The Times published an interesting story on Saturday about businesses being approached by the Information Commissioner’s Office. According to the story, thousands of small business owners and landlords have received “heavy-handed” letters about the annual fee which many organisations are liable to pay under the Data Protection Act 2018. The GDPR abolished the requirement for controllers to register with their supervisory authority, but the bureaucracy has been maintained to provide funding for the ICO’s Data Protection activities. Ostensibly, the ICO chasing up people who by law owe them money should be uncontroversial, but like most things that Wilmslow gets involved in, it isn’t that simple. For one thing, I don’t know how the ICO is selecting their targets, but as the Times reports, a lot of recipients are actually exempt. Half of the clients of a tax advisor quoted are exempt, and I’ve been approached by a number of people being chased over dormant or dead companies. It would be interesting to know what criteria is being used.

A bigger concern is what the ICO is going to spend the money on. Small businesses have to pay the ICO at least £35 per year, but their spokesperson said in the article that “The fees are used to provide services to help organisations process and manage the personal data they are responsible for in line with their legal obligations and in ways that may inspire public confidence“. I’d question whether the ICO will itself inspire much public confidence, and whether businesses will be as keen to pay up, when they find out what the ICO has been spending their money on. A series of fascinating FOI requests on What Do They Know, as well as requests I have made, demonstrate that services to help organisations aren’t the only essentials on which the ICO budget is spent.

In the 12 months leading up to the end of November 2019, the ICO spent £49,043.16 on first and business class flights, luxury enjoyed by eight senior ICO officials on just 20 occasions. Elizabeth Denham CBE turned left most often, with 7 of the flights at a cost of £15,793.88, closely followed by her deputy James Dipple-Johnstone, who was lucky enough to escape the indignity of economy class on five occasions, for the bargain price of £10,612.70. Fans of Mr Dipple-Johnstone’s idiosyncratic stewardship of the ICO budget will remember his expenses claim while caught out while on a jolly to conferences in Asia and New Zealand. When his flight from Doha was diverted to chilly Vienna, he was prevailed upon to buy a jumper and some warm trousers, but thankfully the ICO was able to pick up the tab. Other Wilmslow luminaries taking advantage of the ICO’s seemingly generous travel policies included the Director of Freedom of Information Gill Bull, the Director of Investigations Stephen Eckersley, one of Denham’s other deputies Steve Wood and Simon McDougall, friend of the advertising industry (he does have a job of some kind, but I have no idea what it is). The most expensive single booking was for the Director of Strategic Policy Amanda Williams, whose airmiles came at a cost of £4419.32. Williams took only one luxury trip, so it’s nice to know that it counts.

To put this already profligate spending into perspective, Denham’s flights accounted for the fees of 450 small businesses, while Dipple-Johnstone’s swallowed 303. Williams’ chart-topping trip gobbled up 126 small business fees by itself. In total, the cost of first and business class flights for the pampered elite at the ICO’s top table ate up 1400 small business fees. So much for services to help them, all of these companies paid for Mrs Denham and her courtiers to get extra legroom and hopefully some bubbles as they wait to take off. I’m sure that whichever three small businesses stepped in to fund Dipple-Johnstone’s cold weather ensemble are glad he didn’t get a chill.

But that is not all. The only place I ever seen Denham in the real world is the First Class Lounge at Euston Station, but this is unlikely to have been a one-off visit for the Commissioner. Of the 43 first class rail journeys made in the same period by ICO staff, 32 were claimed by Denham, with the other eleven split between the usual suspects (JDJ managed only three, with Steve Wood nabbing 5). The costs of the first class trips were obviously lower than the flights (£5777.75, with £3806.65 accounted for by Denham) but nevertheless, I’m sure the 108 small businesses who kept the Commissioner and her colleagues away from the indignity of standard class will feel that their contribution to the work of the ICO was not wasted. We cannot expect the leaders of the UK’s Data Protection hub to go without free tea and coffee and those lumpy chocolate biscuits that people pretend they are taking for their children.

