Immigrant song

With the sensitivity for which they are rightly renowned, the Home Office chose to celebrate Christmas by tweeting a cheery video full of beaming millennials, promoting the new ‘settled status’ registration scheme for EU nationals who want to stay in the UK after Brexit. People who have made their home in the UK have to register and pay for the privilege. Setting aside the crass, thoughtless way in which the scheme was promoted, concerns have been expressed on social media about the Data Protection implications, especially as regards how data is used and whether it complies with GDPR and the DPA 2018. There is an interesting sentence in the documentation: “we may also share your information with other public and private organisations in the UK and overseas”. The people behind the @the3million twitter account made an FOI request about this, and the Home Office have refused to confirm the identity of the organisations in question. They relied on S31 of the FOI Act, which allows information to be withheld if (among other things) disclosure would or would be likely to prejudice “the operation of the immigration controls”.

S31 requires the Home Office to demonstrate a causal link between disclosure and prejudice, and has a public interest test that allows for disclosure if the public interest in doing so outweighs the public interest in withholding. So while the Home Office picked the right exemption, their decision to refuse could be challenged. The ICO doesn’t have a strong record of overturning these kinds of decisions, so the fate of any complaint is hard to predict.

But what’s that? Surely individuals subject to this process have GDPR rights, and can find this out for themselves via a subject access request? Two elements of GDPR would appear to assist – Article 13 requires the Home Office to specify “the recipients or categories of recipients” to which personal data will be disclosed in order to be transparent, while Article 15 gives the subject a right to the same information on request as part of a subject access request.

Except they don’t. I’m certain that the wording I have seen doesn’t comply with Article 13, because even the ‘categories’ bit would only work if it was clear what types of recipients are involved, and it plainly isn’t. However, the GDPR allows for exemptions, and there is an exemption that the Home Office managed to get through Parliament in the DPA 2018 which allows them to keep the identity of the recipients secret. Schedule 2, Pt 1, (4) says that both transparency and subject access rights can be set aside if applying them would or would be likely to “undermine the maintenance of effective immigration controls”. If the Home Office don’t want to tell people going through the process who their data will be shared with, this exemption allows them to do so. They have to believe that transparency will undermine effective immigration control, but this is the Home Office – they probably do believe that.

So what recourse do EU citizens have? They could, of course, challenge the Home Office approach by either taking them to court or complaining to the Information Commissioner. The Commissioner could decide that the application of the exemption was incorrect (as they could with S31 of FOI), and they have powers to enforce that decision. Aside from Elizabeth Denham’s obsession with data analytics in politics (especially when allegedly deployed by the Leave side), the ICO does not have a strong track record of taking on big organisations. Admittedly, the ICO recently took on the Metropolitan Police over their Gangs Matrix database, but the problem with that is the Gangs Matrix was a mess and the Met more or less acknowledged that.

The problem here is that if the Home Office maintain their position, the ICO would have to substitute its own judgment for the Home Office’s. This wouldn’t be a mistake or a cock-up; if the Home Office use the DPA exemptions in the same way as they have used the FOI ones, the only way that people can get better transparency is for the ICO to tell them that they’re wrong. This is often when Wilmslow bottles it. It’s straightforward to enforce on an organisation that has just lost thousands of people’s data (I’m sure it takes a lot of graft, but the decision to do it isn’t as hard). It’s much more difficult when the data controller hasn’t made a mistake, but is using the exemptions as described. Even if the ICO believes that the exemptions have been wrongly applied (and they might not), the Home Office is likely to ignore any recommendations and appeal any enforcement action.

The alternative is the courts, which is just as much of a roll of the dice as a complaint to the ICO, with the added complexity and cost of actually going to court. I have confidence that a court would test the Home Office’s arguments more robustly than the ICO would, but the Home Office wouldn’t be acting irrationally or unreasonably, and a judge might agree with them. These exemptions made it through Parliament and are on the statute book; the Home Office can plainly use them, and it’s not a breach of the GDPR unless the ICO or a court says that they have been applied unfairly.

