Last week, I wrote a blog about the ‘personal data agency’ Yo-Da, outlining my concerns about their grandiose claims, the lack of detail about how their service works and their hypocritical decision to ignore a subject access request I made to them. Predictably, this led to further online tussles between myself and Benjamin Falk, the company’s founder and ‘chief talker’. As a result of our final conversation, Yo-Da has effectively disappeared from the internet. Clearly, I touched a nerve.
Yo-Da’s website made concrete claims about what their service did, and in fact had done. There were testimonials from satisfied users, and three case studies. Although it was clear that the service wasn’t operating yet, the testimonials were unambiguous: here is what Yo-Da has done for me. There was no hint that they were fictional, nothing to suggest that the service couldn’t do what the site said.
“Yo-Da systematically and automatically exercises your data rights”
“Use Yo-Da to ask any company in Europe to delete your personal information”
User ‘Samuel’ claimed “Now I go to Yo-Da, search for the company whose (sic) been breached, and with 1-click find out what is happening with my personal information”, while ‘Nathan’ said “Yo-Da was simple to use and helped me understand just how many businesses in Europe have my data.”
None of this is true. Yo-Da do not have a working product that does these things. As Falk put it to me “Our technology is still under development” and “We have some ideas that are working. They aren’t perfect.” I am not saying that Yo-Da aren’t developing an automated data rights service; I’m certain that they are. I’m not saying a product will never launch; I expect that it will and I am looking forward to it, though perhaps not for the same reason as Samuel and Nathan. The point is, it doesn’t exist now and the website said that it did.
Originally, Falk claimed that he had deliberately ignored my subject access request because it was unfounded. ‘Unpleasant’ people like me don’t have data rights, he claimed. This didn’t sound right, especially as after I published my blog, Yo-Da’s DPO (Trilateral Research) suddenly woke up and tried to process my request, as if this was the first they’d heard of it. During our correspondence, they made it clear that they agreed with Falk’s decision that my request was unfounded, but were silent on the decision to ignore it.
But in my argument with Falk, he admitted the truth “We have an outsourced DPO for a reason; we can’t afford a full time one. That’s why the SAR went ignored; our service isn’t live yet and so we didn’t expect to receive any requests, because we aren’t collecting any personal data on anyone”
In a single tweet, Falk said a lot. He was admitting that all of the testimonials and case studies were fake (he ultimately said to me that they were “obviously fake”). At the same time, he was also not telling the truth. Falk said that the website was a “dummy” to “gauge interest”. In other words, the site exists as an advert for a theoretical service, but its other purpose is to persuade people to sign up to Yo-Da’s mailing list. It was designed to collect personal data. Yo-Da were saying ‘sign up with us to use this service that actually works’. I believe that this is a direct breach of the first GDPR principle on fairness and transparency. I want to know why Trilateral Research acted as a DPO for an organisation that did this.
Falk said that he was joking when he said that he ignored my request on purpose, but Trilateral didn’t acknowledge that. They wrote of a ‘delay’ in acknowledging my request, but concurred with Falk’s unfounded decision. That decision was never made; my SAR was just missed. Nobody was checking the ‘firstname.lastname@example.org’ email account – Falk wasn’t, and neither were they, despite being the putative DPO. Either they didn’t know what had happened, or they didn’t care. They definitely backed up their client rather than digging into why a SAR had been received and ignored on spurious grounds without their involvement. Let’s be generous and assume that they didn’t know that Falk was bullshitting. Their client had taken a controversial and disputable decision in a SAR case, and he hadn’t consulted them before he did it, but they didn’t acknowledge that. They backed the unfounded refusal.
Even if Yo-Da one day launches a product that successfully facilitates automated data rights requests to every company in Europe (prediction: this will never happen), they definitely don’t have that product now, and their website claimed that they did. Either Trilateral didn’t know that this is the case, which means that they failed to do basic due diligence on their client, or they knew that the Yo-Da website was soliciting personal data on the basis of false claims.
When I pointed out to Falk that all of the sign-up data had been collected unlawfully (it’s not fair and transparent to gather data about a service that doesn’t exist), the conversation ended. The Yo-Da website instantly vanished, and their Twitter account was deactivated minutes later. I’m certain that Falk will be back, his little spat with me considered to be no more than a bump in the road to world domination. But forget him; what does this say about Trilateral? The best defence I can think of is that they took Falk’s money to be in-name-only DPO but didn’t scrutinise the company or their claims. This is bad. If they had any idea that Yo-Da doesn’t currently do what the website claimed, it’s worse.
According to the European Data Protection Board, the professional qualities that must be demonstrated by a Data Protection Officer include “integrity and high professional ethics”. I seriously question whether Trilateral have demonstrated integrity and high professional ethics in this case. It’s plainly unethical to be named as DPO for an organisation, and then ignore what comes into the DPO email address. Article 38(4) of the GDPR states “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation” but Trilateral weren’t even listening. It’s unethical to take on a client without knowing in detail how their services work (or even whether their services work), and that’s the only defence I can see in this case. It’s unethical to be DPO for an organisation that is making false or exaggerated claims to obtain personal data.
I regularly get asked by clients if I can recommend an outsourced DPO or a company who can do the kind of sustained consultancy work that a solo operator like me doesn’t have the capacity for. There are a few names I’m happy to give. I have no hesitation in saying that on the basis of this shoddy episode, I wouldn’t touch Trilateral Research with a bargepole.