Of course, you might accuse me of hypocrisy as I unashamedly go first class on a regular basis. I write this on a Sunday afternoon, knowing that I will be in First Class tomorrow morning. The point is whose money I am spending. When I charge expenses to clients, I only ever invoice for standard class prices, and 2040 Training Ltd is a private company of which I am the sole shareholder. I’m not spending your money, or that of millions of businesses that I am cajoling to pay up. Moreover, doing less than half of my work journeys in First Class is about the only corporate expense that has any direct benefit to me personally. The same cannot be said for the ICO and Elizabeth Denham. As I wrote about last year, the ICO spent just shy of £18,000 on executive coaching for Denham. As revealed in another WDTK FOI request that the ICO answered 4 months late, the former Canadian Minister for Trees Philip Halkett was hired without any external advert or tender process. I followed up this request with one of my own for recorded information about some of the contracts. I asked what qualified Halkett for such special treatment, and ICO explained that as her former executive coach, he was “uniquely placed to deliver the service“. The only recorded information they could give me about what he provided was a single line in the contract (the rest of which was withheld). 514 small businesses paid their fees so that Halkett, a retired Canadian with no experience in Data Protection, could provide “coaching and strategic advice as required by the Commissioner from time to time“.

Needless to say, none of the UK fee paying businesses were permitted to put themselves forward for the coaching work, or for the £20,000 ‘service excellence’ consultancy (571 small business fees) awarded without a tender process to an academic in Canada. The ICO’s own lawyers questioned whether that contract had been awarded lawfully, only to be told by Director of Resources Andrew Hubert that “The ICO appointed Mark Colgate as he is the author of the methodology we wanted to use so uniquely placed to present that methodology to our staff. Basically he is sole author and sole supplier. We are happy to accept the procurement risk on that basis.” The emails show that neither Procurement or the ICO’s Commercial Legal team were involved in the process of hiring Colgate. Whether ICO staff actually needed his TOFU-based customer service guff is debatable, but the idea that none of the hundreds, if not thousands of UK-based customer service experts who have to fund the ICO were even worth considering, but this bloke from Denham’s home town was the only possible candidate is fanciful. That no proper processes were followed and the ICO hired Colgate on the basis of a one-page emailed proposal that boils down to ‘I’ll do some training and give your team managers my book’ ought to concern everyone.

Taken together, these FOI requests paint an odd picture. Senior officers travel the world in first class to attend conferences that build their profiles, but offer scant benefits to UK-based businesses. Friends of the Commissioner are paid thousands of pounds without any due process. The most charitable way I can describe this is self-indulgent and lacking in oversight, but the problem is that Denham’s tenure is characterised by poor judgment. The Information Commissioner’s Office has spent millions of pounds investigating the Cambridge Analytica / Facebook ‘scandal’ only to find that it didn’t involve UK Facebook users. That investigation culminated in a bizarre humiliation, with Facebook invited to repudiate the whole thing on the ICO’s own website, and commended by the Commissioner for their sterling privacy work. The massive BA and Marriott fines, wildly out of proportion when compared to the rest of Europe, appear to be in disarray, delayed for three months without any explanation. Confirmation that this had happened had to be dragged out of Wilmslow by lawyers and journalists who realised that the time limit to complete them was running out. There is still no formal statement on the ICO’s website about this massive development. Journalists attending appeals against enforcement action against Leave.EU and Eldon Insurance tell of the ICO’s own barrister admitting that the ICO’s decision-making process fell short of what should be expected, with no internal records of the decision to act available. The outcome of that case is coming in February.