Personally, I doubt that knowing who is receiving your data will undermine this process sufficiently to justify the secrecy that the Home Office has already imposed using FOI, and which I expect they will use under DP, but it doesn’t matter what I think. This is where the hype around the GDPR runs into the brick wall of reality. The Home Office doesn’t need consent to gather, use and disclose personal data in this process, as long as it has another lawful basis to do so (legal obligation or official authority will certainly kick in here). The DPA gives them exemptions to keep the nature of that processing opaque, and if they choose to use them, challenging that decision is difficult and the outcome is uncertain. This leaves an odd situation but a lawful one – if they wish to live in a country they have already made their home, it seems that EU citizens have to submit to a closed, secretive process and they cannot find out what happens to their data during that process, who gets to see it, and for what purpose.

Compensation culture

We’ve had years of headlines about Cambridge Analytica and Facebook which have captured the public’s imagination like never before, and generated huge publicity for the Information Commissioner’s Office and their army of blue-jacketed enforcers. Action, on the other hand, has been slightly less forthcoming. No action has been taken against Cambridge Analytica itself – there is the prosecution of SCL Elections over a subject access request made by an American (David Carroll), but if anyone can explain the point of prosecuting the now defunct company when the best outcome is a fine that will never be paid because it will be buried at the bottom of the pile of creditors, comment below. The ICO issued their first GDPR enforcement notice against AIQ, and it was so clumsy it had to be withdrawn and replaced (it’s astonishing that the ICO’s mishandling of this landmark action has gone virtually unnoticed). There is the famous Facebook fine of course, but that is already under appeal. Given that the Commissioner’s case changed radically from the Notice of Intent (published against all normal ICO practice) to final penalty, I don’t think that the ICO should count any chickens on the outcome.

The other issue haunting the case is a number of legal firms mounting ambitious compensation claims on behalf of those who believe themselves to be affected. Just as I am sceptical about the ICO’s track record, some odd assertions in a story in the Independent about David Carroll’s own attempt to sue Cambridge Analytica make me wonder whether the compensation road will be any less rocky. The claim is happening under the old Data Protection Act, and so Carroll and his solicitors will have to prove some kind of damage. Carroll’s solicitor Ravi Naik from ITN Solicitors is quoted as saying payouts could spiral to as much as £43 billion if only 10% of the possible affected pool of people claimed successfully.

Even if one conservatively uses the lowest end of the range, both in number and value of each claim, and calculates on the basis of 10 per cent of the estimated 87 million affected Facebook users only, with claims of £5,000 each against Cambridge Analytica, that still implies a total potential claim value of £43.5bn

I think his claims are optimistic at best, and at worst, comically exaggerated. Facebook did claim that up to 87 million people’s data may have been affected, but they’ve wavered since – to the extent that the ICO now admit that UK data wasn’t used by Cambridge Analytica in their final penalty on Facebook, despite building their NOI around that very claim. Carroll is claiming between £5000 and £20000, but he won’t get a penny unless he can show evidence of the breach in the first place, and then evidence of the damage. Claiming compensation for non-material damage is tricky. You can’t show something concrete like lost wages or business – the money won’t be awarded just because Carroll says he’s upset or annoyed, and the courts have shown scepticism in the past about claims of damage or distress (look at the Tetrus case that ICO lost on the issue of distress a few years back).

That 87 million number is a maximum, not a certainty, and the UK courts have shown themselves to be unmoved by generic class action claims of damage. Look at Richard Lloyd’s failed claim against Google, where the court said that different people will react to the use of their data in different ways. Perhaps Carroll has made a good case about the harm he says was done to him, but even if he has, that is not to say that all claimants are in the same position. If my data was abused by Facebook, my reaction would be numb resignation at worst. I can’t get outraged about Facebook abusing my data, any more than I can get upset by rain being wet. This is why I don’t use Facebook.

