Going Unnoticed

Last week, I came across an interview with Elizabeth Denham on a Canadian website called The Walrus that was published in April. There are some interesting nuggets – Denham seems to out herself as a Remainer in the third paragraph (a tad awkward given that she has only enforced on the other side) and also it turns out that the Commissioner has framed pictures of herself taking on Facebook in her office. More important is the comparison she draws between her Canadian jobs and her current role: “That’s why I like being where I am now,” she says, settling herself at a boardroom table. “To actually see people prosecuted.”

Denham probably wasn’t thinking of the run of legitimate but low-key prosecutions of nosy admin staff and practice managers which her office has carried out in recent months, which means she was up to her old tricks of inaccurately using the language of crime and prosecution to describe powers that are civil (or more properly, administrative). Since GDPR came in, she’s even less likely to prosecute than before, given that she no longer has the power to do so for an ignored enforcement or information notice. I don’t know whether she genuinely doesn’t understand how her powers work or is just using the wrong words because she thinks it makes for a better quote.

Publicity certainly plays a far greater part in the ICO’s enforcement approach than it should. A few months back, I made an FOI request to the ICO asking about a variety of enforcement issues and the information I received was fascinating. The response was late (because of course it was), but it was very thorough and detailed, and what it reveals is significant.

ICO enforcement breaks down into two main types. Enforcement notices are used where the ICO wants to stop unlawful practices or otherwise put things right. Monetary penalties are a punishment for serious breaches. Occasionally, they are used together, but often the bruised organisation is willing to go along with whatever the ICO wants, or has already put things right, so an enforcement notice is superfluous. The ICO is obliged to serve a notice of intent (NOI) in advance of a final penalty notice, giving the controller the opportunity to make representations. There is no equivalent requirement for preliminary enforcement notices, but in virtually every case, the ICO serves a preliminary notice anyway, also allowing for representations.

According to my FOI response, in 2017, the ICO issued 8 preliminary enforcement notices (PENs), but only 4 were followed up by a final enforcement notice; in 2018, 5 PENs were issued, and only 3 resulted in a final notice. The ratio of NOIs to final penalties is much closer; in 2017, there were 19 NOIs, and only one was not followed up with a penalty. In 2018, 21 NOIs were issued, 20 of which resulted in a penalty. Nevertheless, the PEN / NOI stage is clearly meaningful. In multiple cases, whatever the controller said stopped the intended enforcement in its tracks. In the light of many GDPR ‘experts’’ confusion about whether fines are real or merely proposed, the fact that not every NOI results in a fine is worth noting.

The response shows the risks of neglecting to issue a PEN. In July 2018, the ICO issued Aggregate IQ (AKA AIQ) with the first GDPR enforcement notice (indeed, it was the first GDPR enforcement action altogether). My FOI reveals that it was one of only a few cases where a preliminary notice was not issued. The AIQ EN was unenforceable, ordering them to cease processing any personal data about any UK or EU “citizens” obtained from UK political organisations “or otherwise for the purposes of data analytics, political campaigning or any other advertising purposes”. AIQ was forbidden from ever holding personal data about any EU citizen for any advertising purpose, even if that purpose was entirely lawful, and despite the fact that the GDPR applies to residents, not citizens. AIQ appealed, but before that appeal could be heard, the ICO capitulated and replaced the notice with one that required AIQ to delete a specific dataset, and only after the conclusion of an investigation in Canada. It cannot be a coincidence that this badly written notice was published as part of the launch of the ICO’s first report into Data Analytics. It seems that the ICO rushed it, ignoring the normal procedure, so that the Commissioner had things to announce.

The ICO confirmed to me that it hasn’t served a penalty without an NOI, which is as it should be, but the importance of the NOI stage is underlined by another case announced with the first AIQ EN. The ICO issued a £500,000 penalty against Facebook, except that what was announced in July 2018 was the NOI, rather than the final penalty. Between July and October, the ICO would have received representations from Facebook, and as a result, the story in the final penalty was changed. The NOI claims that a million UK Facebook users’ data was passed to Cambridge Analytica and SCL among others for political purposes, but the final notice acknowledges that the ICO has no evidence that any UK users’ data was used for campaigning. As an aside, this means that the ICO has no evidence Cambridge Analytica used Facebook data in the Brexit referendum. The final notice is based on a hypothetical yarn about the risk of a US visitor’s data being processed while passing through the UK, and an assertion that even though UK Facebook users’ data wasn’t abused for political purposes (the risk did not “eventuate”), it could have been, so there. I’ve spent years emphasising that an incident isn’t the same as a breach, but going for the maximum penalty on something that didn’t happen, having said previously that it did, is perhaps the wrong time to listen to me.