A regular reader of this blog complains that every other entry is just me moaning about Liz Denham, and it’s true that I am a long-standing driver of negative sentiment (as I was once delightfully labelled by the ICO’s PR people). But this isn’t just the random potshots of a disaffected show-off. The ICO’s staff (i.e. the people who actually do the work rather than chase the headlines) are famously paid well below the market rate, and yet the ‘Leadership Team’ are circling the world in First Class, hiring their mates and botching high profile investigations that probably never should have started. 2040 Training has paid its fee for 2019/20, but I wonder what I’m getting for my money. According to the ICO Annual Report, Elizabeth Denham is paid £160,000 per annum, plus a “non-consolidated, non-pensionable annual allowance of £20,000“. If she wants coaching, she can afford to pay for it herself. If she needs coaching (and the meltdown I describe above suggests that she might), she is in the wrong job. At the very least, she should pay back the £18000 paid to Halkett and stop expecting the fee-paying organisations of the UK to fund her taste for luxury travel. The rumours circulating government suggest that the ICO’s sponsor department, the DCMS, is for the chop. If that is true, before their time runs out, they must dig into Denham’s chaotic, self-indulgent regime and ensure that the thousands of businesses who keep the ICO afloat are not being taken for a ride.

 

 

There’s never a good time to accidentally publish a huge batch of personal data online, but the interregnum between Christmas and New Year, when nothing happens and most people are bored is a particularly unfortunate moment to choose. The Cabinet Office’s foul-up in publishing the home addresses of the thousand or so people in receipt of a gong as part of the New Year’s Honours was particularly ill-timed, but given the diverse nature of those affected, it’s hard to imagine that there would ever be a time where it wouldn’t hit the headlines. The location of Elton John’s mansion is probably not a secret, but many honours recipients are not celebrities, and some might be put at risk by their addresses being known.

In many ways, the story is familiar. The Cabinet Office say it’s an accident, the BBC dig up a Data Protection ‘expert’ I’ve never heard of to say nothing in particular about it, and everyone on LinkedIn has made their mind up. But there is one interesting aspect that recent changes to legislation has significantly altered. One of the other people enjoying a moment in the spotlight was the CEO of a software company. He downloaded the spreadsheet on Friday night, and regaled Radio 4’s PM programme with the details of the diligent research he had done into the homes of some of the people on the list.

The GDPR does not apply to the data processing activities of “a natural person in the course of a purely personal or household activity“, but the Data Protection Act 2018 (like its predecessor the DPA 1998) works differently, and significantly differently for situations like this. Section 170 makes it an offence for a person knowingly or recklessly to “obtain or disclose personal data without the consent of the controller“, to procure such an unauthorised disclosure and finally “after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained“. The obtaining, procuring and disclosing elements were there before, but the offence of retaining data is new. A legal entity could clearly be charged with any of these offences, but the majority of prosecutions (mounted unusually by the ICO rather than the CPS) for the old S55 and the new S170 offences are individuals.

And here’s the punchline. It’s quite possible that the Cabinet Office’s procedures and controls are flawed, or their training is deficient (or both). In such circumstances, the organisation would have infringed the GDPR and potentially face a fine as a result. Given the Information Commissioner’s obsession with headlines and over-reaction to high profile events, I suspect a fine in this case is quite possible. It’s also possible that everything inside the Cabinet Office is absolutely mint and this is just a monumental cock-up. I don’t know, and I’m prepared to wait and see what the ICO finds out when they investigate. I might relentlessly take the piss out of the Commissioner’s Office, but one of the things I’m happy to acknowledge that they’re good at is getting to the bottom of security incidents and why they happened.

However, none of that makes any difference to anyone who accesses the honours spreadsheet. An organisation may significantly infringe GDPR and breach confidentiality by sending personal data to the wrong place or making it available online, but that does not give a free hand to the recipient. Anyone who innocently accessed the spreadsheet cannot be held responsible for the fact that they are now aware of personal data to which they were not entitled, but the moment you download the data, there’s an argument that you have obtained it without the consent of the data controller. Sometimes this might not be obvious, but in this case, there can be no doubt that the Cabinet Office did not intend for the data to be disclosed, and so anyone accessing it is doing so without the controller’s consent.

Of course, you might not have realised what you were downloading, so you’re almost certainly not acting knowingly or recklessly at that point. However, it’s probably a safe assumption that in the hour or so that the spreadsheet was available, it was downloaded multiple times. So what of the people who still have a copy? Nobody can be in any doubt about the fact that it was published by mistake, so its continued retention is without the Cabinet Office’s consent.

