Open Goal

The OpenRightsGroup currently have a tool on their website to make subject access requests to political parties; they say that it is intended to investigate political profiling: “Who do political parties think we are?” is the heading on the page. There is definitely a problem with the way all parties use personal data, and the unhelpful and misleading narrative that only the Leave side in politics has questions to answer about data protection flatters the heinous practices of all major political parties. To be honest, if it was transparent, the Tories, Brexit Party and UKIP using profiling techniques to come to the conclusion that they should never contact me would be a very good thing and I wouldn’t feel any need to consent to it. As it happens, I made still valid opt-out requests to all the parties under the old Data Protection Act, and the only one who contacted me this time was the Labour Party. Thanks for nothing, comrades.

The language in ORG’s blog about profiling is emotive and potentially misleading, describing normal features of the DPA 2018 as ‘loopholes’. The blog says “DPA says that data processing can be in the public interest if it “supports or promotes democratic engagement”. This means that political parties could try to claim that their invasive scrutiny of you is lawful purely because they are trying to get you to vote”. If the processing was invasive, it would be unfair and so unlawful. If there is a reasonable alternative to the profiling, it’s not ‘necessary’ and so it’s unlawful.

GDPR allows special categories data to be processed where there is an exception, and one such exception is substantial public interest, based on specific legal authorisations. The DPA contains such authorisations for certain activities, and one such is that political parties can process political opinions (and only political opinions) for political purposes. Again, for ORG, this is a ‘loophole’. The SPI provisions aren’t a clever way for parties to get around the law: they are the law. It’s legitimate for parties to do what the law allows them to do; if ORG complained that the parties don’t abide by the SPI provisions or aren’t sufficiently transparent, that might be fair comment. This might seem like a minor point, but I think ORG are attacking the legislation unfairly, not possible non-compliance with it.

I think there are also some #GDPR issues to consider with the tool itself. The chief problem is lack of a formal, explicit fair processing notice, which results in confusion that could easily have been avoided. The tool identifies which part of the country you’re in, in order to rule in / out parties which only stand in individual nations rather than all of the UK. After uploading proof of your ID, it then makes a request to all the parties. You cannot pick and choose; it has to be all of them. Before you finally send, the tool clearly shows you which parties your requests will be going to which is good, but another aspect doesn’t sit right with me. This is ORG’s explanation of why you can’t use the tool to select individual parties to apply to:

The aim of you sending this request is to contribute to Open Rights Group’s research understanding how all UK political parties use personal data for campaigning and other purposes. To gain the necessary information to analyse this properly, we need to gather data from all parties across all parts of the UK. It would not be helpful to our research to gather data selectively so we have not allowed for the tool to do this.

I assume ORG don’t get access to the data disclosed to you because there is no mention that they do anywhere on the page or on the forms when you use the tool. Any such access would be a serious, penalty-deserving infringement of #GDPR, so presumably it doesn’t happen.

The site says “To gain the necessary information to analyse [profiling] properly”, they have to make you apply to all parties. Then: “If you opt-in to future emails from Open Rights Group, we will check in with you after 30 days to confirm whether you have received a response”. But that can’t be the end of it; knowing whether the request was answered will not tell ORG “how all UK political parties use personal data for campaigning and other purposes”. Either ORG intend to ask to see the data that was requested, or the exercise is pointless. So why aren’t they clear about the later stages of the process now? Do they know what they’re going to do, and if so, why not explain it?

Of course, ORG will almost certainly counter my concerns by saying that any data supplied to them from received requests will be obtained with consent (there’s no other lawful way they could get it), but the assertions about the aim of the research aren’t matched by transparency about how it will be carried out. This is, at best, not good practice. When you’re scrutinising an opaque process, you shouldn’t be running one yourself. A proper fair processing notice would solve this, and there isn’t one.

There’s more. I’m sure there will be people who want to know about every party’s processing, even the one they support. But equally, there will be people using the tool who aren’t interested in what every party has got – ORG might be, but the applicant may not. There will be people who never would have made the request at all without the tool’s existence. Are these requests unfounded?

If a party receives an ORG SAR (which will be easily identifiable from the standard text they’re using), could they argue that answering a SAR sent solely for someone else’s research purpose is unfounded or excessive? A lot of people – especially those who come to Data Protection from a political or campaigning perspective – see SARs and other rights as campaigning tools. A queasy assortment of characters have already attempted to weaponise data rights as a tool in the Brexit Wars (possibly encouraged by a Data Protection regulator who seems unusually preoccupied with the activities of only one side of the debate). Admittedly, ORG are targeting all parties rather than one side, but I still question the wisdom and legality of what they’re doing.

If I was a political party DPO, inundated with SARs and complaints (albeit deservedly), I’d probably look askance at these SARs and look for reasons to knock them back. Some campaigners might be outraged at the idea, but Data Protection in practice isn’t always a high-minded exercise in civil rights. Sometimes, it’s trench warfare. Sometimes, data protection practitioners will do what they can to deal with the torrent of work that spills onto them.

I accept that my opinion that organised SAR campaigns are inherently unethical isn’t widely shared, but when I tell you that they’re also stupid, I’m a lot more confident that I’m right. The Data Protection Act 1998 kept the door to why the request was being made firmly closed, but even the Directive talked about subject access existing “in order to verify in particular the accuracy of the data and the lawfulness of the processing”. The GDPR blows the door wide open – ‘unfounded’ and ‘excessive’ both invite attention to why the request was made. ORG would probably argue that they’re trying to verify the lawfulness of political party processing, but the parties could equally argue that they’re encouraging requests that the applicant themselves probably wouldn’t have made. The indiscriminate nature of the tool and the inadequate explanation of why such a blunderbuss is being deployed could play into the hands of a party that decides to roll the dice.

The UK’s political shitshow is not going to end any time soon, and if you want to use your data rights to find out what anyone is doing with your data, that is entirely your business and clearly part of what SARs are for. But if you’re doing it to make a point rather than to see your data, I think you’re misusing your rights and if you get refused, you probably deserve it. Worse still, if you’re participating in an orchestrated campaign, I think you’re playing with fire. The very politicos you might object to may notice the inconvenience and irritation of mass SARs, and decide, as the UK floats away from the European data protection mainstream, to create some real loopholes where none currently exist.

Hare-brained

Most people have little routines that they enjoy on a Sunday. Doing a spot of gardening, going for a run – I know one person who relishes his Sunday trip to the tip. For me, a minor weekend pleasure is the masochistic ritual of reading a maddeningly ill-informed article about Data Protection in the Guardian or Observer. This weekend did not disappoint, despite a surprising break with tradition in that the piece in question was not written by John Naughton.

This time, we have Stephanie Hare, expressing sentiments summed up in a headline that gets two things wrong before the article even gets going: “These new rules were meant to protect our privacy. They don’t work.” No, the GDPR is not meant to protect anyone’s privacy. The word ‘privacy’ is mentioned once in a footnote that refers to another piece of legislation (which isn’t supposed to protect our privacy either). The purpose of the GDPR is to maintain the European model of data protection, i.e. a deal between commerce and individual rights. It’s an asymmetric and imperfect deal, but the idea is that the internal market requires the use of personal data in order to function, especially across international borders, and so there needs to be a regulated system to allow governments and businesses to use data. The language of the GDPR, like the directive before it, makes absolutely clear how the deal works. The organisation that gathers and uses the data is the ‘controller’. That tells you all you need to know. The individual is no more than the ‘subject’, given some rights and a limited amount of control over how their data is used.

I think the GDPR does a better job than its predecessor of making those rights work meaningfully – it’s free in most cases to exercise them, the fairness provisions explicitly acknowledge transparency and clarity, the right to be forgotten (if that’s what we have to call it) puts more of an onus on the controller than the subject. More subtly, the GDPR recognises power imbalances and automated processing of all kinds as being inherently high risk because of the lack of control that the subject suffers. This is all good stuff, but GDPR doesn’t protect your privacy, and complaining that it doesn’t is like complaining that a decent quality car will not float. It’s pointless to criticise the GDPR as ‘not working’ when you think it should be doing something it isn’t designed for. Hare is letting the regulators and companies completely off the hook by implying that it’s a free for all, rather than a situation where the law is clear and people aren’t following or enforcing it.

It gets worse. Hare’s first assertion is “Who owns your data? This is one of the toughest questions facing governments, companies and regulators today and no one has answered it to anyone’s satisfaction.” The answer to this question is actually really easy: the person who holds the data owns it. You don’t own the data about you held by HMRC or Twitter or Facebook. They do. They probably have intellectual property rights over it, but for all practical purposes, they decide what happens to it, who receives copies of or extracts of it, and when it is deleted. The subject plainly doesn’t own it. They have rights over it sometimes, and they own a copy of any data they request, but that’s it. Asking about ownership is really asking the wrong question – apart from the fact that activists and campaigners are never going to get an answer they like, what’s worse is that by accepting that the debate should be about ownership rather than rights and control, you’re accepting the IAB and Mark Zuckerberg’s approach to data. I’m not an activist, and even I can see that you’re debating The Man on his terms. If we want to stop the commodification of data, we could start by talking about the problem in a better way.

I don’t doubt Hare’s sincerity for a moment, but some of her most basic assertions are wrong, which makes it very difficult to agree with her. She says that under GDPR, “we gained the right to find out what data is held on us and to request its deletion”. This is completely incorrect. These rights have existed (and have been used) since at least 1995. It’s true that they have not been well enforced, and that GDPR expresses them more effectively, but in my experience, people who present GDPR as a sea change in rights are those who think Data Protection started in 2016. Apparently, it’s a problem that individuals have to exercise their rights, and “the GDPR could have solved this easily by making privacy the default and requiring us to opt in if we want to have our data collected”. If I was being charitable, I would assume that Hare was talking only about commercial uses of data for advertising purposes, but she doesn’t say so. We can’t run the NHS, social care, taxation or criminal justice on the basis of consent. You can’t protect vulnerable children from abuse if their parents have to agree to their data being processed. You can’t collect income tax only from those who consent for their data to be collected. Talking about personal data exclusively in terms of consent is ignoring all sorts of processing, legitimate or otherwise, that takes place because of statutory or contractual justifications. It’s almost aggressively unhelpful.

Hare describes “a grotesque game” of consent where people are pushed into consenting or alternatively diverted into a maze of confusing privacy policies. The GDPR that she claims doesn’t work explicitly outlaws this sham consent. There is no doubt or debate about this: GDPR consent must be freely given, specific and informed, or it is not consent. Nobody who understands GDPR has any doubt about this – the question is whether regulators like Helen Dixon and Elizabeth Denham are willing to attack business models that are built on such flagrant GDPR breaches. So far, the jury is out on Dixon, but Denham has shown her hand by dodging enforcement on Real Time Bidding and fining Facebook for entirely imaginary events, ultimately settling the case in a way that leaves Facebook’s business model entirely untouched. The problem here is not the GDPR – it is the people who are supposed to be implementing and enforcing it.

Worst of all, Hare’s summary quotes Edward Snowden’s ill-informed speech at the Web Summit last week, picking out the stupidest thing he said and presenting it as her trump card: “He thinks that legislation should address the collection of our data, not its protection after it is collected.” Just to be clear (because I always italicise quotes on this blog), the article emphasises the word ‘collection’ with italics. Hare clearly feels that this is a vital insight, instead of evidence of total ignorance. Like a lot of security people, Snowden has seen the word ‘protection’ and worked from there. The foundation of EU data protection law for more than 20 years is that the use of data must be lawful, and lawfulness can only be achieved by justifying the collection of data. This is the skeleton of Data Protection, this is what holds it up, and Hare’s use of the Snowden quote is, in my opinion, evidence that she does not know this. It is utterly irresponsible to use a platform like the Guardian to mislead people in this way, no matter how strong your concerns might be. The GDPR is inherently and irrevocably concerned with data collection, and if Hare (and Snowden) do not know this, they need to educate themselves before pontificating. By the way, if you were one of the dozens of Data Protection people who retweeted that Snowden quote as if it was some amazing revelation, all you did was demonstrate your ignorance.

There are other depressing things within the article – like a lot of people, Hare cites warnings from the recent Human Rights Committee report into online privacy, and in particular, picks up their patronising conclusion that 13 – 15 year olds are incapable of consenting. This writes off hundreds of thousands of young people and robs them of autonomy (something which people who believe in privacy should be very wary of doing). Anyone who has read the Human Rights Committee report will know that it recommends creating a single repository of all information held about every person, updated in real time. Aside from ID cards, I cannot think of a more dangerous, privacy-invasive proposal than taking *everything* about you and putting it in one place so that the Government (and every hacker in the universe) can get access to it.

It is not enough to care. It is not enough to express your concerns about an admittedly voracious and parasitic internet business model. You need to know what you’re talking about. Pulling apart a clearly sincere and well-intentioned piece from someone who I probably agree with about a lot of things is not a good look, and will probably lose me even more friends and admirers than ever before. But this isn’t good enough. I’m not taking the piss out of someone because they said ‘Regulations’ when they meant ‘Regulation’. This whole article is based on a completely flawed understanding of the law and what it sets out to do. If you have the platform, you have to use it responsibly, and I think Hare and the Guardian have let down a cause which both claim to uphold.

Low Profile

The use of personal data to advance political causes has never had as high a profile as it does now, thanks mainly to Brexit and the lurid tales of data manipulation usually bundled under the vague heading of the ‘Cambridge Analytica scandal’. Thanks to the efforts of certain journalists, the narrative is now fixed. Cambridge Analytica stole personal data from Facebook and used it to manipulate credulous voters to win the Brexit vote. It doesn’t matter that this didn’t happen (if you don’t believe me, read the ICO’s final monetary penalty on Facebook and their report into the political analytics investigation), this is what most people believe. When I ask people what they think Cambridge Analytica did, they usually don’t know or point to allegations that nobody has been able to prove, and when I tell them that CA didn’t work on the Brexit referendum, they often tell me to read something (Brittany Kaiser’s supposedly revelatory emails, for example) that they clearly haven’t read themselves. One of the most depressing things about all this is the number of supposedly intelligent people who rail against fake news, when they are as guilty of spreading it as anyone.

Nevertheless, if there is a good thing to come out of all this nonsense, it could be better scrutiny of how political parties and campaigns use personal data. The ICO says it has carried out audits of the major parties, though so far, nothing has come to light about what they’ve found. In the meantime, journalists have definitely started to look at political processing in more detail. An interesting example emerged today with Rowland Manthorpe’s story on Sky News of the Liberal Democrats’ use of profiling to understand voters. Using subject access, Manthorpe saw the wide range of different factors gathered and used by the LibDems to predict his likely voting intentions, and therefore inform whether and how they might approach him.

It’s very tempting to say ‘so what?’ Any party that claims that they don’t do this, using data gleaned from Experian and other data brokers, is almost certainly lying. To make out that the LibDems are doing something weird and creepy when it’s standard political practice is perhaps unfair. I did a subject access request to the Conservative Party earlier in the year, and I found an equally large amount of information – the Tories think that I have kids, read the Independent and was aged between 26 and 35 in 2017, but have now moved up to the 36 – 45 age bracket. If you’ve seen me recently, you may wish to pause until you stop laughing. They’ve estimated my personal and household income and when I finished full-time education, and classify my household as “forward-thinking younger families who sought affordable homes in good suburbs which they may now be out-growing”. They know every time I have voted since 2014, although not who for.

What’s interesting about all of this is whether any of it is lawful. First off, it’s not transparent. The political parties have privacy policies that allude to some of this profiling but if you don’t support or vote for a party or a campaign, what reason would you ever have to read that policy? I am never going to vote Tory, so why would I look at the bit of their privacy policy that says that they’re going to buy my data from Experian in order to profile me, even if that section exists? And what of Experian, who have happily sold my data to the Tories – what transparency from them? Long story short, I think the transparency aspect of political profiling is fatal to its lawfulness. We don’t know this is happening, and the parties do very little proactively to communicate to voters that it’s going on.

Parking that, it’s worth considering the other aspects of GDPR and the Data Protection Act 2018 which are relevant to this question. To process any personal data, an organisation must have a lawful basis from Article 6 of the GDPR to do so. Several are automatically off the table for this kind of profiling – consent (because they haven’t asked), contract (there isn’t one), vital interests (nobody will die if the Tories don’t incorrectly guess that I have kids) and legal obligation are all gone. This leaves two – necessary for a task carried out in the public interest or necessary for a legitimate interest. Neither of these is automatically available. A task carried out in the public interest has to have some kind of statutory underpinning, which is apparently available via Section 8 of the DPA 2018, which specifies ‘an activity that supports or promotes democratic engagement’ as a task carried out in the public interest. The explanatory notes to the DPA flesh this out:

The term “democratic engagement” is intended to cover a wide range of political activities inside and outside election periods, including but not limited to: democratic representation; communicating with electors and interested parties; surveying and opinion gathering, campaigning activities; activities to increase voter turnout; supporting the work of elected representatives, prospective candidates and official candidates; and fundraising to support any of these activities.

In order to rely on what many people call ‘public task’, political parties have to satisfy themselves (and potentially the ICO or the courts) that their profiling fits this definition, and that the best way to, for example, communicate with electors is first to profile them. I’m not saying that it’s impossible to clear that hurdle – necessary doesn’t mean the only way, just the most appropriate and proportionate way, but it’s for the LibDems (and every other party) to show that they have thought about this and considered the alternatives. Because this processing is likely to have been carried out automatically (I presume that they don’t have crowds of artisan psephologists doing it by candlelight), this could mean that a Data Protection Impact Assessment is required. I’m not certain of this because I’m not sure whether the profiling would have a significant legal or other effect on the person, but if you read the ICO’s code of practice on political campaigning, they bend over backwards to argue the case for political advertising having that effect. In any case, there are other criteria in the European Data Protection Board’s guidance which might well lead to a mandatory DPIA (for example, large scale innovative techniques, or depending on the data used, large scale processing of special categories).

Of course, they may choose to rely on legitimate interests, which again requires work. They have to demonstrate that they have balanced their legitimate interest in understanding voters against the rights and freedoms of those voters. This must be *necessary*, and in my opinion, it is exceptionally difficult to make the case for legitimate interests where a person has not been informed of the processing.

Manthorpe’s story lays out another potential problem. The LibDems are creating special categories data (political opinion) and it’s not unknown for politicos to use profiling to infer other characteristics, like Zac Goldsmith’s apparent attempts to infer ethnicity from surnames in the 2016 London Mayoral Election. The use of special categories is technically prohibited, but one of the exemptions is the substantial public interest. The LibDems would have to demonstrate that it is in the substantial public interest for them to process the data, and as before, that it is necessary for them to process data in this way.

That isn’t enough on its own. The use of substantial public interest has to be underpinned by a specific legal authorisation, which can be found in the Schedules of the DPA 2018. The only one that political parties can rely on is paragraph 22, which allows parties to process political opinions where necessary (that word again) for the purposes of the organisation’s political activities. The GDPR’s demand for accountability means that all of this decision-making will need to be documented, and every party will have to show that they considered the proportionality and necessity of their actions. At this point, I think the DPIA question is clearly answered – because the process leads to the creation by inference of political opinions, the party is processing sensitive data on a large scale, hitting two of the criteria set out by the EDPB guidance. Two criteria means that processing is high risk and requires a DPIA; the processing is unlawful if they cannot demonstrate having carried out one.

Of course, all of this only applies to the processing, and both the GDPR and DPA make clear that they have to stop processing the data if the person requests it, even if they’ve done all of the work I’ve described above. There are no exceptions to this. Moreover, if the party wants to send a text or an email to any person, none of this helps; GDPR and DPA may allow the profiling (I don’t believe any party will have implemented the above rigorously enough to satisfy the law), but it does nothing about the rules for direct marketing in PECR. Even if they satisfy the GDPR requirements for processing special categories, that doesn’t help at all with PECR’s flat demand for GDPR-style consent when emailing individual subscribers (i.e. people using their own email addresses).

The LibDems claimed to Manthorpe that their privacy policy cures all ills:

The party complies with all relevant UK and European data protection legislation. We take the GDPR principle of transparency very seriously and state the ways we may use personal data clearly within the privacy policy on our website.

I don’t accept this for a moment. I’m a Data Protection nerd and I don’t go on random organisations’ websites to read their privacy policies just in case they might apply to me. The fact that contacting millions of people to tell them that they’re being profiled would be punishingly expensive isn’t GDPR’s problem – the sense of entitlement that political parties feel about data and how they use it should be secondary to the law. But even if you accept their argument, the fact that all parties are likely to have a file on every voter isn’t in our interests, it’s in theirs. They should be under pressure to show that platitudes like the statement above are backed up by the rigour and evidence demanded by the legislation. This should not be a story about the LibDems; this should be seen as a window into what all political parties do, and feel entitled to do. I have no faith in the ICO to sort this out, but scrutiny of what’s going on is in all of our interests.


ADVERT: I’m running GDPR courses across the UK until the end of 2019. In 2020, I’ll be running new courses on the DPA, Law Enforcement and Data Protection and Data Protection by Design. Take a look at my website for more: www.2040training.co.uk

Going Unnoticed

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. Given the confusion among many GDPR ‘experts’ about when fines are real or merely proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users’ data was used for campaigning. As an aside, this means that the ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate”), it could have been, so there. I’ve spent years emphasising that an incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. The ICO’s argument is that UK users’ data could have been abused for political purposes even though it wasn’t, and that the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect the ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though the barrister and historical society breaches, which involved very limited numbers of people, were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?

Mistaken Identity

Over the past week, numerous excited stories have covered a talk given by James Pavur, an Oxford University researcher and Rhodes Scholar, at the Blackhat Convention in Las Vegas. With his girlfriend’s consent, Pavur made 150 subject access requests in her name. In what the BBC called a ‘privacy hack’ until they were shamed into changing the headline, some of those that replied failed to carry out any kind of ID check. Pavur’s pitch is that GDPR is inherently flawed, allowing easy access for identity thieves. This idea has already got the IT vendors circling, and outraged GDPR-denier Roslyn Layton used the story to describe GDPR as a “cybersecurity/identity theft nightmare”. Pavur’s slides are available on the Blackhat website, but so is a more detailed whitepaper written by himself and his girlfriend Casey Knerr, and anyone who has pontificated about the pair’s revelations should really take a look at it.

Much has been made of Pavur’s credentials as an Oxford man, but that doesn’t stop the 10-page document containing errors and misconceptions. The authors claim that Marriott and British Airways have already been fined (they haven’t), and that there are only two reasons to refuse a subject access request (ignoring the existence of exemptions in the Data Protection Act 2018). They use ‘information commissioners’ as a term to describe regulators across Europe, and believe that the likely outcome of a controller rejecting a SAR from a suspiciously acting applicant would be ‘prosecution’. In the UK and most if not all EU countries, this is legally impossible. At the end, their standard SAR letter cites the Data Protection Act 1998, despite the fact that, in context, any DPA is irrelevant and that particular one was repealed more than a year ago.

Such a list of clangers would be bad (though not necessarily unexpected) in a Register article, but despite presenting their case with a sheen of academic seriousness, Pavur and Knerr have some serious misconceptions about how GDPR works. GDPR supposedly offers “unprecedented control” to the applicant, despite their experiment relying on a right that has existed in the UK since 1984. They claim GDPR represents a “sea change” in the way EU residents can control, restrict and understand the use of their personal information, even though most rights are limited in some way and are rooted firmly in what went before. They claim that “little attention has been paid to the possibility of request abuse”. I’ve been working on Data Protection since the authors were schoolchildren, and I can say for certain that this claim is completely false. SARs being made by third parties, especially with malicious intent, has been a routine concern in the public and private sector for decades. Checking ID is instinctive and routine in many organisations, to the point of being restrictive in some places.

Other assertions suggest a lack of experience of how SARs actually work. Because of the perceived danger of twitchy regulators fining organisations for not immediately answering SARs, the authors say “it is therefore fairly risky to fail to provide data in response to a SAR, even for a valid purpose”. This year, the ICO has had to enforce on high profile organisations for failing to answer SARs (it didn’t fine any of them), and is itself happy to refuse SARs it receives from elderly troublemakers. SARs are routinely ignored and refused, but the authors imagine that nobody ever wants to say no for fear of entirely imaginary consequences.

Pavur and Knerr think that panicking controllers will make a mess of the ID check: “we hypothesized that organisations may be tempted to take shortcuts or be distracted by the scope and complexity of the request”. This ignores three factors. First, for many organisations, a SAR is nothing new, and the people dealing with it will have seen hundreds of SARs before. Second, the power advantage is with the controller, often a large organisation ranged against a single applicant (and in the UK, facing a regulator unlikely to act on the basis of one SAR complaint). Third, and most important, they don’t factor in the reality that the ID check takes place *outside* the month. The ICO says that until the ID check is made, the request is not valid and the clock is not ticking. A sense of panic when the request arrives – necessary for the authors’ scenario to work – will only be present in those with little experience, and if you’re telling me that people who don’t understand Data Protection tend to cock it up, I have breaking news about where bears shit.

Another unrealistic idea is that by asking whether data has been inadvertently exposed in a breach (a notion written into the template request), the authors make the organisation afraid that the applicant has knowledge of some actual breach. “We hypothesised that such a belief might cause organisations to overlook identity verification abnormalities”. I can’t speak for every organisation, but in my experience, a breach heightens awareness of DP issues. Making the organisation think that the applicant has inside knowledge of a breach will make most people dot every ‘I’ and cross every ‘T’. Equally, by suggesting that ID be checked through the unlikely option of a secure online portal, the authors hope to make the organisation feel they’re running out of options, especially because they think the portal would have to be sourced within a month. Once again, this is the wrong way around. An applicant who wants to have their ID checked via such a method would either get a flat no, or the controller could sort it out first and then have the month to process the request.
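The intake logic the last two paragraphs describe, as an added illustration (this is not code from this blog, from the ICO, or from Pavur and Knerr): the request is not valid, and the month does not start, until identity has been checked, so neither a portal demand nor a breach question changes the timetable. The controller, its list of accepted evidence and the scenario dates are constructed for the example; the deadline rule (the corresponding date in the following month, or that month's last day where no such date exists) is my reading of ICO guidance and is stated here as an assumption.

```python
"""Subject access request (SAR) intake sketch in which identity verification gates
both disclosure and the statutory clock. Added illustration; not code from the blog,
the ICO, or Pavur and Knerr. The one-month counting rule is an assumption."""
import calendar
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Evidence this hypothetical controller accepts. A request that merely arrives from
# the email address on file is deliberately NOT on the list: the post describes
# controllers insisting on a driving licence or equivalent in exactly that case.
ACCEPTED_ID_EVIDENCE = {"driving_licence", "passport", "in_person"}


def add_one_month(d: date) -> date:
    """Corresponding calendar date in the following month; where that date does not
    exist (e.g. 31 Jan), the last day of the following month.
    ASSUMPTION: this mirrors the way the ICO counts the one-month period."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass
class SubjectAccessRequest:
    received: date            # day the request arrived; does NOT start the clock
    sender_email: str
    email_on_file: str
    id_verified: Optional[date] = None
    log: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        # Until ID has been checked the request is not treated as valid at all.
        return self.id_verified is not None

    def verify_identity(self, evidence: str, on: date) -> bool:
        """Record an out-of-band ID check. Returns True only when the clock starts."""
        if evidence not in ACCEPTED_ID_EVIDENCE:
            self.log.append(f"{on}: ID evidence '{evidence}' rejected; clock not started")
            return False
        self.id_verified = on
        self.log.append(f"{on}: identity verified via {evidence}; clock started")
        return True

    def deadline(self) -> Optional[date]:
        """The month runs from verification, not from receipt."""
        return add_one_month(self.id_verified) if self.valid else None

    def disclose(self, on: date) -> Tuple[str, Optional[date]]:
        """Gate: personal data leaves only after verification. The deadline is
        returned alongside so the handler can see how much time remains."""
        if not self.valid:
            self.log.append(f"{on}: disclosure refused, identity unverified")
            return ("refused", None)
        return ("disclosed", self.deadline())


def run_example() -> dict:
    """Constructed scenario: a request sent from the address on file on 31 January,
    with the applicant first offering nothing beyond that matching address."""
    sar = SubjectAccessRequest(received=date(2019, 1, 31),
                               sender_email="subject@example.com",
                               email_on_file="subject@example.com")
    premature = sar.disclose(on=date(2019, 2, 1))              # nothing verified yet
    sar.verify_identity("matching_email", on=date(2019, 2, 1))  # not accepted
    sar.verify_identity("driving_licence", on=date(2019, 2, 5))
    final = sar.disclose(on=date(2019, 2, 6))
    return {"premature": premature, "deadline": sar.deadline(),
            "final": final, "log": sar.log}


if __name__ == "__main__":
    for line in run_example()["log"]:
        print(line)
```

The point the code makes is structural rather than clever: because `deadline()` is derived from `id_verified` and nothing else, there is no path by which the scope of the request, a breach question in its text, or a demand for a particular verification channel can shorten the time the controller has, and `disclose()` cannot release anything while `id_verified` is still empty.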

A crucial part of the white paper is this statement: “No particularly rigorous methodology was employed to select organisations for this study”. Pavur and Knerr say that the 150 businesses operate mainly in the UK and US, the two countries they’re most familiar with. I’m going to stick my neck out and bet that the majority of the businesses who handed over the data without checking are US-based. Only two of the examples in the paper are definitely UK – a rail operator and a “major UK hotel chain”. Many of the examples are plainly US businesses (they cite them as Fortune 100 companies), and one of the most specific examples of sensitive data that they obtain is a Social Security Number, which must have come from a US institution of some kind.

If you tell me that a significant number of UK businesses, who have been dealing with SARs since 1984, don’t do proper ID checks, that’s a real concern. If you tell me that it’s mainly US companies, so what? Many US companies reject the application of GDPR out of hand, and I have some sympathy for their position, but it’s ridiculous to expect them to be applying unwelcome foreign legislation effectively. This is the risk that you take when you give your data to a US company that isn’t represented in the UK or EU. Pavur and Knerr haven’t released the names of the organisations that failed to check ID, and until they do, there’s not much in the paper to show that this is a problem in the UK, and a lot to suggest that it’s not.

The potential solutions they come up with are flawed. They say regulators should reassure organisations that they will not be prosecuted if they reject requests without ID, despite no evidence that any regulator says anything different (or indeed, has enforced in such circumstances). Their main recommendation for legislators is that government ID verification schemes should be used by all controllers to check the ID of SAR applicants. It’s true that there is no standardised ID check and controllers will act on a case by case basis, but that’s infinitely preferable to Dominic Cummings’ government knowing every time you exercise your data protection rights.

I have never run a training course that mentions SARs without also mentioning checking ID. At least in the UK, a request isn’t seen to be valid unless some form of ID has been presented. In the last month, two different data controllers (the Conservative Party and Trilateral Research) have insisted on seeing a driving licence or equivalent before processing my SAR, despite me applying from the email address they have on file. A few US controllers handling SARs in a sloppy manner isn’t a cause for great concern. It certainly doesn’t suggest significant flaws in the way GDPR is drafted.

For all my criticisms of the pair’s approach, they do admit that the white paper was “a cursory assessment”. I don’t doubt their expertise in security, their good intentions or the truth of their ultimate message: checking ID is essential when dealing with SARs. The problem with the experiment is that it reads like what two clever people reckon subject access is like, rather than how it works in the real world. I’d strongly suggest that if they follow up on this first attempt with a more robust piece of research (which is hinted at in the white paper), they approach the subject with a more realistic and detailed understanding of how Data Protection actually works, and maybe get some advice from people with real SAR experience.