There are many groups of people on Twitter who I wish that I could block en masse. Off the top of my head, I would block everyone who is wearing shades in their avatar, anyone who lists their blocking policy in their profile, or anyone whose profile includes the phrases ‘SPORTING TEAM / NATIONALITY till I die’, ‘I want my country back’, or ‘thought leader’. I do not wish to ban any of these people from Twitter, I would just like never to encounter them. This is not a matter of right or wrong, censorship or human rights. Everyone has a right to speak but they have to earn and maintain an audience. And sometimes, you can spot a bellend on sight.

In recent days, controversy has raged in a corner of the internet about the Block Bot, a program that users can deploy to block automatically certain people on Twitter; their current webpage explains more. The Block Bot allows one group of people (who I will call the BlockBotters) to block another group of people (who I will call the Blocked) whose views they don’t like or agree with. The Blocked don’t like it. This is all I can say for certain. Many of the Blocked are active on blogs and on Twitter, angry at being blocked, at the apparent labels attached to the Blocked or both, and they plainly want to do something about it. Two popular avenues appear to be libel / defamation actions, and Data Protection.

The libel angle is easy to understand. Richard Dawkins was apparently listed as ‘racist’, ‘gross’, ‘rapeapologist’, ‘childabuseapologism’, ‘transphobia’, and ‘youradick’. Although everyone can surely agree to the last one on the basis that his name is Richard and he is a monumental dick, Dawkins may or may not be justified in suing for libel on some of the other labels. The problem here is that there’s no point haggling about whether the Block Bot has defamed anyone – unless one or more the Blocked sue for libel and win, the online discussion of it goes nowhere and doesn’t stop the BlockBotters from running.

I haven’t exhaustively researched it (the whole mess is exhausting), but I think that the Matthew Hopkins blog was the first place to raise the alternative possibility of the Block Bot breaching Data Protection. I’m not saying the blog’s author is completely wrong, but when I hear someone citing Britain’s “very strong Data Protection laws”, I wonder which country they live in. First things first: the UK Data Protection Act does not apply to the Block Bot unless one or more of the people determining the purposes for which personal data is being used does so in the UK. If the BlockBotters are outside the UK but within the EEA, another country’s version of the EU Data Protection Directive will likely apply, but the UK one won’t. If none of the BlockBotters are based in the UK, game over: the UK Information Commissioner will not bite. It doesn’t matter if the data is stored or processed outside the UK (or even outside Europe) as long as some or all of the decision makers are in the UK. If they’re not, the DPA argument is dead. Move on.

There is the perennial issue that much / all of the material used by the Block Bot is in the public domain, but as I have said before, public data is still personal data if it identifies a living individual. If you disagree, show me the section in the Data Protection Act that says public domain data is exempt from the DPA. You won’t find it, because it isn’t there. More on that topic here.

Assuming there is a UK connection, there are two questions:

  1. Can you run an auto-blocking blacklist that blocks large swathes of Twitter users at a stroke without breaching the DPA?
  2. Have the BlockBotters done that, and if people complain to the ICO, will they do anything?

First things first: yes, you can run a Twitter blocklist in the UK. Anyone who thinks you can’t is welcome to show me the section or DP principle that says you can’t. Certain types of discrimination are illegal, and certain types of blacklists used for discriminatory purposes are also therefore illegal. The phrase ‘blacklist’ has been used by those criticising the Block Bot, and depending on what you mean by ‘blacklist’, that activity is often very difficult to do legally. If by blacklisting, you mean ‘secret list used to unfairly discriminate and disadvantage the people on it’, then I agree that blacklisting is almost certainly illegal in nearly every context. But if you mean ‘operate a list that prevents people from doing something that they want to do’, blacklisting isn’t illegal. What matters here is what the Block Bot does. The Block Bot is not secret, which automatically makes it less likely to breach the DPA in principle. Moreover, making a list of people you dislike or object to and then making decisions about them isn’t a DPA breach: it happens all the time.