It would be a bold claim to accuse everyone who still has a copy of committing a criminal offence, but under the 1998 Act, it would be impossible to do so. I’ve been directly involved in multiple incidents where a controller mistakenly sent data to the wrong person and had huge difficulties in recovering the data or securing its destruction. The person hadn’t deliberately stolen a copy of the data or sought to access it, so what do you do if they refuse to hand it back or delete it? Those with long memories might remember the huge bill racked up by Belfast City Council in their ultimately successful attempt to prevent the misuse of data about elected members that they inadvertently sent to a woman in England. The new offence changes the rules. Merely possessing the data is potentially an offence, and I think this should give pause for thought to anyone who still has a copy.

There are some defences that a person can mount – you can argue that retention is necessary to prevent or detect crime, is legally authorised or because of the particular circumstances, is in the public interest. For example, if you retained data because you wanted to blow the whistle or report it to the Information Commissioner, especially if the controller wasn’t going to and you thought they should, I would guess that this would be a solid defence against prosecution. But in this case, it’s clear that the Cabinet Office has already notified the Commissioner, the nature of the compromised data is not in doubt, and it’s difficult to see what public interest there would be in keeping the personal data of innocent people, however badly the Cabinet Office may turn out to have handled it.

There have been, as far as I know, no prosecutions for the retaining offence so far – the only action has been a rather insipid press release from the ICO about a case that they might have been able to prosecute under the new legislation. It’s entirely possible, even likely, that the ICO won’t seek to criminalise people solely for having data in their possession unless they do something nefarious with it or refuse to get rid of it when asked to. Nevertheless, if you have a copy of the honours data on your laptop right now, my very strong advice as your friend and unappointed DPO is to delete it forthwith, and await the outcome of the ICO’s investigation sometime in 2021.

Another day, another story in the Observer about Dominic Cummings and the Brexit vote, inspired (if that is ever the right word in this context) by revelations from Ian Lucas, the former MP for Wrexham. Lucas did not stand in the 2019 General Election and his former seat went to the Tories. Notwithstanding his decision to step down from politics, his determination to re-fight the 2016 Brexit Vote is undiminished, despite the fact that Boris Johnson’s victory means that Brexit is now a certainty, and any hope of going back in time is dead and gone.

Lucas has now passed correspondence he obtained when an MP to the Observer. Inevitably written up by the paper’s Cummings Conspiracy Correspondent Carole Cadwalladr, the revelation is that in correspondence with the Information Commissioner, Cummings said that had the referendum been won narrowly by the Remain side, he would have contested its legitimacy. Cummings claimed that the electoral process is compromised and nobody has done anything about it. I guess there might be some minor interest in seeing Cummings’ hypocrisy exposed – the man who lectures Remainers about picking which votes to respect turns out to be unprincipled and two-faced. Given the Leave campaign’s now total victory in the Brexit debate, I’m not sure what the point really is.

There is, however, an interesting angle to the story which is very relevant to today, especially given the large numbers of MPs on all sides who were either vanquished on Thursday night or decided like Lucas that their time was done. In Data Protection terms, politicians have a complicated identity, being associated with a number of different data controllers. As a party representative, an MP is likely to receive or have access to data from their party, and so must answer to them. Separately, as an MP, MSP, AM or councillor, a politician may well have a committee or other official role that gives them access to personal data for which the Parliament, Assembly or Council will be controller. Finally, as a representative of constituents and for other specific purposes, a politician will be a controller in their own right, liable directly for the way in which they use personal data.

When they cease to be an elected representative, much of this falls away. There isn’t much personal data in Cummings’ correspondence with Wood, but there is some, and Lucas isn’t the data controller for that data – Parliament is. Lucas’ role on the Culture, Media and Sport Committee will undoubtedly have given him access to private, possibly confidential data and some of it would have been personal data. Considering the scope of other Committees – health, security, and other sensitive matters – other ex-MPs will have significant data in their possession which should be in the control of Parliament. The same goes for lists of supporters or volunteers which are the responsibility of the party, not the ex-MP. Even the constituency casework data, for which the ex-MP would be responsible should arguably be disposed of or passed on to either the new MP or the local party. The purpose of providing sensitive personal data to your MP is for your MP to represent you – if that person is no longer doing that job, it’s arguably a breach of the first principle (fairness), the second principle (purpose limitation), and the third principle (relevance) for a former politician to retain their casework data once they have left office.

