Taking the piss

On page 74 of the Information Commissioner’s newly published Annual Report, you can find the welcome news that the ICO reduced the amount of water in flushing toilets and the timings of auto flushing in urinals. Sadly, the expansion of the organisation’s footprint in Wilmslow, due to swelling numbers of staff, has led to an increase in overall emissions (insert your own joke). There is an abundance of other information about other environmental issues, including paper consumption and car journeys,

Strangely, if you look for information about one of the landmark events of UK Data Protection in 2019 – 2020, there is no sign. In December 2019, the Information Commissioner issued its first ever penalty under the General Data Protection Regulation against a company called Doorstep Dispensaree. Several pages of the report are taken up illustrating “The Year in Summary”, and the only thing mentioned for December is the launch of a consultation about AI. It’s not that the ICO had so many things to report on; one of the highlights for June 2019 was “The Information Commissioner makes a speech at a G20 side event in Tokyo“. Odd that an event which is very much the ‘only invited to the evening do’ of international speaking gigs makes the cut, but the first and so far only UK GDPR fine does not.

There are several reasons for this, I believe, all of which go to the heart of what is wrong with Elizabeth Denham’s disastrous term as Commissioner. The first is Denham’s vanity, mistaking public appearances and headlines for actual achievements. Allied to her Kim Jong Un tendencies is the prioritisation of international work and pet projects over the basics of regulation. Finally, there is a fundamental dishonesty at play – it should be deeply embarrassing for Denham that she hasn’t made a serious attempt to enforce the GDPR in two years. Because it is evidence of this failure, Doorstep Dispensaree (a solid and encouragingly detailed enforcement case that should have been the ICO’s bread and butter during this period) is written out of the story. It didn’t happen.

Most of the report is a soup of meaningless buzzphrases, presumably designed to disguise the hollow nature of what is being described. There have been “deep dive sessions” with the “most significant Digital Economy Stakeholders“, an “Innovation Listening Tour” and an “Innovation Hub”, which the ICO hopes to open up to “innovative organisations” like “catapults” and “incubators“. I think all of this that they’ve had lots of meetings; the outcomes are impossible to identify beyond wonderful “engagement“, a word which appears 22 times (‘penalty‘ appears 4 times).

It is possible to identify a couple of interesting themes. One is the ICO’s determination to support capitalism and The Man. One of the main strategic goals is “enabling innovation and economic growth“, while another is increasing trust and confidence in the way personal data is used. These are not regulatory outcomes, they are economic goals. Actual enforcement of the law is demoted to the fifth out of six goals. The ICO has established a team of people to work on the economic growth agenda, led by a Head of Economic Analysis seconded from an organisation that Wilmslow has decided we don’t need to know the name of.

The other obvious strand is both depressing and familiar, especially to an ICO refugee of such ancient vintage as myself. The joke in the ICO when I was there (2001 – 2002, fact fans) was that it didn’t matter that we never took action because “thinking is doing”, a phrase attributed to Francis Aldhouse, the Deputy Commissioner at the time. Thinking is Doing paralysed the ICO for years, but the spell was broken first by the impossibility of ignoring the cycle of security breaches begun by HMRC’s lost discs, and then by Chris Graham. For all his flaws, Graham revolutionised the ICO by allowing his staff to demolish the shameful FOI backlog and embrace the penalty powers that the lost discs fiasco gifted to Wilmslow.

Thinking is Doing is back. Doorstep Dispensaree (a thing that happened) doesn’t warrant a mention, but the BA and Marriott penalties (things that did not happen) are mentioned approvingly because they “received a large amount of media attention

One of the case studies in the Annual Report covers the ICO’s investigation into Ad Tech. After a flurry of meetings, press releases and agreeable dinners at Cibo, the ICO was supposedly poised to rewrite the internet, but instead, the Executive Director of Shiny Things Simon McDougall promised that whatever they did, ICO would not to spoil the ad industry’s Christmas. Then, when Covid-19 gave him cover, he dropped the whole thing like a stone. McDougall is paid between £115,000 and £120,000 per year, and his contract has been renewed until July 2021, for reasons I cannot begin to understand.

The closer that the report gets to reality rather than Denham’s preoccupations with politics and online harms, the harder it gets to spare her blushes. The report cites 236 instances of “regulatory action“, but it’s really hard to work out what this means. Of that total, just 15 are fines, 7 are enforcement notices, and 8 are assessment notices (i.e. mandatory audits). There are 8 prosecutions and 4 cautions. 54 of the “regulatory actions” are in fact information notices, which do not represent action at all.

An Information Notice is an investigatory tool which might led to action, and might not; in itself, it’s just demanding information. What are the other 139 “regulatory actions“, and why doesn’t the Commissioner what to admit what they are? Has there been a blizzard of warnings and reprimands that are being kept secret? Or, as the inclusion of information notices denotes, is the maths necessary to create the 236 more akin to gymnastics?

The report boasts of ICO intervention in a number of court cases, and happily sets out their successful involvement in the Elgizouli case. It’s a sign of how thin-skinned Denham’s ICO has become that they can’t bring themselves to admit that in the other two cases they cite (the challenges to South Wales Police’s use of facial recognition and the DPA’s immigration exemption), they backed the losing side.

In the end, the figures don’t lie. The toilet flush numbers are encouraging, but other information is less reassuring. The ICO set itself a target of resolving (i.e. closing) 80% of complaints within 12 weeks. Despite receiving less complaints than in the previous year, gaining 100 staff and receiving a massive boost in funding, they managed only 74%. 84 cases are more than a year old. Despite 46% of complaints received being about subject access, the ICO took no enforcement action against subject access infringements in the period.

Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a “proportionate and practical regulator” – it’s far from where it should be, achieving nothing but emissions of hot air.

Denham’s foreword has an almost valedictory tone. There’s a strong effort to defend the ICO’s determination to spend time on anything as long as it isn’t related to the UK, but the final thought is about how Denham thinks she has achieved her objective of transforming the ICO into “an information rights regulator that is helpful, authoritative, tech-savvy, practical and firm“. While what she’s actually done is hollowed out a passable regulator and turned it into an ineffective, politically biased think-tank, the only positive thing I can take away from this annual report is the hope that if Denham thinks it’s mission accomplished, she will move on to pastures new. Hopefully her successor will have some experience at putting out fires.

Blast from the past

As we all endure the lockdown and the uncertainty about when and how it might end, I have been trying to avoid thinking about the past. It’s tempting to dwell on the last time I went to the cinema (Home, Manchester ironically to watch ‘The Lighthouse’), the last time I went to a pub (Tweedies in Grasmere, just hours before Johnson closed them all), the last face-to-face training course I ran (lovely people, awful drive home). But thinking back to what I had, and the uncertainty about how, when and if I will get it back, doesn’t make the interminable Groundhog Days move any faster. I’d be better off just ploughing on and working out what to do next.

So it was a strange experience to be thrown backwards in time to the heady days of 2017, when the GDPR frenzy was at its height, and the world and his dog were setting up GDPR consultancies. People still make fun of the outdated nature of my company name, but I registered 2040 Training in 2008, and I’m proud of its pre-GDPR nomenclature. The list of GDPR-themed companies that are now dissolved is a melancholy roll call – goodbye GDPR Ltd, GDPR Assist (not that one), GDPR Assistance, GDPR Certification Group (got to admire their optimism), GDPR Claims, GDPR Compliance, GDPR Compliance Consulting, GDPR Compliance Consultancy, GDPR Compliance for SMEs and GDPR Consultants International (offices in New York, Paris and Peckham). You are all with the Angels now.

I was cast into this reverie by a friend who drew my attention to GDPR Legal, a relatively new GDPR company, and a few moments on their website was like climbing into a DeLorean. It was all there. The professional design, the ability to provide all possible services related to Data Protection (you can get a DPO for as little as £100 a month), and of course “qualified DPO’s (sic)”. I was disappointed that there was no mention of them being certified and nary a hint of the IBITGQ, but you can’t have everything. They still pulled out some crowdpleasers, including flatulent business speak and the obvious fact that they are trying to sell software, sometimes in the same couple of sentences: “Our service includes a comprehensive consult to help identify gaps and opportunities, a comprehensive report that includes a project plan with timelines and milestones, a cost analysis, and a schedule. We also offer a software suite that will help you get there quickly and smoothly.” Timelines and milestones, people. This is what we want.

The lack of any detail is possibly a matter for concern. The website claims that the company’s specialists have “over 50 years of experience delivering a pragmatic consulting service with qualified DPO’s and GDPR Practitioner skills” but it is difficult to find out who any of them are. There is no ‘meet the team’ or ‘our people’ section. I might be wrong, but I don’t think there’s a single human being’s name anywhere on there. If you had all these brilliant experienced professionals, wouldn’t you want to advertise who they are – I might make fun of them, but even the folk who have blocked me on LinkedIn aren’t ashamed of saying who their consultants are. Is it 50 people with a year’s experience each? Indeed, the only name I can associate with the company (via Companies House) is the Director, a man who has no experience in Data Protection, but is also director of a shedload of software and marketing companies. Any time the site needs to get into any detail, it hyperlinks to the ICO.

So far, so what? You probably think this blog is cruel. If someone wants to set up a company selling GDPR services, why do I care? Isn’t this just sour grapes at another disruptive entrant in the vibrant GDPR market?

There are two reasons why I call these people out. The first is their privacy policy. It’s not a good sign when a privacy policy page on a GDPR company’s website begins with ‘Privacy Policy coming soon’, but as it happens, immediately below is the company’s privacy policy. Well, I say it’s their’s. It’s oddly formatted, and when you click on the links that are supposed to take you to the policy’s constituent parts, you’re in fact redirected to the log-in page for GoDaddy, with whom the site was registered. All the way through, there are lots of brackets in places that they don’t belong. It didn’t take me long to work out what was going on – I think the brackets were the elements of the template policy that GDPR Legal has used which needed to be personalised, and they’ve forgotten to remove them. 50 collective years of experience, and nobody is competent enough to write the company’s own privacy policy, they just use someone else’s template. Indeed, if you search for the first part of the policy “Important information and who we are“, it leads you to dozens of websites using the same template, from Visit Manchester to NHS Improvement. I can’t find where it originated, but it’s an indictment of the quality of work here that they took it off the shelf and didn’t even format it properly. My Privacy Policy is smart-arsery of the first order, but at least I wrote it myself.

The other reason is worse. GDPR Legal has a blog with three posts on it. Two are bland and short, but the most recent, published just this week, is much longer and more detailed. It reads very differently from other parts of the site, and there was something about the tone and structure that was familiar to me. It didn’t take long to remember where I had seen something like this before. The blog is about GDPR and children, and this is the second paragraph:

Because kids are less aware of the risks involved in handing over their personal data, they need greater protection when you are collecting and processing their data.Here is a guide and checklist for what you need to know about GDPR and children’s data.”

This is the first sentence of the ICO’s webpage about GDPR and children:

Children need particular protection when you are collecting and processing their personal data because they may be less aware of the risks involved.

Coincidence, you think? This is the third line:

If a business processes children’s personal data then great care and thought should be given about the need to protect them from the outset, and any systems and processes should be designed with this in mind

This is the second line of the ICO’s page:

If you process children’s personal data then you should think about the need to protect them from the outset, and design your systems and processes with this in mind

Blog, fourth para:

Compliance with the data protection principles and in particular fairness should be central to all processing of children’s personal data. ”

ICO page, third line:

“Compliance with the data protection principles and in particular fairness should be central to all your processing of children’s personal data

They rejigged the first few elements a little, but after that, whoever was doing it evidently got bored and it’s pretty much word for word:

GDPR Legal Blog:

A business needs to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

ICO page

You need to have a lawful basis for processing a child’s personal data. Consent is one possible lawful basis for processing, but it is not the only option. Sometimes using an alternative basis is more appropriate and provides better protection for the child.

GDPR Legal Blog

General Checklists

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist. 
  • We design our processing with children in mind from the outset and use a data protection by design and by default approach. 
  • We make sure that our processing is fair and complies with the data protection principles. 
  • As a matter of good practice, we use DPIAs (data protection impact assessments) to help us assess and mitigate the risks to children. 
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA. 
  • As a matter of good practice, we take children’s views into account when designing our processing.

ICO page: 

Checklists

General

  • We comply with all the requirements of the GDPR, not just those specifically relating to children and included in this checklist.
  • We design our processing with children in mind from the outset, and use a data protection by design and by default approach.
  • We make sure that our processing is fair and complies with the data protection principles.
  • As a matter of good practice, we use DPIAs to help us assess and mitigate the risks to children.
  • If our processing is likely to result in a high risk to the rights and freedom of children then we always do a DPIA.
  • As a matter of good practice, we take children’s views into account when designing our processing.”

NB: I’ve screenshotted all of it.

Someone at GDPR Legal lifted the whole thing uncredited and passed it off as their own work. A company that claims to be able to provide “practical and bespoke advice”, guiding “major projects in some of the UK’s largest businesses” nicked content from the ICO’s website. This kind of cutting and pasting gives plagiarism a bad name. At least GDPR’s previous Grand Master Plagiarist did it in style with some top-drawer endorsements.

The GDPR frenzy is over. Some of the new entrants have gone from strength to strength, and some of them are now selling kitchens. The current crisis will test everyone, and I doubt that the DP landscape will look the same in a year’s time. Nevertheless, while I hope the data protection sector remains robust enough to accommodate both the slick, corporate operations, and a few maniac artisans like me, it surely doesn’t need chancers any more? I hope we can all agree that a company that can’t even design its own privacy policy, that won’t admit who its experts are, and who steals from the regulator deserves to be shamed? I hope this blog might persuade a few unwary punters to do some due diligence before handing over their cash and perhaps pick a company who writes their own material. Whatever the LinkedIn blockers think of me, and I of them, surely we’re all better than this?

Lateral Thinking

Last week, I wrote a blog about the ‘personal data agency’ Yo-Da, outlining my concerns about their grandiose claims, the lack of detail about how their service works and their hypocritical decision to ignore a subject access request I made to them. Predictably, this led to further online tussles between myself and Benjamin Falk, the company’s founder and ‘chief talker’. As a result of our final conversation, Yo-Da has effectively disappeared from the internet. Clearly, I touched a nerve.

Yo-Da’s website made concrete claims about what their service did, and in fact had done. There were testimonials from satisfied users, and three case studies. Although it was clear that the service wasn’t operating yet, the testimonials were unambiguous: here is what Yo-Da has done for me. There was no hint that they were fictional, nothing to suggest that the service couldn’t do what the site said.

Yo-Da systematically and automatically exercises your data rights

+

Use Yo-Da to ask any company in Europe to delete your personal information

User ‘Samuel’ claimed “Now I go to Yo-Da, search for the company whose (sic) been breached, and with 1-click find out what is happening with my personal information”, while ‘Nathan’ said “Yo-Da was simple to use and helped me understand just how many businesses in Europe have my data.

None of this is true. Yo-Da do not have a working product that does these things. As Falk put it to me “Our technology is still under development” and “We have some ideas that are working. They aren’t perfect.” I am not saying that Yo-Da aren’t developing an automated data rights service; I’m certain that they are. I’m not saying a product will never launch; I expect that it will and I am looking forward to it, though perhaps not for the same reason as Samuel and Nathan. The point is, it doesn’t exist now and the website said that it did.

Originally, Falk claimed that he had deliberately ignored my subject access request because it was unfounded. ‘Unpleasant’ people like me don’t have data rights, he claimed. This didn’t sound right, especially as after I published my blog, Yo-Da’s DPO (Trilateral Research) suddenly woke up and tried to process my request, as if this was the first they’d heard of it. During our correspondence, they made it clear that they agreed with Falk’s decision that my request was unfounded, but were silent on the decision to ignore it.

But in my argument with Falk, he admitted the truth “We have an outsourced DPO for a reason; we can’t afford a full time one. That’s why the SAR went ignored; our service isn’t live yet and so we didn’t expect to receive any requests, because we aren’t collecting any personal data on anyone

In a single tweet, Falk said a lot. He was admitting that all of the testimonials and case studies were fake (he ultimately said to me that they were “obviously fake”). At the same time, he was also not telling the truth. Falk said that the website was a “dummy” to “gauge interest”. In other words, the site exists as an advert for a theoretical service, but its other purpose is to persuade people to sign up to Yo-Da’s mailing list. It was designed to collect personal data. Yo-Da were saying ‘sign up with us to use this service that actually works’. I believe that this is a direct breach of the first GDPR principle on fairness and transparency. I want to know why Trilateral Research acted as a DPO for an organisation that did this.

Falk said that he was joking when he said that he ignored my request on purpose, but Trilateral didn’t acknowledge that. They wrote of a ‘delay’ in acknowledging my request, but concurred with Falk’s unfounded decision. That decision was never made; my SAR was just missed. Nobody was checking the ‘dpo@yo-da.co’ email account – Falk wasn’t, and neither were they, despite being the putative DPO. Either they didn’t know what had happened, or they didn’t care. They definitely backed up their client rather than digging into why a SAR had been received and ignored on spurious grounds without their involvement. Let’s be generous and assume that they didn’t know that Falk was bullshitting. Their client had taken a controversial and disputable decision in a SAR case, and he hadn’t consulted them before he did it, but they didn’t acknowledge that. They backed the unfounded refusal.

Even if Yo-Da one day launches a product that successfully facilitates automated data rights requests to every company in Europe (prediction: this will never happen), they definitely don’t have that product now, and their website claimed that they did. Either Trilateral didn’t know that this is the case, which means that they failed to do basic due diligence on their client, or they knew that the Yo-Da website was soliciting personal data on the basis of false claims.

When I pointed out to Falk that all of the sign-up data had been collected unlawfully (it’s not fair and transparent to gather data about a service that doesn’t exist), the conversation ended. The Yo-Da website instantly vanished, and their Twitter account was deactivated minutes later. I’m certain that Falk will be back, his little spat with me considered to be no more than a bump in the road to world domination. But forget him; what does this say about Trilateral? The best defence I can think of is that they took Falk’s money to be in-name-only DPO but didn’t scrutinise the company or their claims. This is bad. If they had any idea that Yo-Da doesn’t currently do what the website claimed, it’s worse.

According to the European Data Protection Board, the professional qualities that must be demonstrated by a Data Protection Officer include “integrity and high professional ethics”. I seriously question whether Trilateral have demonstrated integrity and high professional ethics in this case. It’s plainly unethical to be named as DPO for an organisation, and then ignore what comes into the DPO email address. Article 38(4) of the GDPR states “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation” but Trilateral weren’t even listening. It’s unethical to take on a client without knowing in detail how their services work (or even whether their services work), and that’s the only defence I can see in this case. It’s unethical to be DPO for an organisation that is making false or exaggerated claims to obtain personal data.

I regularly get asked by clients if I can recommend an outsourced DPO or a company who can do the kind of sustained consultancy work that a solo operator like me doesn’t have the capacity for. There are a few names I’m happy to give. I have no hesitation in saying that on the basis of this shoddy episode, I wouldn’t touch Trilateral Research with a bargepole.

The Curse of the Padlock

One of the dangers of working in Data Protection is the risk of becoming a pedant. Precision matters; court cases have turned on the meaning of individual words like ‘likely’ and ‘distress’. The legislation is a maze of definitions and concepts that the competent practitioner needs to get to grips with. Lazy thinking can be revealed by an inability to get the details right, so it’s possible to become obsessed with the detail. Even the BCS Data Protection exam has a question which requires you to list the elements of the definition of consent in the right order. It’s easy to lapse into pedantry, to point out every wrongly quoted article, every jumbled phrase.

Nevertheless, getting a simple thing right is often important. GDPR does not cover ‘personal identifiable information’; it covers ‘personal data’ and the definition of the two is not the same. A person who talks about PII in the context of European Data Protection is starting in the wrong place (the US), and can make mistakes as a result. Another error that seems to be creeping in all over the place is more profound, and risks entrenching one of the biggest misconceptions about how data protection works, a misconception many of us have spent years trying to break down.

The problem is the phrase ‘data privacy’.

I see it everywhere – on LinkedIn naturally, in news coverage of the sector, and predictably, the ICO has fallen for it. They describe themselves as “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” Look at the Data Privacy Advisory Service, who summarise their services as “At DPAS we help organisations safeguard the fundamental human right to have data kept private by putting in place the best possible protection to keep it secure. This is delivered in line with the General Data Protection Regulation (GDPR) and The Data Protection Act 2018.”

The idea is nonsense. It doesn’t exist. There is no right to data privacy – there is certainly no fundamental right ‘to have data kept private’. This isn’t a snide dig at someone quoting the wrong article. The concept of ‘data privacy’ is a complete misunderstanding of what Data Protection is for, and everyone who promotes it is actively thwarting the efforts of the rest of us to implement data protection in a practical way.

Article 8 of the European Convention on Human Rights says: ‘Everyone has the right to respect for his private and family life, his home and his correspondence“. This right is not absolute; it can be interfered with (only when necessary) in the interests of “national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others“. The right is not just about data – it certainly can be, as is evidenced by cases where celebrities and others use the privacy right to prevent the use of images that breach their right to privacy. But the right to privacy doesn’t have to be about data at all – you can breach a person’s right to privacy by simply observing them, by being in a place where they expect privacy, or by denying them the opportunity to do something privately. Data doesn’t have to come into it.

Clearly, if you did a Venn diagram, there would be circumstances where privacy and data protection overlap. By following the Data Protection principles when you handle a person’s private correspondence for example, you probably also do what’s necessary to protect their privacy. The same is true for confidentiality – not all confidential data is personal data, but a decent stab at the principles will probably respect both. There is, however, a significant portion of the Venn diagram where Data Protection and Privacy do not meet, and the DP part of that is important.

The notion of ‘Data Privacy’ obscures two vital elements of Data Protection. First, data protection is not only about private data. It is covers all personal data, private, secret, and public. For years, I have been banging my head against the brick wall of ‘it’s not personal data, it’s in the public domain’. Trying to explain to people that data like photographs, email addresses and other publicly available data is still personal data, just available and easier to use than some other data has long been a difficulty. There was a chink of light in Article 14 of the GDPR which clearly states that a person should be informed even when their data is accessed from ‘publicly accessible sources’. This explicit recognition that public data is still personal data is very helpful, but the notion that ‘data protection’ and ‘data privacy’ are interchangeable muddies the waters again.

Second, in related news, GDPR is not about keeping data private; it is about ensuring that personal data processing is properly regulated. For years, Data Protection has been plagued by the padlock. The Information Commissioner used it as a logo (‘but the padlock is unlocked’ is a defence that umpteen different ICO folk have used when I complained about it), and when I did a Google image search for ‘Data Protection’ today, this is the top set of results:

Screenshot 2019-05-26 at 09.17.53

The problem with the Data Protection Padlock is that it presents the legislation as something that locks data up, keeps it away from people. This understanding of data protection leads directly to the belief that disclosure of personal data is inherently problematic and exceptional, and that belief is toxic. I’m not persuaded that Victoria Climbie or Peter Connelly died solely because data about them wasn’t shared, but the pervasive fear of data sharing didn’t help. The GDPR says that ‘the protection of natural persons in relation to the processing of personal data is a fundamental right‘. The word ‘privacy‘ isn’t mentioned anywhere beyond a reference in a footnote to the ePrivacy Directive, and the processing of personal data is firmly put in the context of operating the EU’s internal market: “This regulation is intended to contribute to the accomplishment of an area of freedom, security and justice, and of an economic union“.

You can’t achieve the economic union by locking all the data away, by keeping it private. To characterise data protection law as being about ‘data privacy’ is to misrepresent its purpose completely. European Data Protection is a compromise – trade is underpinned by the use, even the exploitation of personal data, but people have rights, they have control over their data in some (but not all) circumstances, and the legislation built on foundations of transparency and fairness, not privacy. Arguably, the GDPR tries to even up the power imbalance in some circumstances, but it is not designed to lock up data and keep it private.

Of course, some people might be using ‘privacy’ as a synonym for ‘secure’ – the DPAS statement above seems to elide the two. Only a fool would want to play down the importance of security in the context of using any personal data, but the reduction of Data Protection solely to security is as destructive to a proper understanding of it as the privacy / protection mess. We’ve managed to drag Data Protection out of the IT department, and we need to stamp on this idea that security is the exemplar of good DP practice. Your data can be private and secure, but kept for no good reason, for too long, in an inaccurate state, and there could be too much of it.

Some personal data is private and should remain so. In many situations, the processing of personal data without an eye on people’s legitimate expectations of privacy, especially when monitoring, watching or listening to them, is likely to be unfair and so unlawful. There is a strong link between Data Protection and Privacy, and any attempt to divorce them would be stupid. But the use of ‘data privacy’ as a synonym for data protection is misleading and dangerous – it perpetuates a fundamental misreading of what the legislation is for, and makes the lives of everyone trying to make GDPR work effectively a thousands times harder. It’s time to take this nonsense, lock it up and throw away the key.

Home, James

A few months ago, I wrote a blog about data protection and nonsense, highlighting inaccurate claims made by training companies, marketers and pressure groups. A bad tempered spat ensued in comments on LinkedIn between myself and Russell James, the marketer behind the lobbying attempt to change the ICO’s funding model to include cost recovery. James insisted that it didn’t matter that a letter sent by four MPs to the DCMS asking for the change, apparently at his instigation, contained inaccurate claims (the description of DP breaches as ‘crimes’) and embarrassingly got the name of the Information Commissioner wrong (it’s the Independent Commissioner of Information, according to the distinguished Parliamentarians, or whoever actually wrote it).

I asked James what the Information Commissioner’s Office themselves thought of his plan to allow the ICO to recoup the costs of investigations from those “found guilty of data crimes” (which I think means those who are in the receiving end of enforcement from Wilmslow, although it’s hard to be 100% certain). The idea that someone would persuade MPs to lobby the ICO’s sponsor department to change their funding mechanism without at least the tacit approval of the Commissioner or her staff seemed ridiculous, but the normally prolix Mr James was silent on the matter. So I decided to ask the Information Commissioner.

I made an FOI request including all of the following information:
1) Any recorded information about approaches made by Russell James or others to the ICO about the idea of the ICO adopting a cost-recovery model, including any correspondence with Mr James or his associates.
2) Any responses provided to James or others about the ICO adopting a cost-recovery model.
3) Any correspondence with Tom Tugendhat, Yvette Cooper, Dominic Grieve or Damian Collins, or their staff about the idea of a cost-recovery model, or the letter sent to the DCMS
4) Any internal discussion of the cost-recovery model.
5) Any correspondence, notes of meetings or other records of meetings between Mr James and any ICO member of staff, including the names of the staff. (this was subsequently clarified to cover only the cost recovery model, and not any other correspondence Mr James might have had with the ICO.)

Whatever the ICO made of Mr James’ ambitious plan, I was certain that this request would capture their thoughts. At worst, the ICO might refuse to disclose their internal discussions of the idea, but at least I might get some sense of the extent of them.

The ICO provided me with three paragraphs from a letter sent to them by Mr James around the time the MPs wrote to the DCMS. James told me that ICI letter was written by the office of Tom Tugendhat, but this one was remarkably similar in tone, and had the same lack of understanding of how the Data Protection enforcement regime works. James told the ICO that they were about to “leverage significant revenue“. Greatly increased income for the DCMS via the huge sums GDPR fines paid to them would, James asserted, result in much more cash for Wilmslow. This sounds great, if it wasn’t for the the fact that the ICO hasn’t issued a single penalty under the GDPR yet. More importantly, he is confused about what happens to the penalties, and how the ICO is funded. DP penalties have always been paid into the Treasury’s consolidated fund, bypassing the DCMS altogether. Moreover, the ICO doesn’t receive any funding from the DCMS for its Data Protection work. As this document (freely available on the ICO’s website) states, all the ICO’s DP work is paid for by DP fees collected from Data Controllers, as has been the case for many years. The ICO could do a CNIL-style €50 million penalty every week, and neither they nor the DCMS would see a cent of it.

James also claims in his letter that his campaign has “ministerial support from government officials“; I don’t know if that he’s claiming the support of ministers, or the support of government officials, but the phrase itself sounds like it was written by someone who doesn’t know the difference between the two. I’d ask him which it was, but I sent him a single direct message asking for comments before publishing the last blog I wrote this issue. He ignored me, but later pretended that I had deluged him with many such messages. If Tugendhat hadn’t tweeted the ICI letter, I’d think it was fake.

