The Whole Truth

A couple of days ago, the training company IT Governance reported that the Information Commissioner’s Office had banned Keith Hancock, director of a Manchester lead generation company, from being a company director for four years. The ICO had previously fined the company (Lad Media), and this was the follow-up. All good stuff, you might say, perhaps even a riposte to those awful people who say that the ICO never does anything. Except it isn’t true. The ICO didn’t ban anyone because they don’t have the power to do so. The action was taken by the Insolvency Service with the ICO’s assistance. Weirdly, the IT Governance’s scribe used quotes from the Insolvency Service’s press release without either reading or understanding what it said.

UPDATE: demonstrating the lack of class that is ITG’s hallmark, the story has now been updated without any reference to the fact that it had been wrong, or that they needed me to correct them. This is what it used to look like:

Screenshot 2019-02-15 at 20.04.11

I don’t expect IT Governance to get things right (their sales director once claimed that there had been GDPR fines of 6.2 billion against Facebook and Google), but you’d hope for higher standards from, say, the chairs of four Parliamentary Committees, right? Right? A week or so ago, a distinguished group of Parliamentarians (and Damian Collins) wrote to Jeremy Wright, Secretary of State for Culture, Media and Sport as part of a campaign to change the way the ICO is funded. The idea is that the ICO would get to recover the costs of its investigations from those found to be in breach of Data Protection law, and has been promoted by the Durham-based marketer Russell James. I think it’s a bad idea – it would require the ICO to record and cost the time they spend on every investigation, it could dissuade organisations from appealing ICO decisions (which is bad for everyone as ICO decisions need to be tested), and even where it was applied, it would see the ICO bogged down in arguments about how much they actually spent.

Leaving that aside, the letter itself is amateurish and inept. Several times, it refers to organisations being “found guilty“, something which only happens in criminal cases, thus ignoring the fact that much of the ICO’s work carried out under civil not criminal law. In similar vein, it refers to “data crimes“, a phrase presumably culled from Liz Denham’s misleading soundbite “data crimes are real crimes” (they’re not). This means that the scope of the letter isn’t clear – are they referring to civil breaches (which aren’t crimes), or are they referring to criminal offences, which in the ICO’s world are usually committed by individuals rather than organisations? I find it hard to believe that Dominic Grieve and Yvette Cooper would sign a letter than hadn’t been properly thought out, but as it turns out, they signed a letter that hadn’t even been proof-read. The penultimate paragraph includes a sentence that plainly has words missing “To strengthen the enforcement mechanism, and thus provide maximum credibility to the ICO should be able to recoup the costs of investigations…“, and most damning of all, it opens by describing the ICO as the ‘Independent Commissioner of Information’, which as Neil Bhatia pointed out would be make them the ICI, not the ICO.

UPDATE: a commenter below argues that I should not describe them as ‘civil’ breaches; rather, they should be described as breaches of administrative law. Technically, I think this is correct, although the point I was making is that they are definitely not crimes. I have made the entirely avoidable mistake of listening to the Information Commissioner, who describes them as ‘civil monetary penalties’, e.g. here. I will endeavour not to make the mistake of listening to the ICO again.

Here we have senior Parliamentarians putting their name to a letter that is badly written and incoherent, asking for changes to the funding of a regulator they can’t even accurately name. Russell James told me that the letter was drafted by Tom Tugendhat’s office, but it’s plain that nobody involved in its creation knows anything about Data Protection.

Bullshit is everywhere. In the same week as the ICI letter, Privacy International published a piece responding to Will.I.Am’s well-intentioned but counter-productive ideas about monetising personal data to benefit individuals. The piece included several completely false statements, including that fact that Cambridge Analytica had been fined by the ICO, and that Professor David Carroll had successfully sued the company to recover his data. I took this up with them and they attempted to correct the piece, but in doing so, they made it worse. The correction says “A previous version of the piece implied that Cambridge Analytica has been fined for their involvement in this scandal. The piece was updated on 7.02.2019 to make the text less ambiguous.” The problem with this is that the previous version didn’t imply anything: it said explicitly that Cambridge Analytica had been fined, and they haven’t. The correction goes on to say “The company has been fined for failing to respond to an access request by the Information Commissioner’s Office (ICO)”. It hasn’t. The ICO has prosecuted SCL Elections (not Cambridge Analytica) for failure to comply with an enforcement notice. Despite that famous raid, ICO hasn’t fined Cambridge Analytica or SCL, and the chances that they ever will be are roughly equivalent to me being invited to tea with the Commissioner.