The consensus on LinkedIn seems to be that a possible breach is automatically accompanied by a ringing cash register – but that’s not a safe assumption, nor one backed by any evidence. Lloyd lost his Google claim. Everyone who wrote excited Tweets and LinkedIn posts about the outcome of the recent Morrisons case – where the supermarket was found vicariously liable for a breach committed by an employee – ignored the fact that even if Morrisons lose their planned appeal to the Supreme Court, the issue of how much each claimant gets hasn’t been considered yet. Admittedly, Morrisons is a claim for misuse of private information and breach of confidence, but even so, we haven’t got to the bit about the money yet. The claimants may each get a big payout; they may get bus fare. There hasn’t been a case in the UK where multiple people received a big payout because their personal data was abused.

Naik’s extravagant claims and ambitious maths make for an impressive headline, but it’s speculation. I’m uncomfortable about the idea of tempting people into joining litigation (which is presumably the point of Naik’s claim) using hyped-up numbers in this way. The words sound sensible, and Naik effectively describes his estimate as conservative, but it’s a fantasy. Carroll will lose unless he can persuade the court that a breach occurred, that he experienced damage, and that there is a figure that will compensate him for that harm. We have had a few interesting and successful compensation claims in the past, but the idea that we’re looking at lottery jackpots for DP claimants is, so far, Fake News.

Live and Let Dai

To say that anything connected with GDPR is the worst example of its kind is a foolhardy business. I’ve read so many terrible articles, LinkedIn posts and Tweets about GDPR that to single any one of them out and say ‘THIS ONE IS THE WORST’ seems pointless. Most of them are bad. However, after watching 33 minutes of waffle, padding and gleefully misinformed bullshit, I am reckless enough to say that the intellectual property lawyer Dai Davis’ talk here is the worst presentation or talk I have seen about the GDPR in any format.

Admittedly, the trainer in me hated it because of the incompetence – Davis has to keep going back to the podium to change slides because he hasn’t brought a remote, and he pads the talk out with protracted questions to the audience that don’t add anything to what he is saying. When someone intelligent-sounding in the audience takes him on by asking a proper question, he runs a mile.

More seriously, a good chunk of the talk is taken up with an attempt to create a formula for how much you should spend on data protection compliance based on the likelihood of being fined. It’s an eye-catching and controversial thing to throw out in a conference, but I don’t believe even Davis knows what point he’s making. Is he really saying that every organisation should spend a meaningless, averaged-out €2000 to comply with GDPR, or is that just a flourish? Every organisation is different to another, and will have radically different priorities and appetites for risk, so trying to create a standardised methodology is so random and unhelpful that I don’t think it’s a serious point. Given the number of basic mistakes and baseless assertions he makes in such a short time, however, the only thing I can add to his calculations is that however much you spend on GDPR, you should probably not spend it on advice from him.

I may not have got them all, but here is as full a collection of all the blunders as I could manage:

