actually happening. Following the humiliation of the first GDPR enforcement notice against AIQ, which had to be withdrawn and replaced, and the Facebook £500,000 penalty which was immediately appealed, you could argue that it’s a solid result for Team Wilmslow.

But the ICO reaction is weird – their website misleadingly claims that SCL was ‘also known as Cambridge Analytica’. SCL was a shareholder in Cambridge Analytica but the two companies are separate and based in different countries. Moreover, the ICO press release states “In pleading guilty, the company has accepted it should have responded fully to Professor Carroll’s subject access request and the ICO’s notice in the first place” but this is not what reality suggests. SCL’s guilty plea was helpfully tweeted out by Denham’s hagiographer Carole Cadwalladr, and it clearly says that they were pleading guilty to failing to answer the notice, not to any ‘misuse of data’.

Denham seems stuck in the past. This prosecution is, she says, ‘the first against Cambridge Analytica’ and her comment implies it won’t be the last, despite the fact that both SCL and Cambridge Analytica are being wound up. Since May 2018, the ICO’s needle on GDPR has barely twitched beyond that abortive AIQ notice, but the noise on analytics has been deafening. Whatever Cambridge Analytica did back in 2016, a massive change like GDPR requires a Commissioner completely focussed on implementing it. Stories about delays and poor decisions at the ICO are rife in the Data Protection community at the moment; the ICO can’t even keep its website up and running, and yet Denham seems dedicated to fighting old battles like a Japanese soldier lost in the Pacific who doesn’t know WW2 is over.

I can’t see what the SCL case has achieved. Carroll has trumpeted the criminal nature of the prosecution, claiming it proves that CA was a ‘criminal enterprise’, but the case is a relic. Under GDPR / DPA 2018, ignoring an enforcement notice is no longer a criminal offence and so there will never be another case like this. SCL might have pleaded guilty, but the substantive question of whether they gave Carroll all the data he was entitled to remains unresolved. They didn’t admit that they hadn’t, and the court cannot order them to deliver any outstanding data even if the judge thought that they should. The punishment for ignoring an enforcement notice can only ever be a financial one – a fine on conviction under the old rules, a penalty from the ICO under the new. The ICO must have known this going in.

The idea, of course, is a data controller will comply with an enforcement notice rather than face the possible punishment, but when the ICO served the notice on SCL, they were already in administration, so they were unlikely to respond in the normal way. Indeed, as the administrators confirmed, the prosecution was only possible because they gave ICO permission to take it forward. In a bizarre twist, the administrators’ guilty plea also revealed that data relating to Carroll isn’t in their possession – it is stored on the servers seized by the ICO on the celebrated Night of the Blue Jackets. So we’re in the bewildering position of the ICO starting enforcement on a defunct company, aware that the enforcement in question cannot result in any personal data being disclosed, and in the full knowledge that any relevant information is actually in their possession. It’s DP enforcement designed by MC Escher. You have to wonder why ICO didn’t just give Carroll his data themselves.

Underneath the surface froth, there are some interesting issues. SCL’s approach to the ICO (as set out in the enforcement notice) is an exemplar in how not to deal with a regulator. In my former life as a Data Protection Officer, I was guilty of a ‘make them blink first’ approach to ICO case officers, but I never did anything as stupid as to make comparisons to the Taliban in my correspondence, or to demand that the ICO stop harassing my employer. More importantly, SCL committed a glaring tactical mistake by switching their approach mid-race. Initially, they answered Carroll’s request, but then u-turned into a claim that his request was invalid because he was a US citizen (hence the remark that he was no more entitled to make a request than a member of the Taliban). In my opinion, had they stuck to their guns and argued that there was no more data, the case would have been less appealing as an enforcement issue. In deciding to change tack, the onus is on them to convince the ICO of the change, rather than getting all holier-than-thou.

Equally interesting is Carroll’s claim that he should be treated as a creditor of the business, which he outlined to the FTProf Carroll argues that the data originally held by Cambridge Analytica actually belongs to the users and should be returned to them, despite the insolvency. “I am a data creditor — just like the financial creditors,” he says. “There are outstanding obligations to me.”

I think this argument is nonsense, but the idea that data subjects own their data is a popular myth (revived with enthusiasm by the introduction of the GDPR). The problem / advantage with personal data is that it can be easily and quickly replicated; I can take a copy of your data without your permission, but unlike a conventional theft, you still have it. You can get access to the data I hold about you under a SAR or portability, but once again, I give you a copy and keep my version. Only in limited circumstances can you request that I delete it, and there are many exceptions.

Admittedly, GDPR gives the subject more control over their data than before, but it doesn’t give them ownership. It’s misleading to suggest that a data controller doesn’t really own personal data when there are so many circumstances where they can obtain, disclose, retain or destroy it without the permission of the subject, and when the opportunities for the subject to object are so limited. I don’t think Carroll understands this, but it would be interesting to see his ‘creditor’ notion tested.