There are two serious issues here. The institutions must have clear processes to secure and recover personal data held by their former representatives. Once an MP has left Parliament by whatever route, if the Parliamentary authorities do not have processes to ensure that data is handed back and devices erased, this is very likely to be a breach of the GDPR’s security requirements to have appropriate organisational measures in place. I don’t underestimate the difficulty of this exercise with ex-MPs and their staff literally scattered across the UK, but if Parliament is the controller, they are required to recover the data. The same is true for the parties – if (for example) Jo Swinson remains an active member of the Liberal Democrats, it might well be reasonable for her to retain personal data she held as a LibDem MP, but if she walks away, the party needs to obtain any data she used as a LibDem representative or see it that it has been deleted. This is particularly important in a world where politicians will jump from one party to another.

The flipside of this is that the Data Protection Act 2018 makes it a criminal offence for a person to retain personal data without the authorisation of the data controller. If Parliament is the controller for the Cummings correspondence, Lucas has by his own admission retained and disclosed it without Parliamentary approval: “I used every means possible to secure the publication of them by parliament but ultimately was blocked from doing so, so I have chosen to make them public myself“. I wondered whether there could be an argument that MPs are joint controllers for all the data they access from Parliament or Party, but Lucas was an MP for 18 years and knows a lot more about it than I do. He doesn’t seem to think he was controller of the data, so I think that’s very persuasive. Any ex-MP who merely keeps data for which Parliament or Party is controller is likely to be committing a criminal offence, and any disclosure or other use of the data only multiplies the possible offences. There is, of course, a public interest defence to an allegation of these DP offences, but I believe that this should be tested.

The irony of Lucas’ claims to be valiantly exposing the truth about Cummings’ hypocrisy (and Cadwalladr’s enthusiastic reporting of it) is that the correspondence in question has apparently been on Parliament’s website since March 2019, made available following contempt proceedings against Johnson’s goblin advisor. I’ve never been a fan of Lucas’ self-promoting antics or Cadwalladr’s wayward approach to fact-checking, but this particular story is a joke. It does inadvertently raise a serious point about the conduct of Lucas and other ex-MPs; if Cadwalladr and the Observer are as concerned about data protection as they claim, looking at misuse by ex-politicos would be a more fertile area of research than old news from 2017 that was already in the public domain.

The OpenRightsGroup currently have a tool on their website to make subject access requests to political parties; they say that it is intended to investigate political profiling: “Who do political parties think we are?” is the heading on the page. There is definitely a problem with the way all parties use personal data, and the unhelpful and misleading narrative that only the Leave side in politics has questions to answer about data protection flatters the heinous practices of all major political parties. To be honest, if it was transparent, the Tories, Brexit Party and UKIP using profiling techniques to come to the conclusion that they should never contact me would be a very good thing and I wouldn’t feel any need to consent to it. As it happens, I made still valid opt-out requests to all the parties under the old Data Protection Act, and the only one who contacted me this time was the Labour Party. Thanks for nothing, comrades.

The language in ORG’s blog about profiling is emotive and potentially misleading, describing normal features of the DPA 2018 as ‘loopholes’. The blog says “DPA says that data processing can be in the public interest if it “supports or promotes democratic engagement”. This means that political parties could try to claim that their invasive scrutiny of you is lawful purely because they are trying to get you to vote”. If the processing was invasive, it would be unfair and so unlawful. If there is a reasonable alternative to the profiling, it’s not ‘necessary’ and so it’s unlawful.