If you haven’t read the final Facebook notice, you really should. The ICO’s argument is that UK users’ data could have been abused for political purposes even though it wasn’t, and the mere possibility would cause people substantial distress. I find this hard to swallow. I suspect the ICO felt they had effectively announced the £500,000 penalty; most journalists reported the NOI as such. Despite Facebook’s representations pulling the rug out from under the NOI, I guess that the ICO couldn’t back down. There had to be a £500,000 penalty, so they worked backwards from there. The Commissioner now faces an appeal on a thin premise, as well as accusations from Facebook that Denham was biased when making her decision.

Had the NOI not been published (like virtually every other NOI for the past ten years), the pressure of headlines would have been absent. Facebook have already made the not unreasonable point in the Tribunal that as the final penalty has a different premise than the NOI, the process is unfair. Without a public NOI, Facebook could have put this to the ICO behind closed doors, and an amended NOI could have been issued with no loss of face. If Facebook’s representations were sufficiently robust, the case could have been dropped altogether, as happened in other cases in both 2017 and 2018. For the sake of a few days’ headlines, Denham would not be facing the possibility of a career-defining humiliation at the hands of Facebook of all people, maybe even having to pay their costs. It’s not like there aren’t a dozen legitimate cases to be made against Facebook’s handling of personal data, but this is the hill the ICO has chosen to die on. Maybe I’m wrong and Facebook will lose their appeal, but imagine if they win and this farrago helps them to get there.

The other revelation in my FOI response is an area of enforcement that the ICO does not want to publicise at all. In 2016, the ICO issued a penalty on an unnamed historical society, and in 2017, another was served on an unnamed barrister. I know this because the ICO published the details, publicly confirming the nature of the breach, amount of the penalty as well as the type of organisation. One might argue that they set a precedent in doing so. What I didn’t know until this FOI request is that there have been a further 3 secret monetary penalties, 1 in 2017 and 2 in 2018. The details have not been published, and the ICO refused to give me any information about them now.

The exemptions set out the ICO’s concerns. They claim that it might be possible for me to identify individual data subjects, even though both the barrister and historical society breaches involved very limited numbers of people and were still published. They also claim that disclosure will prejudice their ability to enforce Data Protection law, using this justification:

“We are relying on this exemption to withhold information from you where the disclosure of that information is held for an ongoing regulatory process (so, we are yet to complete our regulatory process and our intentions could still be affected by the actions of a data controller) or the information is held in relation to sensitive matters and its disclosure would adversely affect relationships which we need to maintain with the organisations involved. It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely, or at a later date, if it is inappropriate to do so. Disclosure of the withheld information at this time would therefore be likely to prejudice our ability to effectively carry out our regulatory function”

The ICO routinely releases the names of data controllers she has served monetary penalties and enforcement notices on without any fears about the damage to their relationship. Just last week, she was expressing how “deeply concerned” she is about the use of facial recognition by the private sector, despite being at the very beginning of her enquiries into one such company. And if maintaining working relationships at the expense of transparency is such a vital principle, how can they justify the publication of the Facebook NOI for no more lofty reason than to sex up the release of the analytics report? They say “It is essential that organisations continue to engage with us in a constructive and collaborative way without fear that the information they provide to us will be made public prematurely”, and yet the Facebook NOI was published prematurely despite the fact that it was a dud. What will that have done to the ICO’s relationship with a controller as influential and significant as Facebook? What incentive do FB have to work with Wilmslow in a constructive and collaborative way now? And if identifying the subjects is an issue, what is to stop the ICO from saying ‘we fined X organisation £100,000’ but refusing to say why, or alternatively, describing the incident but anonymising the controller?

It doesn’t make sense to publicise enforcement when it’s not finished, and it doesn’t make sense to keep it secret when it’s done. Every controller that has been named and shamed by the ICO should be demanding to know why these penalties have been kept secret, while Facebook have every right to demand that the Commissioner account for the perverse and ill-judged way in which she took action against them. Meanwhile, we should all ask why the information rights regulator is in such a mess.