Teasing this out might have been a justification for the ICO to enforce on SCL, except for the obvious fact that these issues would never be raised by doing so. If SCL hadn’t pleaded guilty, the question for the court would be whether SCL breached the notice and nothing else. Because SCL made no attempt to comply with or appeal the notice, they never had much to argue about. The enforcement notice was remarkably misguided considering ICO actually holds the data, but it is a tribute to SCL’s ineptitude that they didn’t choose to highlight this by appealing.

According to Carroll, the fight goes on with other cases, so his beef with SCL / Cambridge Analytica might one day result in something interesting, but there’s nothing here. I don’t believe that the ICO has any business enforcing Data Protection on behalf of Americans when they’re so lackadaisical about doing so on behalf of people in the UK, and so this case is an almost offensive waste of resources. But even if you disagree, all they’ve achieved here is given the corpse of SCL a good kicking, with a result that doesn’t tell us anything about the future or very much about the past.


Immigrant song

With the sensitivity for which they are rightly renowned, the Home Office chose to celebrate Christmas by tweeting a cheery video full of beaming millennials, promoting the new ‘settled status’ registration scheme for EU nationals who want to stay in the UK after Brexit. People who have made their home in the UK have to register and pay for the privilege. Setting aside the crass, thoughtless way in which the scheme was promoted, concerns have been expressed on social media about the Data Protection implications, especially as regards how data is used and whether it complies with GDPR and the DPA 2018. There is an interesting sentence in the documentation: “we may also share your information with other public and private organisations in the UK and overseas“. The people behind the @the3million twitter account made an FOI request about this, and the Home Office have refused to confirm the identity of the organisations in question. They relied on S31 of the FOI Act, which allows information to be withheld if (among other things) disclosure would or would be likely to prejudice “the operation of the immigration controls“.

S31 requires the Home Office to demonstrate a causal link between disclosure and prejudice, and has a public interest test that allows for disclosure if the public interest in doing so outweighs the public interest in withholding. So while the Home Office picked the right exemption, their decision to refuse could be challenged. The ICO doesn’t have a strong record of overturning these kinds of decisions, so the fate of any complaint is hard to predict.

But what’s that? Surely individuals subject to this process have GDPR rights, and can find this out for themselves via a subject access request? Two elements of GDPR would appear to assist – Article 13 requires the Home Office to specify “the recipients or categories of recipients” to which personal data will be disclosed in order to be transparent, while Article 15 gives the subject a right to the same information on request as part of a subject access request.

Except they don’t. I’m certain that the wording I have seen doesn’t comply with Article 13 because even the ‘categories’ bit would only work if it was clear what types of recipients are involved, and it’s plainly not. However, the GDPR allows for exemptions, and there is an exemption that the Home Office managed to get through Parliament in the DPA 2018 which allows them to keep the identity of the recipients secret. Schedule 2, Pt 1, (4) says that both transparency and subject access rights can be set aside if applying them would or would be likely to “undermine the maintenance of effective immigration controls“. If the Home Office don’t want to tell people going through the process who their data will be shared with, this exemption allows to do so. They have to believe that transparency will undermine effective immigration control, but this is the Home Office – they probably do believe that.

So what recourse do EU citizens have? They could, of course, challenge the Home Office approach by either taking them to court or complaining to the Information Commissioner. The Commissioner could decide that the application of the exemption was incorrect (as they could with S31 of FOI), and they have powers to enforce that decision. Aside from Elizabeth Denham’s obsession with data analytics in politics (especially when allegedly deployed by the Leave side), the ICO does not have a strong track record of taking on big organisations. Admittedly, the ICO recently took on the Metropolitan Police over their Gangs Matrix database, but the problem with that is the Gangs Matrix was a mess and the Met more or less acknowledged that.

The problem here is that if the Home Office maintain their position, the ICO would have to substitute their judgment for their’s. This wouldn’t be a mistake or a cock-up; if the Home Office use the DPA exemptions in the same way as they have the FOI ones, the only way that people can get better transparency is for the ICO to tell them that they’re wrong. This is often when Wilmslow bottles it. It’s straightforward to enforce on an organisation that has just lost thousands of people’s data (I’m sure it takes a lot of graft, but the decision to do it isn’t as hard). It’s much more difficult when the data controller hasn’t made a mistake, but is using the exemptions as described. Even if the ICO believes that the exemptions have been wrongly applied (and they might not), the Home Office is likely to ignore any recommendations and appeal any enforcement action.

The alternative is the courts, which is just as much of a roll of the dice as a complaint to the ICO, with the added complexity and cost of actually going to court. I have confidence that a court would test the Home Office’s arguments more robustly that the ICO would, but the Home Office wouldn’t be acting irrationally or unreasonably, and a judge might agree with them. These exemptions made it through Parliament and are on the statute book; the Home Office can plainly use them, and it’s not a breach of the GDPR unless the ICO or a court says that they have been applied unfairly.