GDPR allows special categories data to be processed where there is an exception, and one such exception is substantial public interest, based on specific legal authorisations. The DPA contains such authorisations for certain activities, and one such is that political parties can process political opinions (and only political opinions) for political purposes. Again, for ORG, this is a ‘loophole‘.  The SPI provisions aren’t a clever way for parties to get around the law: they are the law. It’s legitimate for parties to do what the law allows them to do; if ORG complained that the parties don’t abide by the SPI provisions or aren’t sufficiently transparent, that might be fair comment. This might seem like a minor point, but I think ORG are attacking the legislation unfairly, not possibly non-compliance with it.

I think there are also some #GDPR issues to consider with the tool itself. The chief problem is lack of a formal, explicit fair processing notice, which results in confusion that could easily have been avoided. The tool identifies which part of the country you’re in, in order to rule in / out parties which only stand in individual nations rather than all of the UK. After uploading proof of your ID, it then makes a request to all the parties. You cannot pick and choose; it has to be all of them. Before you finally send, the tool clearly shows you which parties your requests will be going to which is good, but another aspect doesn’t sit right with me. This is ORG’s explanation of why you can’t use the tool to select individual parties to apply to:

The aim of you sending this request is to contribute to Open Rights Group’s research understanding how all UK political parties use personal data for campaigning and other purposes. To gain the necessary information to analyse this properly, we need to gather data from all parties across all parts of the UK. It would not be helpful to our research to gather data selectively so we have not allowed for the tool to do this.

I assume ORG don’t get access to the data disclosed to you because there is no mention that they do anywhere on the page or on the forms when you use the tool. Any such access would be a serious, penalty-deserving infringement of #GDPR, so presumably it doesn’t happen

The site says “To gain the necessary information to analyse [profiling] properly”, they have to make you apply to all parties. Then: “If you opt-in to future emails from Open Rights Group, we will check in with you after 30 days to confirm whether you have received a response”. But that can’t be the end of it; knowing whether the request was answered will not tell ORG “how all UK political parties use personal data for campaigning and other purposes“. Either ORG intend to ask to see the data that was requested, or the exercise is pointless. So why aren’t they clear about the later stages of the process now? Do they know what they’re going to do, and if so, why not explain it?

Of course, ORG will almost certainly counter my concerns by saying that any data supplied to them from received requests will be obtained with consent (there’s no other lawful way they could get it), but the assertions about the aim of the research aren’t matched by transparency about how it will be carried out. This is, at best, not good practice. When you’re scrutinising an opaque process, you shouldn’t be running one yourself. A proper fair processing notice would solve this, and there isn’t one.

There’s more. I’m sure there will be people who want to know about every party’s processing, even if the one they support. But equally, there will be people using the tool who aren’t interested in what every party has got – ORG might be, but the applicant may not. There will be people who never would have made the request at all without the tool’s existence. Are these requests unfounded?

If a party receives an ORG SAR (which will be easily identifiable from the standard text they’re using), could they argue that answering a SAR sent solely for someone else’s research purpose is unfounded or excessive? A lot of people – especially those who come to Data Protection from a political or campaigning perspective – see SARs and other rights as campaigning tools. A queasy assortment of characters have already attempted to weaponise data rights as a tool in the Brexit Wars (possibly encouraged by a Data Protection regulator who seems unusually preoccupied with the activities of only one side of the debate). Admittedly, ORG are targeting all parties rather than one side, but I still question the wisdom and legality of what they’re doing.

If I was a political party DPO, inundated with SARs and complaints (albeit deservedly), I’d probably look askance at these SARs and look for reasons to knock them back. Some campaigners might be outraged at the idea, but Data Protection in practice isn’t always a high-minded exercise in civil rights. Sometimes, it’s trench warfare. Sometimes, data protection practitioners will do what they can to deal with the torrent of work that spills onto them.

I accept that my opinion that organised SAR campaigns are inherently unethical isn’t widely shared, but when I tell you that they’re also stupid, I’m a lot more confident that I’m right. The Data Protection Act 1998 kept the door to why the request was being made firmly closed, but even the Directive talked about subject access existing “in order to verify in particular the accuracy of the data and the lawfulness of the processing“. The GDPR blows the door wide open – ‘unfounded‘ and ‘excessive‘ both invite attention to why the request was made. ORG would probably argue that they’re trying to verify the lawfulness of political party processing, but the parties could equally argue that they’re encouraging requests that the applicant themselves probably wouldn’t have made. The indiscriminate nature of the tool and the inadequate explanation of why such a blunderbuss is being deployed could play into the hands of a party that decides to roll the dice.