Many newspapers last weekend reported the story of Albert Carter, an 80-year-old who has been banned from every Sainsbury’s in the UK, after he collided with a shopper on his mobility scooter. You may argue with the morality of exiling Mr Carter to another supermarket, but a Sainsbury’s store is private property, and if Sainsbury’s want to ban him, they can. He has been blacklisted, his personal data has been processed in order to effect this ban, and the Data Protection Act has not been breached in the process. Many councils and other organisations run warning marker or flag systems – significant actions are taken as a result. Many pubs and clubs exclude punters under Pubwatch or similar schemes, and not always because of hard factual information. Blacklists exist, and they can be made to work. Blacklist is an unattractive word for something that can be completely illegal, entirely justifiable, or something in between.

The Matthew Hopkins blog links the Block Bot to the ICO’s action on the Consulting Association construction blacklist. This is an unhelpful and misleading comparison. For one thing, the BlockBot lets people block you on Twitter; it doesn’t blight your life for decades by making you unemployable. More importantly, the ICO did not take action against the Consulting Association because it was a blacklist; they took action because it was an unjustifiably secret blacklist. Lack of transparency was far from the only problem – Phil Chamberlain and Dave Smith’s magnificent book Blacklisted (which I cannot recommend highly enough) describes a sordid, illegal process that could never have satisfied the DP principles. Much of the data – about individuals’ union or political beliefs – would be classed as sensitive data, and the Consulting Association could not identify an appropriate DP condition for using such data. Much of the data was excessive or irrelevant for determining whether people were suitable for work, especially as individuals were prevented from working purely because they were involved in union activities or had made complaints about health and safety. It was impossible to legally run the Consulting Association blacklist, but running a list that excludes or bans people from certain activities is not a breach of the DPA.

The organisers of any Twitter block-list are processing personal data (the names of the blocked and any associated characterisations), so they must notify the Information Commissioner that they are doing so, they must inform individuals that they are on the list (because there is no exemption, they must correct inaccuracies (by which I mean blocking me when they meant to block you), set out a retention policy, answer subject access requests and keep data secure. Arguably they need an appeals process, and a review process to ensue that the reason for the block is still valid.

There is an argument that allowing people to block strangers en masse is unfair in the dictionary sense of the word, but Twitter already allows blocking, so if the Block Bot breaches the DPA because it facilitates blocking, so does Twitter. A blocklist that does not have some clear, coherent criteria for why people are blocked might be operating unfairly, but anyone who thinks the ICO is going adjudicate on this part of the process doesn’t really know the ICO.

It’s possible that the Block Bot’s organisers have breached the DPA by how they set it up.They haven’t notified the Commissioner (as far as I can see) and they aren’t exempt from notification, so that’s a criminal breach if they’re based in the UK. I can’t be sure whether the Blocked receive a direct notification that they’re on the blocked list, but if they don’t, that’s also a breach of the first principle. However, neither of these breaches kills the Block Bot. The ICO’s prosecution record for non-notification is haphazard – MPs, MEPs, elected members and others haven’t notified and the ICO has done nothing. Even when non-notification is brought to the ICO’s attention, they often just write to the organisation concerned and tell them to notify. If the ICO can find the organisers.

The same is true for a lack of fair processing (i.e. not telling people they are blocked). The most likely outcome of a complaint about the lack of a fair processing notice is that the ICO will tell the BlockBotters to inform the Blocked that they have been blocked. I think publishing the list of the Blocked online is unfair and excessive, breaching the first and third principles. The Block Bot would be more DPA compliant if it did not include this element of public naming and shaming. However, the data is not sensitive (in the Data Protection sense of the word), and given that the ICO has a track record of enforcing almost exclusively on security and surveillance, a decision to take action here is so far from the ICO comfort zone, it’s inconceivable.

I’m certain that falsely or libellously labelling people (if that happened / is happening) would make the Block Bot unfair. If someone successfully sued the Block Bot organisers for libel, that would make it easier for to argue that the Block Bot breached the first principle requirement for lawfulness. One could even argue that falsely accusing someone of rape apologism (if indeed the allegation can be proven to be false) is a breach of the fourth Data Protection principle on accuracy. However, there are two problems. Firstly, if the ICO sees successful libel actions, they will use that as an excuse not to act, rather than the other way around, because there is another remedy to the situation. More importantly, the Data Protection Act explicitly recognises the creation and processing of opinions as being part of the act, rather than something that is forbidden.