  • Davis cannot remember how many deputies the Commissioner has, but he knows that it’s between 11 and 13. There are 3 deputies (James Dipple-Johnstone, Paul Arnold and Steve Wood); there have never been more than 3.
  • Davis consistently gets the name of the ICO wrong – it’s almost always the ‘Information Commission Office’, although he varies it at least once with ‘Information Commission Data Protection Officer’ (he wasn’t talking about their DPO). To be charitable, it might be because he’s talking quickly, but the errors are relentless. He clearly thinks that Elizabeth Denham’s job title is ‘ICO’, because he calls her this repeatedly, and talks about what he would do if he was “the ICO”.
  • He asserts that the GDPR is not a ‘step change’ from the old legislation solely because it has lots of words, even though many of those words are very similar to words in the same order in the old version.
  • He notes that there has not been a GDPR fine yet. Davis was speaking on May 30th, two days after the first 72 hours to *report* a relevant breach would have elapsed.
  • He asserts several times that in theory “every single breach” has to be reported to the ICO. This is completely false. There is a specific definition of a breach in the GDPR and incidents that do not meet a certain threshold of risk do not have to be reported.
  • He says that telecoms companies had to report breaches to the ICO since 2012. Communications providers have had this duty since 2011, not just telecoms companies.
  • Davis claims that public sector bodies self-report breaches to the ICO because they have no idea about how to take a commercial risk. There is the problem that public sector bodies are not commercial organisations by and large, so that argument makes no sense, but it’s also factually incorrect. To take one example, NHS bodies (the example shouted out by an audience member) have been obliged by the operation of the Information Governance Toolkit to report breaches to the ICO since at least 1st June 2013 (I think it was actually earlier than this, but that’s the one given in a Toolkit document that Davis could have found with a single Google search if facts were something he had any curiosity about).
  • Davis claims that the ICO is not really responsible for prosecutions for S55 offences, despite talking exclusively about prosecutions that the ICO carried out.
  • He includes the prosecutions in his calculations for the risk of being fined by the ICO, seemingly unaware that fines and prosecutions are two entirely distinct activities, with S55 prosecutions being against individuals rather than organisations. Throughout, Davis talks about the ICO enforcing on ‘people’, so I don’t know if he knows that the penalties were issued against data controllers.
  • He says that there were 18000 complaints in 2016 and the ICO has done nothing about nearly all of them. As someone who thinks the ICO is crap, even I have to acknowledge that most of these complaints were resolved informally and the absence of a fine does not mean that nothing happened. In quite a few cases, the complaint would not have been valid, and so no action would be appropriate.
  • He twice says that the maximum penalty for a breach under the DPA 1998 was £5,000,000; it was £500,000.
  • He quotes the head of the ICO’s ‘Breach Notification Division’, which does not exist.
  • He claims that the GDPR contains more loopholes, which require the ICO to hire criminal lawyers. The standard of evidence for a GDPR breach is the balance of probabilities, and GDPR removes the requirement to prove damage or distress for a monetary penalty.
  • He says the ICO has 700 staff – they haven’t recruited these staff yet.
  • He tells a story of how he tells his hotel clients (who, if they exist, have my pity) that they cannot claim to be GDPR compliant because they use “mobile telephones” and allow their staff to send text messages. According to Davis, it is impossible to use mobile phones securely.

At the point where Davis says “smart lawyers like me”, my jaw did not drop, it fell off.

Leaving aside how garbled and smug Davis’ performance is, you might wish to be charitable and take on his central thesis – that you probably won’t get a GDPR fine. He’s right. There have been relatively few penalties under Data Protection thus far and so the risk of getting one is relatively small. I cannot disagree with this banal point because I have made it myself many times. However, I can’t tell if his conclusion is simply that nobody should bother complying or whether there would have been a ‘however, you should comply because…’ moment, because there isn’t a conclusion. Presumably because he has run out of time, Davis just stops. So what, Dai? What’s your point? What should the audience do with this information? Should they just ignore GDPR? There’s definitely a sense of this when he says that 10 years from now, the owner of a B&B will not know what GDPR is.

If Davis had the guts or the discipline to get to a conclusion that GDPR doesn’t matter, that would have been something. His contempt for detail would still be an impediment, but ‘Ignore GDPR’ is an assertion worth tackling. I could counter by arguing that the threat of a fine isn’t a good reason to comply, but respecting human dignity and avoiding harm to real people through inaccuracy, intrusion and insecurity is, but Davis never stops circling the airport, so I don’t even know if that’s what he’s saying.

If his contention is that organisations don’t have the ability to measure risk effectively and need to get GDPR in perspective, that’s actually a good point, but he makes it so incompetently that again I’m not motivated to take him on. I have grudging sympathy for the idea that reputational damage is an overhyped risk (again, it’s not a point he makes clearly), but I know that many in the Data Protection world would passionately disagree, and I suspect that they could use Facebook’s current woes as evidence that public perception over data misuse isn’t something that boardrooms can ignore.

In the end, I think Davis is a clever man pontificating about a subject he neither cares for nor understands, but the danger is that people will watch the talk and be contaminated by it. You could argue that I am making it worse by drawing attention to it solely so I can take the piss. All I can say is, the talk is out there. People will see it. As this is the case, if you find his argument (such as it is) attractive, it’s worth pointing out how sloppy and ill-informed his thinking is. It’s worth asking: if this is the ‘Ignore GDPR’ guy, why would you listen to him?

EVERYTHING’S FINE

Due to the activities of a particularly noisy blackbird, I woke at 5.15am, and so headed to the ICO’s website to see if they had published their long-awaited report into politics and data analytics. The press release was there, and the report itself was tweeted out a little while ago. Given all the noise and hype (and an enormous amount of misinformation), I have a few observations about the interim report. Given that I predicted that the ICO would do nothing, I should be delighted that Wilmslow has finally decided to respond to all of my goading by taking action, but it’s not quite that simple.

  1. Despite the headlines and strong statements from whistleblower Chris Wylie, Facebook have not been fined £500,000. They might be, but what ICO has done is issued a notice of intent, which means that Facebook has the opportunity to make representations before the fine is issued – if it is. It’s entirely possible that Facebook will pay up and move on, but equally, it’s possible that they’ll make representations that kill off the fine altogether. Finally issuing a maximum penalty after the DPA 1998 is technically dead is a very ICO move, but it hasn’t happened yet. If they pull it off, I will be thrilled to have called this one the wrong way.
  2. The much-vaunted ‘criminal prosecution’ of SCL Elections has an element of a government announcing previous spending commitments as new money. As far as I can see, the prosecution (which hasn’t happened yet) is against SCL for their alleged failure to comply with an enforcement notice served because of their alleged failure to comply with a Subject Access request made by the US academic, David Carroll. I have already made myself deeply unpopular by suggesting that a regulator with a relatively hesitant approach to enforcement should not be prioritising the DP rights of non-EU citizens. If Americans want DP rights, they should pass laws like California is doing, rather than using UK taxpayers’ money to refight the Trump election. Nevertheless, the really interesting thing is that the notice was served after SCL went into administration, which means that either ICO intends to prosecute the directors under Section 61 of the DPA (which would be a bold move indeed, given that the directors presumably are no longer in control of the company) or they’re going after the administrators, which is bullshit.
  3. There is an enforcement notice against the Canadian company AIQ – this is quite something, as it is the first time that the ICO has used its GDPR powers to place a limitation on processing (i.e. the processing of data about UK and EU votes obtained unfairly by AIQ). I have no idea how ICO intends to prosecute AIQ if they fail to comply with the notice, what with them being in Canada. It’s entirely possible that AIQ will go along with it for a quiet life. I think the notice is unenforceable if they decide to flip Mrs Denham the bird.
  4. Despite the war between Carole Cadwalladr and Arron Banks (reminder to wash my hands after typing that name) that has provided the background noise for the ICO’s investigation, it’s interesting that the ICO is not currently taking action against Leave.EU. Indeed, there’s nothing new on Cambridge Analytica either. However, the ICO confirms that they are still looking at Leave.EU, but also at Vote Leave and the Remain campaign. As someone who thinks that leaving the EU is a slow act of national seppuku, it’s fascinating to learn that ICO seems to think the analytics issue might be more of an ‘everyone’s at it’ than ‘democracy stolen by Leave’.
  5. The most intriguing part of the report is the one getting the least headlines. As well as possibly issuing a penalty on Facebook, they’re also going after Emma’s Diary, a data broker that preys on pregnant women. Despite all of my misgivings about whether this long-running saga is a good idea when carried out at the same time as the implementation of GDPR, if the investigation finally forces the ICO to tackle the ugly underbelly of the UK’s trade in personal data, it will be a wholly good thing. ICO has avoided tackling data brokers and credit reference agencies for decades, and if they finally get dragged into the spotlight, that can only be a good thing.