And one final question: did she bring the framed pictures with her or did we pay to get them done?

Mum’s the Word

A few days ago, the organisers of the Parklife Festival in Heaton Park in Manchester sent out badly spelt text messages to those who had booked to attend. The Manchester Evening News reports that the texts purported to be from the recipient’s mum, but in fact were a plug for the festival’s after parties.

A running theme of this blog is the way in which organisations sometimes overlook or ignore the rules in order to win business, and the casual intrusion and impoliteness that this represents. Assuming that the story is accurate, I think the Parklife organisers may have breached both the law and the advertising standards code (the CAP Code).

Of course, for starters, the festival organisers need consent from recipients to send them text marketing. This has to be active, clear consent, and not some bollocks buried in the T&Cs. Even if they can satisfy the so-called ‘soft opt-in’ (where messages for similar products and services can be sent subject to an opt-out), this would need to have been done explicitly. The fact that a person has booked tickets or expressed an interest would not be enough to infer consent. Parklife’s organisers may well have done this, but given the other problems, it’s a reasonable question to ask.

Regulation 23 of the Privacy and Electronic Communications Regulations states that a marketer cannot ‘disguise or conceal’ their identity. By sending what is in fact a marketing text in the guise of a message from Mum, Parklife’s organisers have apparently breached this regulation. As the MEN points out and the BBC have confirmed, some of the recipients will have lost their mums, and so a text message from ‘Mum’ isn’t just crass marketing, it’s distressing. Whether or not the ICO will take action is a matter for them and presumably may be based in part on whether they get any complaints. However, if they do take action, the NME reports that Parklife’s organisers have already apologised for ‘unnecessary personal distress’, which would presumably be a factor in any proposed PECR civil monetary penalty. A CMP can only be issued if the communication would or would be likely to cause substantial damage or distress, which seems like a high threshold. However, getting a text message from what seems to be your dead mother is probably the kind of thing that CMPs were designed to address, especially if the text arrives the day before the deceased’s birthday.

As well as PECR, many marketing communications are covered by the CAP Code, which is enforced (to the extent of forcing advertisers to withdraw offending items) by the Advertising Standards Authority. The CAP Code has a number of interesting sections:

3.1 Marketing communications must not materially mislead or be likely to do so.

3.3 Marketing communications must not mislead the consumer by omitting material information. They must not mislead by hiding material information or presenting it in an unclear, unintelligible, ambiguous or untimely manner.

3.5 Marketing communications must not materially mislead by omitting the identity of the marketer.

4.2 Marketing communications must not cause fear or distress without justifiable reason.

And finally, just for good measure,

4.3 References to anyone who is dead must be handled with particular care to avoid causing offence or distress.

I’m not as familiar with the CAP Code as I am with DP and PECR, but this sounds like a fairly open and shut case.

The MEN reports that Sacha Lord, who runs the company behind the festival, tweeted ‘So this is what it feels like to be a jar of Marmite! #LoveItOrHateIt’. I’m certain it’s more what it feels like to be a bellend, but it may be more than that. Any of the folk who received this moronic marketing may wish to consult the ICO’s website, or that of the ASA. It’s also a good example of where marketing law isn’t complex or confusing, as some marketers and their apologists like to claim. You don’t send text messages that look like they’re from people’s mum, especially because she might be dead.

Replace ‘I’ with ‘A’ and it’s funnier

A lot of people who I know – regardless of politics – admit having a soft spot for Boris Johnson. When playing the left-leaning parlour game of “Name A Senior Tory You Wouldn’t Slap”, Boris seems to win out quite a lot (I’m virtually the only person I know who likes Eric Pickles). I’m a member of the Mercutio* party anyway, but Johnson never gets my vote. I don’t know if it’s the self-conscious hair, his exceptionally grating silly ass persona, or simply the fact that despite being a calculating and ideological politician, he has convinced so many that he is some sort of cuddly figure of fun – whatever it is, I can’t stand him.

However, I enter the ‘Twittersnatch’ debate not merely to have a pop at the current Mayor of London. After all, one of the problems with the current mayoral battle is that, for my money, it resurrects the gag from the 1960 US Presidential election (‘be thankful only one of them can win’). In my view, the appropriation of the Mayor’s following and the ‘so what’ reaction of Johnson’s people demonstrate that politicians still don’t understand social media or data protection.