It’s one thing to expect the ICO to decide on factual inaccuracy, and there are a handful of enforcement actions based on those. It’s quite another to ask the ICO to decide what is an accurate opinion. I don’t think that Richard Dawkins is a rape apologist, but equally, I think at the very least some of his statements on rape have been extremely moronic, bordering on unpleasant and I understand why others might think he is. And that’s assuming that I properly understand what rape apology is. How can the Information Commissioner be expected to decide which opinion is right?

If I said that Richard Dawkins was a war criminal, this would plainly be untrue because he has never been involved in prosecuting a war. But if I said that Tony Blair was a war criminal, you might not agree, but could you say that it is factually inaccurate? More importantly, if I created a Twitter Blocklist of Notorious War Criminals and included Blair, George W. Bush, Dick Cheney, Donald Rumsfeld and so on, is it remotely likely that a case officer in Wilmslow is going to make a Compliance Unlikely Assessment because they’ve decided that these men aren’t notorious war criminals? And more importantly, is the ICO willing to enforce their decision using an Enforcement Notice, or issue me with a Civil Monetary Penalty?

Give me a break.

And this is where we are with Block Bot complaints about Data Protection. Readers who have made it this far are welcome to disagree with my views on whether Twitter blacklists breach the DPA. But on one thing, I know I am right: the ICO will not enforce on the Block Bot, even if the UK DPA applies. The ICO has ignored inconvenient decisions of the UK Court of Appeal (Durant) and the European Court of Justice (Lindqvist). They routinely – and wrongly – claim that blogs are exempt from Data Protection because of the domestic purposes exemption. It’s obviously open to the Blocked to litigate – on libel, or even on the damage / distress caused by being insulted or blocked under the DPA. On this, I have no view and make no predictions. That’s an argument between the BlockBotters and the Blocked, if it ever happens. The half-baked DP advice flying around may have had an effect on the text on the Block Bot website already, and who knows, maybe legal fears will have an effect in the future. But if anyone thinks that the ICO will close down the Block Bot, or even force the BlockBotters to be take anyone off the list, I am convinced they’re in for a disappointment, both because that’s not how Data Protection works, and more importantly, the ICO isn’t that bold or imaginative.

Are You Now, or Have You Ever Been

The Labour Party’s recent – if belated – interest in the Consulting Association is a good thing. The late Ian Kerr ran a secret blacklist for a range of big-name construction companies, and there is simply no defence for what he and they did. The fundamental principle of Data Protection is fairness, and fairness is not just about the general notion of being equal and proportionate – the DPA specifically requires organisations to inform individuals about how their data is used. Even if the construction industry needed a quick central system for checking the reliability of casual employees, it would be vital for workers to know about and have access to it to ensure that the facts were correct and the decisions justifiable. The secret nature of the system, of course, was to cover the real aim of rooting out people who might ask awkward questions about health and safety or working conditions.

It is hard to imagine anything more squalid than a hugely successful industry – bloated with public sector contracts and many establishment connections – targeting ordinary working people who want to prevent deaths, accidents and unfair working practices. This activity is a stain on their reputations and they must not be allowed to forget it. The anger directed by unions, Liberty and individual workers is justified. The fact that the construction companies escaped largely unpunished is a scandal. The chief responsibility for this disgraceful business lies at their door.

However, much of the ire is bizarrely directed at the Information Commissioner. Despite his cack-handed defence on the Today programme, the current Commissioner Christopher Graham is not to blame for the construction companies’ apparent impunity, nor is his predecessor. I think Richard Thomas’ tenure as Information Commissioner was fairly disastrous (especially for FOI), but the Consulting Association prosecution was possibly the biggest success of his time in the job. Few of the criticisms hold any water. Unions have demanded that the entire CA database should be handed over to them – using publicity and FOI to achieve this. This would be a breach of the Data Protection Act. The ICO obtained the database as part of an investigation, and whatever the motives of the unions, it would be unfair to every person on that list for their information to be given out to every angry union that demands it.

The ICO has also been criticised for not proactively contacting all of the people on the list. As someone who already thinks that the ICO does not put enough resources into enforcement, the idea that they would spend the doubtless huge sums of money contacting thousands of people (after sorting through the information to identify them properly) is ludicrous. The ICO is not there to help people pursue claims – they are there to enforce the law, not to take sides and support individual actions. It was their job to take on the problem – they did that.