You could be forgiven for asking ‘does it matter’? Does it matter that people get things wrong as long as their heart is the right place? Russell James told me repeatedly that it didn’t matter that the MPs’ letter was full of errors; what matters is that the letter was sent and the wheels are turning. It’s true that pedantry and point-scoring are an unhelpful feature of Data Protection discourse. However, there’s a difference between a conversation and a formal letter or article. More importantly, there’s a difference between pedantry and precision. If you’re talking about privacy impact assessments in the context of the GDPR and I correct you to say it’s a Data Protection Impact Assessment, I’m being a dick. We both know what you mean, and my correction adds nothing. If everyone thinks that the ICO fined Cambridge Analytica when they didn’t, it stops people asking questions about why Wilmslow has spent £2.5 million on an investigation that has resulted in a dodgy fine against Facebook and some mediocre PECR penalties on Arron Banks’ ramshackle empire. If MPs don’t understand the laws that they’re signing letters about, how do we know that they’ve scrutinised the campaign that they’re backing?

The problem is, the Commissioner’s Office are as bad as everyone else and sometimes they’re the source of the infection. Last week, the ICO tweeted that they’d fined Magnacrest Housing, when in fact, it was a court that issued the fine. When SCL Elections pleaded guilty to failing to respond to the ICO’s Enforcement Notice, the Commissioner proudly announced that they had taken action against Cambridge Analytica – although admittedly part of the same group, they’re two different companies, and nobody at the ICO wants to be precise about that because Headlines. The Commissioner herself has repeated the ‘data crimes are real crimes’ claim on many occasions, despite the fact that it’s both misleading and an unhelpful over-simplification. Denham endorsed a book she hadn’t read as “authoritative“, describing its author as someone who “flew the flag for data protection many years before it broke into the mainstream with the GDPR” when he was in fact a PR guy who jumped on the bandwagon.

Denham doesn’t even seem to be overly precise about what her job is – she was quoted by her corporate Twitter account yesterday as saying “What’s technically and legally possible is not necessarily morally sustainable in our society. That’s what the debate is about.” Denham is a regulator – it is her job to enforce the law. As several people have told me since I complained about the statement, Data Protection is principles-based and therefore not as fixed and binary as other areas of the law. I cannot deny this, but even taking it into account, the slippery and complex aspects of DP are still ultimately in the “legally possible” part of the Venn diagram. It’s none of the ICO’s business whether companies do things that are legally possible but morally questionable. If a company breaches DP or PECR, the ICO should take action. Either Cambridge Analytica broke DP law in the UK and the ICO can prove it, or they didn’t. It doesn’t matter that Alexander Nix is a smug gobshite because being a smug gobshite is not a breach of DP law.

We live in an era of fake news where the President of the United States routinely gaslights the world and AI can write prose like a human. The truth matters. Facts matter. Accuracy matters (it’s one of the GDPR principles after all). We all make mistakes. I do it all the time, and the best I can do is hold my hands up and do better next time. But when you’re a big organisation with a much bigger audience than some show-off trainer like me, when you’re an MP asking for a change in how a regulator is run, and especially when you’re charged with regulating something as important as the protection of personal data of 60 odd million people, it matters a lot more. You have to care about the facts because so many people are listening, and you have to take the time to get it right.

And now, in the time-honoured tradition of this blog, I will hit ‘Publish’ and spend the next hour spotting all the typos I’ve made and editing them out before anyone notices.

Comments

  1. Idontwanttoprovidemyname says:

    Where is the privacy notice for this website? I notice you’re accepting and moderating comments.

    • Do you think I should self report it as a personal data breach?

      • Idontwanttoprovidemyname says:

        Not if your heart is in the right place

      • Well, I’ve been told that I’m an adversary to regulators, which is pleasing, but not as good as the time the ICO’s comms people described me as one of a group of ‘drivers of negative sentiment’. Tell you what, I’ll confess my sins by shouting them in the ICO car park next time I’m in Wilmslow and we’ll see what they do.

  2. ICO issues fines under administrative law not civil law, hence reference to administrative fines in GDPR. Appeals against ICO decisions go to the tribunals not the civil courts.

    • That’s a fair point and I acknowledge my error. I’m using ‘civil’ as a broad catch-all for ‘not criminal’, and that’s not as precise a distinction as it could be. As corrected in the blog post, I have made the ridiculous mistake of being influenced by the Information Commissioner’s Office, who describe their penalties as ‘Civil Monetary Penalties’ (for example, the ICO offers the option of downloading all ‘civil monetary penalties’ in a csv file, and the ‘notes to editors’ section of most penalties including the Facebook fine describe them so). Listening to the ICO is a stupid thing to do, given how sloppy the ICO is in so many ways, and it’s one I will make great efforts not to make again. Thanks very much for this valuable lesson.

%d bloggers like this: