Live and Let Dai

To say that anything connected with GDPR is the worst example of its kind is a foolhardy business. I’ve read so many terrible articles, LinkedIn posts and Tweets about GDPR, to single any one of them out and say ‘THIS ONE IS THE WORST’ seems pointless. Most of them are bad. However, after watching 33 minutes of waffle, padding and gleefully misinformed bullshit, I am reckless enough to say that the intellectual property lawyer Dai Davis’ talk here is the worst presentation or talk I have seen about the GDPR in any format.

Admittedly, the trainer in me hated it because of the incompetence – Davis has to keep going back to the podium to change slides because he hasn’t brought a remote, and he pads the talk out with protracted questions to the audience that don’t add anything to what he is saying. When someone intelligent-sounding in the audience takes him on by asking a proper question, he runs a mile.

More seriously, a good chunk of the talk is taken up with an attempt to create a formula for how much you should spend on data protection compliance based on the likelihood of being fined. It’s an eye-catching and controversial thing to throw out in a conference, but I don’t believe even Davis knows what point he’s making. Is he really saying that a every organisation should spend a meaningless, averaged-out €2000 to comply with GDPR, or is that just a flourish? Every organisation is different to another, and will have radically different priorities and appetites for risk, so trying to create a standardised methodology is so random and unhelpful, I don’t think it’s a serious point.  Given the number of basic mistakes and baseless assertions he makes in such a short time, however, the only thing I can add to his calculations is that however much you spend on GDPR, you should probably not spend it on advice from him.

I may not have got them all, but here is as full a collection of all the blunders as I could manage:

  • Davis cannot remember how many deputies the Commissioner has, but he knows that it’s between 11 and 13. There are 3 deputies (James Dipple-Johnstone, Paul Arnold and Steve Wood); there have never been more than 3.
  • Davis consistently gets the name of the ICO wrong – it’s almost always the ‘Information Commission Office’, although he varies it at least once with ‘Information Commission Data Protection Officer’ (he wasn’t talking about their DPO). To be charitable, it might be because he’s talking quickly, but the errors are relentless. He clearly thinks that Elizabeth Denham’s job title is ‘ICO’. because he calls her this repeatedly, and talks about what he would do if he was “the ICO“.
  • He asserts that the GDPR is not a ‘step change’ from the old legislation solely because it has lots of words, even though many of those words are very similar to words in the same order in the old version
  • He notes that there has not been a GDPR fine yet. Davis was speaking on May 30th, two days after the first 72 hours to *report* a relevant breach would have elapsed.
  • He asserts several times that in theory “every single breach” has to be reported to the ICO. This is completely false. There is a specific definition of a breach in the GDPR and incidents that do not meet a certain threshold of risk do not have to be reported.
  • He says that telecoms companies had to report breaches to the ICO since 2012. Communications providers have had this duty since 2011, not just telecoms companies.
  • Davis claims that public sector bodies self-report breaches to the ICO because they have no idea about how to take a commercial risk. There is the problem that public sector bodies are not commercial organisations by and large, so that argument makes no sense, but it’s also factually incorrect. To take one example, NHS bodies (the example shouted out by an audience member) have been obliged by the operation of the Information Governance Toolkit to report breaches to the ICO since at least 1st June 2013 (I think it was actually earlier than this, but that’s the one given in a Toolkit document that Davis could have found with a single Google search if facts were something he had any curiosity about).
  • Davis claims that the ICO is not really responsible for prosecutions for S55 offences, despite talking exclusively about prosecutions that the ICO carried out.
  • He includes the prosecutions in his calculations for the risk of being fined by the ICO, seemingly unaware that fines and prosecutions are two entirely distinct activities, with S55 prosecutions being against individuals rather than organisations. Throughout, Davis talks about the ICO enforcing on ‘people’, so I don’t know if he knows that the penalties were issued against data controllers.
  • He says that there were 18000 complaints in 2016 and the ICO has done nothing about nearly all of them. As someone who thinks the ICO is crap, even I have to acknowledge that most of these complaints were resolved informally and the absence of a fine does not mean that nothing happened. In quite a few cases, the complaint would not have been valid, and so no action would be appropriate.
  • He twice says that the maximum penalty for a breach under the DPA 1998 was £5,000,000; it was £500,000.
  • He quotes the head of the ICO’s ‘Breach Notification Division’, which does not exist.
  • He claims that the GDPR contains more loopholes that requires the ICO to hire criminal lawyers. The standard of evidence for a GDPR breach is balance of probabilities, and GDPR removes the requirement to prove damage or distress for a monetary penalty.
  • He says the ICO has 700 staff – they haven’t recruited these staff yet.
  • He tells a story of how he tells his hotel clients (who, if they exist, have my pity) that they cannot claim to be GDPR compliant because they use “mobile telephones” and allow their staff to send text messages. According to Davis, it is impossible to use mobile phones securely.