The biggest criticism levelled against the ICO is the lack of prosecutions for the construction companies. The Unions and various Labour figures have been loud and self-righteous in their outrage over the perceived lack of action. The £5000 fine for Kerr was paltry, and the enforcement notices issued to the construction companies lacked the required sting. But all of this is Labour’s fault. Exposing Kerr and seizing his database was the most the ICO could do – as his operation depended on secrecy, the raid killed it. The only criminal offence that the ICO could charge Kerr with was non-notification and the maximum penalty for non-notification was £5000. It was not a criminal breach of the Data Protection Act to run or use a blacklist when the construction companies encouraged Kerr to do so and paid his bills and fine for him. In 2009, the ICO did not have the power to issue Civil Monetary Penalties. No regulator can prosecute without a specific offence, and there were no offences on the statute book. His current CMP powers are not retrospective, and if they should have been, it was Labour’s decision not to make that happen.

It’s easy to attack the ‘disgraceful belligerence’ of Chris Graham’s performance on Today, as Val Shawcross, a Labour London Assembly Member, did on Twitter. Jessica Asato, prospective Labour candidate in Norwich, does the same on Labour List: “Scandalously, when prosecution was sought for Ian Kerr the CEO of the Consulting Association (and apparently a previous employee of the Economic League) he was only fined £5000 for data protection issues and none of the firms who paid for the information were fined at all.” If this is a scandal, it is a scandal that Asato’s party devised. A fine for the companies was more or less impossible, unless the ICO also prosecuted them for not notifying their use of the CA database. The maximum fine would have been £5000, even if the prosecution had been successful.

The Data Protection Act 1998 and its associated regulations were created and passed by a Labour Government. If the ICO’s response –  the strongest possible legal response – was inadequate, it was because the Blair and Brown governments made it that way. Breaches of data protection had no adequate punishment until the shambolic data handling within Government embarrassed Brown into a U-turn. Labour still backed away from making data theft an imprisonable offence under pressure for the Daily Mail, and even now, Section 63 even makes it impossible for the ICO to prosecute the Government or the Royal Household for a criminal DPA breach. Any union, any worker, any ambitious politician who wants to raise the issue of why the construction companies got out of jail free cannot go after the ICO, and they are being dishonest if they do.

Chuka Ummuna, the Shadow Business Secretary, is making a lot of what is an unfashionable issue and he deserves credit for doing so. He wasn’t an MP when Labour set Data Protection up without any teeth, and so his hands are fairly clean. Nevertheless, I can’t help thinking that the party’s enthusiasm for the issue now might have something to do with the fact that they are no longer in government making decisions, and awarding humongous PFI contracts to the businesses that were guilty of the ‘affront to justice’ that Asato finds so offensive.

One strong element of Asato’s article still rings true, and brings us round (inevitably) to the part of this post which allows me to revert to type and have a dig at the Commissioner. She points out that blacklisting and stigmatising of union and other activists in construction is an ancient business, going back to the founding of the McCarthy-like Economic League in the 1920s. I think it’s safe to assume that there is a version of the Consulting Association running right now. Kerr is dead, but the idea that a practice that is at least 90 years old will suddenly stop because it was exposed is idiotic. Panorama exposed the League in 1994 and blacklisting didn’t die then. Deputy Commissioner David Smith sets out the ICO’s approach to the Consulting Association fairly on the office’s website, but he loses credibility with this unnecessary final flourish:

The construction blacklist remains a black spot on the history of employment in this country. While the work to close it down is long completed, our work to help those whose lives were affected by the blacklist continues.

Everyone involved in the Consulting Association case should be proud of the good work they did. If I was a very suspicious person, I would wonder whether Labour and the Unions see the ICO as a convenient whipping boy to cover up their own failings on this matter. But I support Asato when she says that the work on closing down blacklists is almost certainly not over. Rather than attacking the ICO for doing the right thing, workers, unions, politicians and advocates for better Data Protection should chide the ICO for resting on its laurels. It should be knocking on doors across the construction industry and demanding evidence that the 2009 enforcement notices – which have presumably not been withdrawn – are still being complied with. The stick they wield now is a lot bigger, and they should not persuade themselves that they don’t need to use it.