The UK’s political shitshow is not going to end any time soon, and if you want to use your data rights to find out what anyone is doing with your data, that is entirely your business and clearly part of what SARs are for. But if you’re doing it to make a point rather than to see your data, I think you’re misusing your rights and if you get refused, you probably deserve it. Worse still, if you’re participating in an orchestrated campaign, I think you’re playing with fire. The very politicos you might object to may notice the inconvenience and irritation of mass SARs, and decide, as the UK floats away from the European data protection mainstream, to create some real loopholes where none currently exist.

Most people have little routines that they enjoy on a Sunday. Doing a spot of gardening, going for a run – I know one person who relishes his Sunday trip to the tip. For me, a minor weekend pleasure is the masochistic ritual of reading a maddeningly ill-informed article about Data Protection in the Guardian or Observer. This weekend did not disappoint, despite a surprising break with tradition in that the piece in question was not written by John McNaughton.

This time, we have Stephanie Hare, expressing sentiments summed up in a headline that gets two things wrong before the article even gets going: “These new rules were meant to protect our privacy. They don’t work.” No, the GDPR is not meant to protect anyone’s privacy. The word ‘privacy’ is mentioned once in a footnote that refers to another piece of legislation (which isn’t supposed to protect our privacy either). The purpose of the GDPR is to maintain the European model of data protection i.e. a deal between commerce and individual rights. It’s an asymmetric and imperfect deal, but the idea is the internal market requires the use of personal data in order to function, especially across International borders, and so there needs to be a regulated system to allow governments and businesses to use data. The language of the GDPR, like the directive before it, makes absolutely clear how the deal works. The organisation that gathers and uses the data is the ‘controller’. That tells you all you need to know. The individual is no more than the ‘subject’, given some rights and a limited amount of control over how their data is used.

I think the GDPR does a better job than its predecessor of making those rights work meaningfully – it’s free in most cases to exercise them, the fairness provisions explicitly acknowledge transparency and clarity, the right to be forgotten (if that’s what we have to call it) puts more of an onus on the controller than the subject. More subtly, the GDPR recognises power imbalances and automated processing of all kinds as being inherently high risk because of the lack of control that the subject suffers. This is all good stuff, but GDPR doesn’t protect your privacy, and complaining that it doesn’t is like complaining that a decent quality car will not float. It’s pointless to criticise the GDPR as ‘not working’ when you think it should be doing something it isn’t designed for. Hare is letting the regulators and companies completely off the hook by implying that it’s a free for all, rather than a situation where the law is clear and people aren’t following or enforcing it.

It gets worse. Hare’s first assertion is “Who owns your data? This is one of the toughest questions facing governments, companies and regulators today and no one has answered it to anyone’s satisfaction.” The answer to this question is actually really easy: the person who holds the data owns it. You don’t own the data about you held by HMRC or Twitter or Facebook. They do. They probably have intellectual property rights over it, but for all practical purposes, they decide what happens to it, who receives copies of or extracts of it, and when it is deleted. The subject plainly doesn’t own it. They have rights over it sometimes, and they own a copy of any data they request, but that’s it. Asking about ownership is really asking the wrong question – apart from the fact that activists and campaigners are never going to get an answer they like, what’s worse is that by accepting that the debate should be about ownership rather than rights and control, you’re accepting the IAB and Mark Zuckerberg’s approach to data. I’m not an activist, and even I can see that you’re debating The Man on his terms. If we want to stop the commodification of data, we could start by talking about the problem in a better way.