Whatever the shortcomings of Mr James’ insights into Data Protection (when I told him I was making an FOI about his plan, he thought it was the same as a SAR), his confidence in the success of the James Tax is hard to fault. According to him, it is now “a short time before your department (ICO) will have a more resilient financial footing“. Given this thrilling news, one can only speculate at how excited the fine folk of the ICO would be at the impending cash bonanza.

Alas, apart from a copy of the ICI letter, which the ICO sensibly chose not to provide to me as it was plainly in the public domain, they held no data about the James Tax. None. Nothing. Nada. Indeed, they made a point of telling me: “For clarity, I can confirm that we do not hold any information which falls within the scope of the other parts of your request“.  This means that they did not have any recorded discussions about it, share the letter internally, or even reply to that part of Mr James’ letter. If anyone had anything to say about the James Tax, they didn’t want to write it down.

Mr James has set himself up as the doughty defender of “Liz and the crew” as he once described his surprisingly reticent friends in Wilmslow to me. He has launched a campaign to change the law and roped four two highly respectable MPs in to support it. I think it is reasonable to ask whether someone with such a misbegotten understanding of how Data Protection works is the right person to change it. Given that the ICO has seemingly offered no support, not even a comment on his plan, I assume that they do not welcome the idea. It’s not hard to imagine why – calculating the costs of an investigation is extra work and bureaucracy. Moreover, if the ICO is entitled to claim the costs of victory, surely it should be forced to foot the bill for defeat – every time the ICO’s enforcement team’s investigation results in no action, the ICO should contribute to the time the controller spent in answering the many letters and information notices for which the office is celebrated.

If a case goes to appeal, while the James Tax would presumably allow the costs of going to the Tribunal to be recouped if successful, for fairness’ sake, the same logic must apply the other way around. If the Tribunal vindicates the ICO’s target (and losses at the Tribunal are not unknown, especially in recent times), presumably the ICO would have to pay the legal bills too. There are already financial incentives and advantages for the Commissioner. If the ICO issues a financial penalty, the controller gets a 20% discount if they choose not to appeal. If a controller’s actions are truly misbegotten and they choose to appeal, the Tribunal and the courts above can award costs against the recalcitrant data controller. To change the relationship further in the ICO’s interests should not just be one-way.

If the James Tax includes recouping costs of dealing with appeals (and my arguments with him on LinkedIn suggests that it does), this will also have a negative effect on one of the most important parts of the DP enforcement system. Any controller who has been fined will, according to the James Tax, already face the added cost of the ICO’s investigation. Appealing – already a roll of dice in many cases – will be that much more of a risk. As well as their own costs, controllers will have to factor in the additional ICO tally.

We already have Denham grumbling about appeals, even using a speech by Mark Zuckerberg about possible regulation in the US as an excuse to demand he drops his appeal against the Facebook fine in the UK. James’ ideas might further suppress the possibility of appealing against ICO decisions. For everyone involved in the sector, this would be a disaster. To borrow James’ inaccurate criminal characterisation of DP enforcement, the ICO is already the investigator, prosecutor and judge – I don’t want to strengthen that hand any more. Moreover, in the interview above, Denham signalled disdain for the concerns of ordinary people, stating that they don’t complain about the right things. As part of its analytics investigation, the ICO has enforced on cases where there have been no complaints. Denham’s ICO need to be challenged, and challenged regularly. The tribunals and the courts frequently give detailed and helpful explanations of how the law works – ICO never produced guidance on consent as useful as the Tribunal’s decision in Optical Express, and whether the ICO wins or loses, all sorts of insights are available in Tribunal decisions.

Nobody appeals lightly. Combine Denham’s hostility to challenge with the James Tax, and we might lose vital opportunities for debate and caselaw. You can dismiss this blog as just an opportunity for me to take the piss out of another GDPR certified professional, but James has set himself up as a public campaigner. He wants to change how the ICO is funded and how all controllers are potentially treated. This cannot just pass without scrutiny, especially as he appears to lack both an understanding of the system he wants to change, and the support of the regulator whose powers he wants to alter. If the people arguing for changes don’t even think it’s important what the ICO is called or whether it’s a ‘department’ or not, we should wonder what other important details they have missed.