At the point where Davis says “smart lawyers like me“, my jaw did not drop, it fell off.

Leaving aside how garbled and smug Davis’ performance is, you might wish to charitable and take on his central thesis – that you probably won’t get a GDPR fine. He’s right. There have been relatively few penalties under Data Protection thus far and so the risk of getting one is relatively small. I cannot disagree with this banal point because I have made it myself any times. However, I can’t tell if his conclusion is simply that nobody should bother complying or whether there would have been a ‘however, you should comply because…’ moment, because there isn’t a conclusion. Presumably because he has run out of time, Davis just stops. So what, Dai? What’s your point? What should the audience do with this information? Should they just ignore GDPR?  There’s definitely a sense of this when he says that 10 years from now, the owner of a B&B will not know what GDPR is.

If Davis had the guts or the discipline to get to a conclusion that GDPR doesn’t matter, that would have been something. His contempt for detail would still be an impediment, but ‘Ignore GDPR’ is an assertion worth tackling. I could counter by arguing that the threat of a fine isn’t a good reason to comply, but respecting human dignity and avoiding harm to real people though inaccuracy, intrusion and insecurity is, but Davis never stops circling the airport, so I don’t even know if that’s what he’s saying.

If his contention that organisations don’t have the ability to measure risk effectively and need to get GDPR in perspective, that’s actually a good point, but he makes it so incompetently that again I’m not motivated to take him on. I have grudging sympathy for the idea that reputational damage is an overhyped risk (again, it’s not a point he makes clearly), but I know that many in the Data Protection world would passionately disagree, and I suspect that they could use Facebook’s current woes as evidence that public perception over data misuse isn’t something that boardrooms can ignore.

In the end, I think Davis is a clever man pontificating about a subject he neither cares for or understands, but the danger is that people will watch the talk and be contaminated by it. You could argue that I am making it worse by drawing attention to it solely so I can take the piss. All I can say is, the talk is out there. People will see it. As this is the case, if you find his argument (such as it is) attractive, it’s worth pointing out how sloppy and ill-informed his thinking is. It’s worth asking if this is the ‘Ignore GDPR’ guy, why would you listen to him?

Cop out

On May 3rd 2018, Elizabeth Denham appeared on Channel 4 News as part of her long running commitment to generating headlines. Denham’s track record on the programme is not great – it was on the same programme in March that she adopted the interesting tactic (uniquely, as far as I can see) of informing an organisation in public and in advance that she planned to apply for a warrant to raid them, losing what might be a useful element of surprise in order to look tough in front of Jon Snow.

In the more recent interview, the Commissioner claimed that she had the power to fine directors and had done so. I made an FOI request about this, and the ICO admitted that “we do not have the power to directly fine directors“, directly contradicting what Denham said. You can tell me that ICO has the power to go after directors in limited circumstances that can result in a court issuing a fine and that must be what she meant (ICO did) but that’s not good enough. The DP regulator went on the telly and claimed to have a power she doesn’t have – it’s surely part of Denham’s job to increase understanding of Data Protection, not to muddy the waters.

In the same interview, Denham cheerily announced that she saw herself as a Sheriff of the internet. Arguably, she should be a Mountie but let’s leave that to one side. I assumed that the statement was a throwaway, not a serious statement of how Denham sees herself and her office. I was wrong. There’s a pattern. In a fawning profile by the Observer’s Carole Cadwalladr a few weeks ago, the Commissioner delivered a soundbite that I suspect is intended to epitomise the Denham Era: “Data crimes are real crimes“. And in the recently leaked DCMS Committee report into Fake News, she was at it again:

For the public, we need to be able to understand why an individual sees a certain ad. Why does an individual see a message in their newsfeed that somebody else does not see? We are really the data cops here. We are doing a data audit to be able to understand and to pull back the curtain on the advertising model around political campaigning and election

I think the misleading impression being created here could attract the label ‘fake news’ just as much as any of the internet nonsense Denham and her fanbase are supposedly against. Data crimes are usually not real crimes, and in most cases, the ICO are not the cops. The GDPR doesn’t make anything a criminal offence, and the offences under the Data Protection Act 2018, like those in its predecessor the 1998 Act, are specific. It’s a criminal offence to take, procure or sell personal data without the permission of the data controller; it’s an offence to re-identify depersonalised data (in circumstances so tightly defined I doubt there will be a successful prosecution), and it can be an offence to oblige someone to make a subject access request. Admittedly, the DPA 2018 is stricter in this area – offences under the DPA 1998 were not recordable so you wouldn’t get a criminal record if you committed them, a position that is sensibly reversed in the new version.

However, in some circumstances, the DPA 2018 is less oriented towards offences than the  DPA 1998. A breach of an Enforcement or Information Notice is no longer subject to prosecution, being punishable by a penalty instead. That might result in stricter punishments, but that depends on Wilmslow showing a willingness to use the powers, and in any case, it’s not a criminal sanction. The much-vaunted criminal prosecution of SCL by the Commissioner over David Carroll’s subject access request is doomed in my opinion, but if it goes ahead, it will almost certainly be the last prosecution for a breach of a notice. None of the DP offences are punishable with prison, and for all Denham’s bluster about being a data cop, she never publicly applies the pressure for custodial sentences. For all his faults, her predecessor Christopher Graham never missed an opportunity to do so.

If Facebook willingly shared its customers personal data with Cambridge Analytica, it would not be a criminal offence. If they reused their customers’ data and sold it to list brokers, it would not be a criminal offence. As drafted, the ‘victim’ of most data protection offences would be the data controller, not the person whose data is misappropriated, sold or misused. Denham wants to conjure up images of cops and robbers, but she’s misleading the public. Who knows, maybe she doesn’t want people to realise that the only sanction for the majority of data transgressions are monetary penalty that she has the power to approve. Maybe she means ‘data crimes should be real crimes‘, but if that’s the case, that what she should say instead of giving the wrong impression.

There’s another problem. By setting herself up as the Internet Sheriff, Denham is creating expectations I don’t believe she’s prepared to meet. In all her public appearances, the Commissioner is clearly trying to mark out the internet and new technology as her manor. Supporters like Cadwalladr are only too happy to play along. The Observer piece contains a brief but devastating verdict on thirty or so years of ICO work and four previous Commissioners: “a somewhat dusty regulator dealing in a niche topic“. I’m the last person to defend the ICO, but this writes off Wilmslow’s endeavours on phone hacking, union blacklisting, the lost HMRC data disks and many DP and PECR fines which even I can’t deny have changed behaviour for the better in many sectors. I can’t say that Denham endorses this trashing of her predecessors’ efforts, but she hasn’t repudiated it either. What must her staff think of it?

Strip away the recent headlines for prosecutions and £500,000 fines that haven’t actually happened yet, and Denham’s record is hardly the Data Protection equivalent of Wyatt Earp taking on the Clantons. When dealing with the misuse of 1.6 million people’s data by the Royal Free Hospital and the AI company owned by Google (exactly the kind of tech territory we’re supposed to believe she wants to police), Denham’s ICO asked the Royal Free to sign an undertaking. There is no automatic sanction if they go back on it. Faced with multiple instances of charities profiling potential donors in secret (not a million miles away from the kind of surreptitious data gathering that attracts her current ire), Denham’s response was reportedly to cut the originally proposed fines, such that Oxfam was fined just £6000. Late in 2017, Sheriff Denham issued an enforcement notice against the Ministry of Justice over shameful and long-running subject access backlogs that doubtlessly affected many people in desperate legal circumstances. She gave them eight months to comply and sneaked the notice out on the last working day before Christmas without a press release.

You can tell me that the ICO has consistently issued monetary penalties on Denham’s watch but so did Graham, though the double whammy of £400,000 CMPs on both TalkTalk and Carphone Warehouse weigh against my argument to some extent. But beyond those, Denham has done nothing revolutionary or interesting in enforcement. There has been no action on accuracy or retention, and little on the vital first principle beyond the charity cases that were obviously started under Graham.

Outwardly, Denham seems poised and plausible. Fate has dealt her the biggest data protection story in a decade and some overly sympathetic press coverage, so maybe she’s right to milk it and build up her part. There’s no question that she has a higher public profile than any of the Commissioners who have gone before her, and I know a lot of people in the DP world who think that this is automatically a good thing. I’m not convinced. I think ‘data crimes are real crimes’ could become as unhelpful a distraction as the pervasive ‘GDPR = consent’ myth, and nothing about the past two years convinces me that Denham really has what it takes to round up the internet’s outlaws. As always, I will delighted to be proved wrong; some eyecatching monster scalps is what I have spent years of blogging asking for, and it will make my job easier for the next few years. But unless she really pulls out the big guns, the Commissioner’s legacy may be less Gunfight at the IT Corral, and more Denham’s Last Stand.

 

“masterclass in not answering questions”

Just about a month ago, I had a little Twitter disagreement with Paul-Olivier Dehaye, patron saint of subject access requests. He said his tool for making subject access was brilliant and revolutionary, and I said it was shit. There was a bit more to it than that, but I was hoping to make this a short blog.

The use of third parties to make subject access requests on one’s behalf is not new – solicitors have always done it, and companies have made batched SARs at least since the bank charges furore of the last decade. The problem with a third party – or automation of the process – is that it gives the Data Controller something to play with. Dehaye admitted to me that in all the time he spent developing his SAR tool, he didn’t speak to anyone with any experience of dealing with SARs from the controller’s perspective, and it shows.

Even though one of Dehaye’s tedious cheerleaders told me that SARs were going to be “frictionless” post-GDPR, there are inevitably some bumps in the road when asking for data even in this Brave New World. The Data Controller needs to identify the application properly, and the involvement of a third party might complicate that – or might be exploited to complicate that, as anyone who has ever dealt with a poorly-written solicitor SAR can probably tell you. If there is a lot of data, the controller can ask the subject to narrow the scope of their request. If they believe that the request is unfounded or excessive, they can make a charge, or even refuse. An automated third party doesn’t make any of this easier.

Ironically given his status as pro-DP activist, I think Dehaye wants SARs to seem difficult. “In my own experience, SARs are complicated to do in a way that properly defends data subject rights” he said, but given that he’s building a business based on data, he kind of would say that. When I first encountered him, Dehaye told me that he was planning to charge subjects for using his tool; while that plan might have changed, he gets evasive when you ask whether he might charge for add-on services in the future. One of the main advantages of GDPR for the subject is that SARs are now free – the best way to exercise the right is to ask for the data direct, without the involvement of a politically-motivated middleman whose company isn’t even in the EU. I voted Remain and I think Brexit is moronic, but that doesn’t mean that weaponising SARs is a good idea. After all, someone might turn round and do it to you.

I decided to make a SAR to Dehaye’s company on the 25th May. His response, though admirably swift, wasn’t exactly the zenith of transparency that one might have hoped for. One might even describe it as a masterclass in not answering questions. I provided a variety of different email addresses and phone numbers that the company might hold in relation to me – the purpose of this was to allow the data controller to identify whether any of my data was held. I did the same thing with my request to Experian – I don’t know what data Experian holds on me, so I provided all the possible identifiers that I could think of. I don’t know what, if any, data Dehaye or his company might hold, so I needed to provide a variety of different identifiers.

EDIT: in response to a request from the data controller, click here for the full text of my request (redacted only to remove personal data that is not in the public domain) and the full text of their reply.

Article 12 of GDPR states that “The controller shall facilitate the exercise of data subject rights under Articles 15 to 22” and shall answer requests unless it “demonstrates that it is not in a position to identify the data subject” – it is plainly correct for the controller to want to know who the applicant is, in order to avoid giving data to the wrong person. However, Recital 64 says that the controller’s measures to identify the subject must be “reasonable“. Dehaye demanded that I send a separate request from each of the email addresses I specified. This means that he thinks that if an organisation has harvested emails from a variety of sources, the controller only has to disclose data if they receive confirmation from that account that it is linked to the subject. So if a person applies from a Gmail account, and the controller has harvested a work email address, even if they have linked the two together, Dehaye doesn’t think that the subject is entitled to the work-related data unless they make a separate request.