Personally, I doubt that knowing who is receiving your data will undermine this process sufficiently justify the secrecy that the Home Office has already imposed using FOI, and which I expect they will use under DP, but it doesn’t matter what I think. This is where the hype around the GDPR runs into the brick wall of reality. The Home Office doesn’t need consent to gather, use and disclose personal data in this process, as long as it has another lawful basis to do so (legal obligation or official authority will certainly kick in here). The DPA gives them exemptions to keep the nature of that processing opaque, and if they choose to use them, challenging that decision is difficult and the outcome is uncertain. This leaves an odd situation but a lawful one – if they wish to live in a country they have already made their home, it seems that EU citizens have to submit to a closed, secretive process and they cannot find out what happens to their data during that process, who gets to see it, and for what purpose.

Compensation culture

We’ve had years of headlines about Cambridge Analytica and Facebook which have captured the public’s imagination like never before, and generated huge publicity for the Information Commissioner’s Office and their army of blue-jacketed enforcers. Action, on the other hand, has been slightly less forthcoming. No action has been taken against Cambridge Analytica itself – there is the prosecution of SCL Elections over a subject access request made by an American (David Carroll), but if anyone can explain why prosecuting the now defunct company when the best outcome is a fine that will never be paid because it will be buried at the bottom of the pile of creditors, comment below. The ICO issued their first GDPR enforcement notice against AIQ, and it was so clumsy it had to be withdrawn and replaced (it’s astonishing that the ICO’s mishandling of this landmark action has gone virtually unnoticed). There is the famous Facebook fine of course, but that is already under appeal. Given that the Commissioner’s case changed radically from the Notice of Intent (published against all normal ICO practice) to final penalty, I don’t think that the ICO should count any chickens on the outcome.

The other issue haunting the case is a number of legal firms mounting ambitious compensation claims on behalf of those who believe themselves to be affected. Just as I am sceptical about the ICO’s track record, some odd assertions in a story in the Independent about David Carroll’s own attempt to sue Cambridge Analytica make me wonder whether the compensation road will be any less rocky. The claim is happening under the old Data Protection Act, and so Carroll and his solicitors will have to prove some kind of damage. Carroll’s solicitor Ravi Naik from ITN Solicitors is quoted as saying payouts could spiral to as much as £43 billion if only 10% of the possible affected pool of people claimed successfully.

Even if one conservatively uses the lowest end of the range, both in number and value of each claim, and calculates on the basis of 10 per cent of the estimated 87 million affected Facebook users only, with claims of £5,000 each against Cambridge Analytica, that still implies a total potential claim value of £43.5bn

I think his claims are optimistic at best, and at worst, comically exaggerated. Facebook did claim that up to 87 million people’s data may have been affected, but they’ve wavered since – to the extent that the ICO now admit that UK data wasn’t used by Cambridge Analytica in their final penalty on Facebook, despite building their NOI around that very claim. Carroll is claiming between £5000 and £20000, but he won’t get a penny unless he can show evidence of the breach in the first place, and then evidence of the damage. Claiming compensation for non-material damage is tricky. You can’t show something concrete like lost wages or business – the money won’t be awarded just because Carroll says he’s upset or annoyed, and the courts have shown scepticism in the past about claims of damage or distress (look at the Tetrus case that ICO lost on the issue of distress a few years back).

That 87 million number is a maximum, not a certainty, and the UK courts have shown themselves to be unmoved by generic class action claims of damage. Look at Richard Lloyd’s failed claim against Google, where the court said that different people will react to the use of their data in different ways. Perhaps Carroll has made a good case about the harm he says was done to him, but even if he has, that is not to say that all claimants are in the same position. If my data was abused by Facebook, my reaction would be numb resignation at worst. I can’t get outraged about Facebook abusing my data, any more than I can get upset by rain being wet. This is why I don’t use Facebook.

The consensus on LinkedIn seems to be that a possible breach is automatically accompanied by a ringing cash register – but that’s not a safe assumption, backed by any evidence. Lloyd lost his Google claim. Everyone who wrote excited Tweets and LinkedIn posts about the outcome of the recent Morrisons case – where the supermarket was found vicariously liable for a breach committed by an employee – ignored the fact that even if Morrisons lose their planned appeal to the Supreme Court, the issue of how much each claimant gets hasn’t been considered yet. Admittedly, Morrisons is a claim for misuse of private information and breach of confidence, but even so, we haven’t got to the bit about the money yet. The claimants may each get a big payout; they may get bus fare. There hasn’t been a case in the UK where multiple people received a big payout because their personal data was abused.

Naik’s extravagant claims and ambitious maths make for an impressive headline, but it’s speculation. I’m uncomfortable about the idea of tempting people into joining litigation (which is presumably the point of Naik’s claim) using hyped-up numbers in this way. The words sound sensible, and Naik effectively describes his estimate as conservative, but it’s a fantasy. Carroll will lose unless he can persuade the court that a breach occurred, that he experienced damage, and that there is a figure that will compensate him for that harm. We have had a few interesting and successful compensation claims in the past, but the idea that we’re looking at lottery jackpots for DP claimants is, so far, Fake News.