The story goes like this: Boris Johnson’s Twitter account was @MayorOfLondon. In order to campaign for re-election, he changed his Twitter name to @BorisJohnson, taking all of his followers with him: http://www.bbc.co.uk/news/uk-politics-17450985. Following a flurry of criticism, a new account was born (@BackBoris2012), and only those who followed that new account will receive the campaigning tweets. If at this point you’ve lost interest, I don’t blame you. This is not a titanic struggle of ideals, but a playground squabble.

However, what is the Data Protection angle in this spat? Guido Fawkes pointed out (somewhere that I can’t bloody find and will correct when I do!) that Johnson apparently brought many of his followers with him when the @MayorofLondon account was created, so surely, they should have expected whatever promotional guff spews from the excited fingers of whichever Damian or Jemima is operating the account on any given day?

I’m starting from the presumption that a Twitter name is personal data. It’s unique, it applies (mostly) to a living individual and in most cases, the living individual can readily be identified from the profile page. Many of the @MayorOfLondon followers will be clearly identified as real people merely by knowing their Twitter name. I’m told that the @MayorOfLondon account was used as a GLA tool to promote the ceremonial or London-plugging elements of Johnson’s role, so anyone who followed it would have a reasonable expectation that their data (the Twitter name) would be processed solely for that purpose. Even if this was a promotional purpose, it is obviously different from the aim of getting Johnson re-elected. The Data Controller of that Twitter account – if used to promote the Mayoralty and not Johnson the Conservative politician – was the Greater London Authority. The Data Controller of the Boris Johnson account – if used to get him re-elected – would either be Johnson, the Tory Party or some campaigning hybrid of the two.

Twitter, like most social networks, is a strange world that doesn’t easily fit into the neat definitions of Data Controller or Data Processor – Twitter can’t be the latter because it just sold two years of tweets to Datasift, a company with a name so explicitly Orwellian I have to assume it’s an elaborate corporate joke. Nevertheless, within the overall portal / umbrella, a corporate outfit / campaigning politician asking for personal data in order to send out messages is a data controller to the extent that they decide what happens to their following. They should not act in a high-handed manner, and cannot ignore UK law. Followers cannot fairly be shunted over into a channel devoted to a political purpose without some explicit opt-out (at best). The first Data Protection principle demands that the use of personal data is fair, and it isn’t fair to completely change the purposes for which you process a Twitter follower’s name.

For that reason, I think it’s at least arguable that the data of any identifiable Twitter user was used unfairly, assuming they were individuals as opposed to corporate users like @angrybirds or imaginary ones like @pobgovebot, and especially if they signed up during the @MayorOfLondon phase, rather than being moved over from a previous Johnson account. I can’t imagine that the Information Commissioner’s Office will weigh in heavily now, nor is there much point in them suddenly finding their ass-kicking gear. But if this is the last idiotic wheeze that comes out of either side of the Livingstone / Johnson smackdown, I will be very surprised.

The problem is, in my experience, people involved in politics tend not to know much about data protection, and even less about direct marketing. It’s worth noting that Labour, the Liberal Democrats, the Conservatives and the Scottish Nationalists all have enforcement notices against them from the Information Commissioner’s Office under the Privacy and Electronic Communications Regulations, forcing them not to make automated telephone calls unless they have explicit consent: see here. A breach of any of these notices would result in prosecution. This despite the fact that everyone I have ever met hates automated calls, even if they feature the voice of Liz Dawn or Sir Sean Connery. Rather than (in Helen Lewis’ apposite tweeted phrase) clutching their pearls in shock, the people responsible for the Twittersnatch should have admitted that it was a clumsy and unreasonable thing to do. And it’s only because they backed down that they didn’t get deeper into the DPA mire.

* Read ‘Romeo and Juliet’ if you didn’t get that reference, or better yet, find a production of the play and see it. This will be the most constructive thing you’ll ever do as a result of reading this blog.

Facebook posts can mean prison

When I lived in Wigan, the most common response to seeing a copy of the local weekly, the Wigan Observer, was to turn to the page that showed who had been up in front of the magistrates. Like most people, what I wanted to know was whether anyone I had been to school with had broken into a shed or got drunk and hit a policeman with a fire extinguisher. In recent days, the Manchester Evening News, normally a paper with a rich and varied coverage, has been transformed by marathon court sittings into a multi-page version of the same thing. It’s an endless succession of self-destructive anecdotes – the guy identified by his Batman jumper, the chef who stole a camera ‘because he did not have one’, and the squaddie who tried to sell a £2000 Les Paul guitar that he claimed he had bought during the riots.