Similarly, I provided my home address, my 2 mobile numbers (business and personal) and my landline. Bear in mind, a data controller may have harvested all of this data, so the SAR applicant might need to provide it in order to say this is me, this is my data, do you have it? Dehaye’s response to this part of my request was to demand copies of phone bills for each account, and a recent utility bill for the home address. Clearly, this is the approach he would advocate for any data controller faced with such a request. As it happens, my girlfriend’s name is on the landline account, so I cannot prove that the landline is my personal data, even though it is. One of my mobiles is pay-as-you-go, so I don’t get bills, and the work mobile is on my website, and so can be linked to me without the need for unnecessary proof. As with most people, I receive electronic utility bills, and do not have them immediately to hand. Dehaye’s approach seems to be that if a Data Controller has harvested your data, subject access requires the applicant to provide a lot more personal data in order to get access.

The point of the ID check is to ensure that the person is who they say they are – once that’s done, if the controller has doubts about whether an identifier does link back to the subject (i.e. an email address), they can check, or just send any relevant data to that separate identifier. If Dehaye thinks that his approach is legally correct, there is no reason why Leave.EU, Vote Leave or any other organisation shouldn’t do exactly the same thing if they receive a SAR from now on. When I asked him in April how his tool would deal with the ID element he said “Let’s set the standard” – now we know what that looks like. It looks like giving huge quantities of personal data to someone you don’t trust.

This is a no-win – either Dehaye’s approach is right, and I have to go through an administrative nightmare when SAR-ing organisations that grab data from anywhere they can get it, providing them with a fat dossier of extra information before I can get access, or Dehaye is a hypocrite who complains about hurdles to subject access but builds a wall when asked to practice what he preaches. In any case, if Dehaye’s obstructive and unhelpful approach was correct, it would still be easier to handle without the added complication of a middleman.

UPDATE 28/5/18: Mr Dehaye has admitted that he deliberately adopted an obstructive approach because he thinks I am a trouble-maker. I believe that this is a clear breach of the GDPR; if the Data Controller Personal Data.IO is capable of playing these kinds of games, and deliberately discriminates against data subjects, I think this seriously undermines their credibility to act as an agent for other people’s SARS. The company is setting a cynical, obstructive example, and it would be catastrophic for subject rights if other controllers followed their lead.

Zero Gravity

In March, I received an unsolicited email from a company called Gravicus. It was scaremongering nonsense, touting their data management software via the threat of director liability for data breaches. So far, so what: I get a lot of spammy junk from GDPR people to my 2040 Training email address, but this was to a personal Gmail address that I don’t give out all that often. The email claimed that it had been sent to me because I was “registered on Leadiro”, who I have never heard of. Under PECR, email sent to an address for which I am an individual subscriber can only be sent with consent (or soft opt-in), and given that I had heard of neither Gravicus or Leadiro before the email arrived, they had neither.

I contacted Gravicus to make a subject access request on 20th March, asking how they had obtained my data, what Leadiro had told them and for any other personal data about me that they held. Separately, I contacted Leadiro and asked them why they were selling my data. Leadiro got back to me, and confirmed that they had not supplied my data to Gravicus.

Having had no reply from Gravicus beyond an automated acknowledgement, I emailed them again on April 2nd, asking for confirmation that my request was being dealt with, and also passing on what Leadiro said. A week went by with no acknowledgement, so I wrote to the company’s registered office address and business address, chasing them up.

Gravicus finally reacted on 16th April via a letter from their lawyers, Keystone Law. Keystone admitted on behalf of their clients that the Leadiro story was false, and that my data had been harvested from the “business oriented and professional website” LinkedIn. I apparently connected “voluntarily” with a named Gravicus consultant, who then exported her connections to obtain contact details of “relevant professionals in the sector”. Nearly a month into my request, Gravicus wanted a copy of my passport and utility bill, certified by a lawyer, accountant or similar professional, as well as the £10 fee. I paid the £10 and sent an uncertified copy of my passport. The lawyers still demanded the utility bill as proof of my address, despite the fact that Gravicus’ own version of events shows that they would have nothing to compare it to – they have only ever dealt with me via email or Twitter. In any case, Keystone had already named the individual who harvested my address, so if it was wrong to reply to my subject access request without proof of address, why was it right to give me the name of the consultant? I threatened to complain to the Information Commissioner, and they backed down. I have no doubt that Gravicus took this approach to obstruct my request, which when they had already breached PECR and Data Protection isn’t the best way to resolve a problem.