SOME PREDICTIONS

  • The Directors of SCL Elections will not be prosecuted successfully.
  • Facebook will not pay a fine of £500,000 (there may be a fine).
  • AIQ will grumble and make a show of complying, even though they know the notice is unenforceable.
  • The ICO will not take enforcement action against any major political party as a result of the investigation. There will be UNDERTAKINGS.

I will be delighted to be proved wrong on any of the above.

THE REQUEST

MY REQUEST

Email sent 25/05/18, 17.29

Hello

I would like to request all personal data associated with myself held by your company, in accordance with my rights under the GDPR.

The following information should allow you to identify me:
I live at [HOME ADDRESS]. My business name is 2040 Training, and my business address is Courthill House, 60 Water Lane, Wilmslow, Cheshire SK9 5AJ, UK, Company No: 6682698

You may hold data associated with me via the following email addresses and phone numbers: [PERSONAL EMAIL WITH MY NAME IN IT], [SECOND PERSONAL EMAIL WITH MY NAME IN IT], tim@2040training.co.uk, [EMAIL WITH MY NAME AND COMPANY NAME IN IT], [LANDLINE], 07508341090 or [PERSONAL MOBILE] or the Twitter handle @tim2040

My request includes any personal data held about me, including any assumptions, characterisations, classifications or inferred data recorded about or associated with me, as well as any factual, contact or other personal data and correspondence concerning me either internally or externally.

This should also include a clear indication of the source for all information held about me, and the names of any data controllers to whom my personal data has been passed. If you require any further information, please do not hesitate to contact me. Please note that all personal data included in this request has been supplied solely for the purpose of identifying data already held by your organisation, and none of it should be retained or added to records you hold for any other purpose.

Regards

Tim Turner

THEIR REPLY

Email sent 25/05/2018, 21.27

Hello,

Thanks for reaching out to us. I am glad to see that some are not wasting any time in exercising their rights!

Here are the definite answers I can provide at this stage:
* I have not found the email address tim@2040training.co.uk in our systems.
* I am not sure under what basis you are making your request for business information we might hold concerning the “2040 Training” business. The GDPR would not be applicable to that situation. If there is something I am missing, please let me know.

Otherwise, a constant concern with Subject Access Requests is to confirm the identity of the person making the request. For this reason, before responding to any request concerning the other identifiers, I first need to confirm that the owner of those accounts actually did wish to formulate such a request. Therefore…
* for each of the other email addresses, please resend a direct request from that email address, so we can confirm they are yours.
* for each of the phone numbers, please send a copy of a recent phone bill in your name to confirm that you hold this phone number.
* for the Twitter account @tim2040, please contact us directly at @PersonalDataIO, and we can take it from there.

Finally, for the request concerning your home address, I will need some type of proof to confirm you live at that address. A utility bill in your name would do.

Sincerely,

Paul-Olivier Dehaye
PersonalData.io

MY REPLY TO THAT

Hi
Thanks very much for this.
You’ve given me everything I need here.
Best wishes
Tim

HIS REPLY TO ME

Great. Happy to help. Thanks for making our service better.

Paul

MY REPLY TO THAT NONSENSE

There’s a very long way to go on that.

T

HIS DESPERATE NEED FOR THE LAST WORD

Baby steps!

Paul

MY RIGHT TO BE FORGOTTEN REQUEST

Hi
Under Article 17 of the General Data Protection Regulation, I would like to request that you erase any personal data held by your company or any of its employees or volunteers in relation to myself. Specifically, I request that you erase any reference to any of the emails or phone numbers provided in my email to you from this address on 25th May 2018, including the email itself.
If you held any of the information before 25th of May, I expect you to erase it.
If you refuse to erase any personal data connected to any of the identifiers specified in my request of 25th May 2018 without proofs of ID, please let me know.
Best wishes
Tim Turner