Today, I assume the MEN will go for the comparatively huge sentences for two chaps in Cheshire who tried (and thankfully, failed) to use Facebook to incite riots in Northwich and Warrington: http://tinyurl.com/3utotsu. However, the story is an object lesson in how so many people do not understand social media or electronic communications.

I’m paranoid. As far as possible, I never write anything in an email that I wouldn’t want to have broadcast. I had an email exchange recently where a friend sent increasingly rude and abusive jokes about a third party we both know, and all of my responses were basically “                    ”. I didn’t want my opinions on record, especially as the tone of an email is incredibly hard to judge.

On the other hand, Facebook, instant messaging and email allow some parts of society to extinguish the concept of an unexpressed thought. The Daily Mail is a rich seam of stories about people saying ridiculous and damaging things on Facebook and similar sites – the teacher who criticised her pupils http://tinyurl.com/3c65fkx or the girl sacked after describing her new job as ‘boring’ http://tinyurl.com/d4h9c5. The Mail still hasn’t thought of a different way of illustrating these stories than asking the subject to pose in front of a computer, as if it’s impossible to understand the situation otherwise. In both of these cases, people’s careers are damaged; in others (a quick Google search will show you many), people also get sacked, or damage their reputations or ruin their family lives.

Fast forward to today, and we see these two young men going to prison (and the Mail has another one here: http://tinyurl.com/4xpowny). Meanwhile, the DisabledGo News blog reports Facebook comments allegedly made by employees of Atos, the firm delivering the work programme, describing disabled clients as ‘parasitic wankers’ and ‘down and outs’: http://tinyurl.com/3bpvb66. This could have consequences both for their careers, and for the company’s contracts.

I’m far from the first to say this, but much as social media has connected the world in new and interesting ways, it has also opened the door for a lot of people to cause themselves huge damage. No matter who you are, the lesson has to be learned: THINK BEFORE YOU TYPE. Who might read what I have said? How might it be misinterpreted? Can I trust the recipients not to forward it on to everyone they know? Facebook encourages lots of friends, while an email is the ultimate form of portable, airborne information.

The Information Commissioner says you can do FOIs via Twitter

I am not the most enthusiastic fan of social media. I love new technology, but at some point I associated social media with children (I know, I was wrong), and only now do I see the error of my ways. I use Facebook solely for the purpose of entering competitions, I have just this evening started using Twitter properly, and that’s about it.

So when the Information Commissioner’s advice that it was acceptable to use Twitter to make FOI requests emerged, I wasn’t a happy anorak. Is it really unkind to see it as the regulatory equivalent of Dad Dancing, something to show that the ICO is down with the kids? Every time I’ve run an FOI course in the last 18 months, I have mentioned to my punters that it was entirely possible that a tweeted FOI was a legitimate one, but my heart sank every time I said it. Twitter is instant, urgent, of the moment, and for the most part, it’s transitory. The little box into which one deposits a tweet says ‘What’s Happening?’, not “What Do You Want To Know In 20 Working Days Subject to a Rigorous Process of Searching and Decision Making?”

An FOI request doesn’t have to be huge and momentous, but it should be considered. It should be thought through. I would defend to the death the right of people to make justifiably silly or trivial FOI requests (if the person who asked the Foreign and Commonwealth Office how much they spent on Ferrero Rocher ever identifies themselves to me, I promise to buy them a drink), but especially in the current climate, it’s not unreasonable to ask FOI requesters to ask themselves: what do I want to know, why do I want to know it, and am I asking the right person? 140 characters might oblige some FOI requesters to boil their queries down into coherence (some users of What Do They Know really need a word limit), but equally, it might just encourage people with itchy tweeting fingers to go crazy with a swarm of FOI one-liners.

Time will tell whether this will amount to anything. But as an experiment, I have just made an FOI request via Twitter to the Information Commissioner’s Office. After all, it’s always nice to see them following their own guidance.

I would say that it’s equally nice when they don’t follow their own guidance, but of course *that never happens*.