It is a breach of LinkedIn’s terms and conditions to

  • “Disclose information that you do not have the consent to disclose”
  • “Copy, use, disclose or distribute any information obtained from the Services, whether directly or through third parties (such as search engines), without the consent of LinkedIn”
  • “Use, disclose or distribute any data obtained in violation of this policy”

Harvesting and using email addresses from LinkedIn in breach of their terms and conditions, without transparency and a legal basis is a clear breach of Data Protection. Gravicus did not have my consent, and by misrepresenting the source of my data in the email that they sent me, they blew any chance of relying on legitimate interests. Their use of my data was unlawful. Gravicus’ lawyers claimed that the confusion over where my data came from was understandable because Leadiro was one source that they were using. But that isn’t true. The CEO of Leadiro told me explicitly: “Gravicus are not a Leadiro customer, and have never been a Leadiro customer“. Added to that, sending a marketing email to an individual subscriber without consent is a breach of PECR, and Gravicus knew I was an individual subscriber because their records had my address marked as ‘Personal’.

Despite the fact that Gravicus’ original spam email touted data breaches as being the personal responsibility of directors, one of the shabbiest things about their response is the way they sought to throw their consultant under the bus. They named her straight away, and claimed that the company didn’t know that she was harvesting emails from LinkedIn, even though their lawyers continually stressed that I had voluntarily made my email available to her. In other words, you asked for it, but we didn’t know it was happening. I don’t believe this, but it doesn’t matter whose idea it was. The directors are responsible for what their company does, not some consultant who blocks people on Twitter when they ask awkward questions. Instead of dealing with me like a human being, Gravicus lawyered up and tried to obstruct my subject access request with bogus demands for unnecessary personal data, itself an additional breach of DP law.

This might seem like a lot of fuss for a spam email. But look at what Gravicus is selling as a data processor. Their product works like this: “Tell Osprey your data sources, provide your access credentials and it will connect automatically to analyse your data“. As a data processor, they will have access to a huge amount of sensitive and possibly special categories personal data held by their clients. The GDPR states that data controllers “shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject“.

Gravicus harvested my data unlawfully, they gave me false information about where personal data has been obtained from, they demanded excessive personal data when dealing with my subject access request, and they sent me unlawful unsolicited emails in breach of PECR. They claim that they’ve stopped gathering data in this way, but it never should have happened in the first place, and suggests that the directors don’t know what’s going on in their company. In any case, when caught out, they hide behind their lawyers and consultants instead of dealing direct. Any organisation thinking of using them as a data processor should think long and hard about whether Gravicus can offer the kind of guarantees that GDPR requires.

Unambiguously yours

There’s an old joke about a tourist in Ireland asking for directions and getting the reply ‘If I was you, I wouldn’t start from here’. To anyone in the position of wondering whether to contact all of the people on their mailing list to get GDPR-standard consent to send marketing, fund-raising or promotional emails and texts, I can only say this: I wouldn’t start from here.

With apologies to regular readers who already know (there must be six of you by now), the problem comes because most of the people advising on the solution don’t seem to know what the problem is. They think that the General Data Protection Regulation makes a significant change to the nature of consent from what is required now, and so they tell their clients and employers that there is an urgent need to carry out a ‘re-consenting’ exercise. A memo has clearly gone out – a distinguished correspondent has sent me two examples of organisations sending out emails to get consent in the past week, and yesterday, the charity Stonewall used Valentine’s Day as a prompt to beg its supporters to ‘not leave us this way’. It was lovely, and it is probably an admission that Stonewall have been acting unlawfully since at least 2003, if not 1998.

Here’s the problem. The 1995 Data Protection Directive defines consent like this:

any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed

and

the data subject has unambiguously given his consent

If you’re new to this, read those sentences a few times. Think about ‘freely given’. Think about the consent being an ‘indication’, something by which the person ‘signifies’ their ‘agreement’. Think about ‘unambiguously given‘. If you think that this be interpreted as an opt-out, where are your car keys? Consent, according to you, is me taking your car keys and leaving you a legalistic note somewhere that says that unless you tell me not to borrow your car, I can borrow your car. Or because I borrowed it another time and you didn’t object, I can keep borrowing your car until you tell me not to.

This is nonsense. Consent cannot be inferred. It cannot be implied. A badly written opt-out buried in terms and conditions, consent assumed because I made a donation, the fact that you have my email address and you assume that I must have given it to you with my consent for marketing rather than (for example) you bought it from a list broker who launders dodgy data like drug money – none of these examples constitute consent. Consent is consent. You asked and I said yes. We all know what it means and to pretend otherwise is to lie so you can persuade yourself that you can spam people.