I don’t doubt Hare’s sincerity for a moment, but some of her most basic assertions are wrong which makes it very difficult to agree with her. She says that under GDPR, “we gained the right to find out what data is held on us and to request its deletion“. This is completely incorrect. These rights have existed (and have been used) since at least 1995. It’s true that they have not been not well-enforced, and that GDPR expresses them more effectively, but in my experience, people who present GDPR as a sea change in rights are those who think Data Protection started in 2016. Apparently, it’s a problem that individuals have to exercise their rights, and “the GDPR could have solved this easily by making privacy the default and requiring us to opt in if we want to have our data collected“. If I was being charitable, I would assume that Hare was talking only about commercial uses of data for advertising purposes but she doesn’t say so. We can’t run the NHS, social care, taxation or criminal justice on the basis of consent. You can’t protect vulnerable children from abuse if their parents have to agree to their data being processed. You can’t collect income tax only from those who consent for their data to be collected. Talking about personal data exclusively in terms of consent is ignoring all sorts of processing, legitimate or otherwise, that takes place because of statutory or contractual justifications. It’s almost aggressively unhelpful.

Hare describes “a grotesque game” of consent where people are pushed into consenting or alternatively diverted into a maze of confusing privacy policies. The GDPR that she claims doesn’t work explicitly outlaws this sham consent. There is no doubt or debate about this: GDPR consent must be freely given, specific and informed, or it is not consent. Nobody who understands GDPR has any doubt about this – the question is whether regulators like Helen Dixon and Elizabeth Denham are willing to attack business models that are built on such flagrant GDPR breaches. So far, the jury is out on Dixon, but Denham has shown her hand by dodging enforcement on Real Time Bidding and fining Facebook for entirely imaginary events, ultimately settling the case in a way that leaves Facebook’s business model entirely untouched. The problem here is not the GDPR – it is the people who are supposed to be implementing and enforcing it.

Worst of all, Hare’s summary quotes Edward Snowden’s ill-informed speech at the Web Summit last week, picking out the stupidest thing he said and presenting it as her trump card: “He thinks that legislation should address the collection of our data, not its protection after it is collected.” Just to be clear (because I always italicise quotes on this blog), the article emphasises the word ‘collection’ with italics. Hare clearly feels that this is a vital insight, instead of evidence of total ignorance. Like a lot of security people, Snowden has seen the word ‘protection’ and worked from there. The foundation of EU data protection law for more than 20 years is that the use of data must be lawful, and lawfulness can only be achieved by justifying the collection of data. This is the skeleton of Data Protection, this is what holds it up, and Hare’s use of the Snowden quote is, in my opinion, evidence that she does not know this. It is utterly irresponsible to use a platform like the Guardian to mislead people in this way, no matter how strong your concerns might be. The GDPR is inherently and irrevocably concerned with data collection, and if Hare (and Snowden) do not know this, they need to educate themselves before pontificating. By the way, if you were one of the dozens of Data Protection people who retweeted that Snowden quote as if it was some amazing revelation, all you did was demonstrate your ignorance.

There are other depressing things within the article – like a lot of people, Hare cites warnings from the recent Human Rights Committee report into online privacy, and in particular, picks up their patronising conclusion that 13 – 15 year olds are incapable of consenting. This writes off hundreds of thousands of young people and robs them of autonomy (something which people who believe in privacy should be very wary of doing). Anyone who has read the Human Rights Committee report will know that it recommends creating a single repository of all information held about every person, updated in real time. Aside from ID cards, I cannot think of a more dangerous, privacy-invasive proposal than taking *everything* about you and putting it in one place so that the Government (and every hacker in the universe) can get access to it.

It is not enough to care. It is not enough to express your concerns about an admittedly voracious and parasitic internet business model. You need to know what you’re talking about. Pulling apart a clearly sincere and well-intentioned piece from someone who I probably agree with about a lot of things is not a good look, and will probably lose me even more friends and admirers than ever before. But this isn’t good enough. I’m not taking the piss out of someone because they said ‘Regulations’ when they meant ‘Regulation’. This whole article is based on a completely flawed understanding of the law and what it sets out to do. If you have the platform, you have to use it responsibly, and I think Hare and the Guardian have let down a cause which both claim to uphold.