Yes, the GDPR adds a couple of things. It requires consent to be ‘demonstrable’. It states explicitly that consent can only be obtained by a ‘statement or by a clear affirmative action’. But if you claim that the absence of the above phrase in the Directive is any help to the opt-out model, you’re lying to yourself. An opt-out is inherently ambiguous, and the directive says that consent cannot be unambiguous. I might have misunderstood the wording (especially if the language was clunky or technical, which it often is), the data may have been obtained for a different purpose and the consent option is buried in terms and conditions, I might just have missed it or forgotten. The Directive is clear.

Jump ahead to the Privacy and Electronic Communications Regulations, based on Directive 2002/58/EC (often known the ePrivacy Directive). The definition of consent comes from the Data Protection Directive, and so if the ePrivacy Directive says you need consent, what you need is unambiguous, freely given, specific and informed consent. The ePrivacy Directive is enacted by the Privacy and Electronic Communications (EC Directive) Regulations 2003, or PECR (which all good people pronounce as ‘Pecker’ and revel in the opportunities that doing so affords them).

PECR makes life even harder for the opt-outers. For emails, PECR says that the recipient must have “previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender“. If you think that a person can ‘notify’ you by not doing something (i.e. not opting-out), once again, where are your car keys?

Surprisingly given all the execrable practice to which the Commissioner happily turns a blind eye, Wilmslow fired a shot across everyone’s bows with three enforcement cases last year. Morrisons and Flybe are to some extent red herrings as they deliberately targeted people who had explicitly opted out of receiving direct marketing, so when the companies emailed them asking them to opt back in, it was plainly bullshit. The Honda case is more interesting, in the sense that Honda ignored everyone who had opted in (because they’d opted in) and everyone who had opted out (naturally). They contacted people where they didn’t know either way, where they held no evidence of consent. Despite the fact that in all three cases, the contact itself wasn’t selling anything, all were sent for marketing purposes, and here, the ICO argued that the organisations didn’t have consent for sending emails for marketing purposes. It’s been argued by idiots that all Honda were trying to do was comply with GDPR, but that’s patently false. They were trying to pack out their marketing list before a perceived change in the law (GDPR) while ignoring another law that was just fine thanks (PECR).

And now we come to the payoff. If Stonewall (and all the others) have consent to send fund-raising emails, they don’t need to ask again. If they don’t have freely given, specific, informed and unambiguous consent, they shouldn’t be sending emails for marketing purposes now, even if the purpose is to ask for consent from people who are happy to give it because the email is inherently unlawful. It wouldn’t be unlawful for Stonewall to write to all of its supporters and ask them for consent, because post isn’t electronic so PECR doesn’t apply. I would say that there is plainly a legitimate interest for them to use post to ask people for permission to send fund-raising and promotional correspondence by email, so there is no GDPR problem.

The problem with a re-consenting exercise is that the organisation is basically admitting to a PECR breach. The problem is exacerbated by doing that re-consenting exercise by email, because as Honda have demonstrated, doing so is in itself a breach of PECR. People complained to the ICO about the Honda emails, which is why they enforced. If you do a re-consenting exercise by email, anyone irritated enough by the request may well complain. Then what?

So what do I think organisations should do in the light of all this? Well, I wouldn’t start from here. But ignoring the law for a moment, this might be a time to be pragmatic. If you send people content that they want and you don’t annoy them (email being less annoying and distracting than phone or text in my opinion), if you have nice big bright unsubscribe buttons, and if YOU RESPECT BLOODY UNSUBSCRIBE REQUESTS (Hello Daily Telegraph), what’s the risk? Why draw attention to yourself?

I am convinced that sending emails to people who haven’t opted-in is unlawful unless you’ve got the soft opt-in (which because it’s predicated on data gathered through a sale, most charities won’t have). But many organisations have been content to do that for years despite it being unlawful now. So what’s actually changing? I think everyone should comply with the law because privacy – the right to be left alone – is a vital foundation for a civilised society. But if you’re sitting on a mailing list and you’re not sure what to do with it, I would forgive you if you took a slower, longer path, taking every natural opportunity to get renewed consent from existing contacts, getting strong unambiguous consent from anyone new, and hoping that churn and natural wastage gets you where you need to be. And if you’re wrestling with this right now and you’ve read this far, good luck and best wishes.